pundit 2.2.0 → 2.5.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 82606dec60dec4ddb9086a4d1a71447bda39f9f17fd5e38025937f0fdb7b9b1a
-  data.tar.gz: e154a0dadc701871c49687ff843117e590011362be4cf3dfa7bc63ea4e5e698b
+  metadata.gz: eb37a66715ec9d8c397d11d11429d137673a43317335cd8e255a0b11f92d98ab
+  data.tar.gz: 82c44fa243f3dcc18f006dbbb87bb48754dfcae8baf1876a7a8266567dfe8ebe
 SHA512:
-  metadata.gz: 0414e7e35eb8e2aa3bac79a75f2d8ae4e45f5cf4152150be239664f620560732990b3547aeac678b50e4b62036ab25c45170f12ca1897c6bf41938589e5ef0bd
-  data.tar.gz: 964d660d1f79b36b8ace58452ca0adfef4f5ea68a7436f6373ae248f33cda7f017db5d5c5fbd0efca26fb5ee88a507cf900edc8bd0d7dad89a676cb308bd7bd1
+  metadata.gz: e650dddbc49cc94209dfdc22b12b5fedec499a07e0266c54c5bf8e93cc6573cdcd7cde045cc10e9e7343cb4de788c1459517b3b89333c2222700e821b624dc54
+  data.tar.gz: 443e7fefff8e69fd85aca350f174fa996f4c6fa7d524f17cd60cabec5ec09562bfccc25b25402d811934111b615542d9f470f899cd239cad7508d01471db16b6

data/CHANGELOG.md

@@ -1,5 +1,74 @@
 # Pundit
 
+## Unreleased
+
+## 2.5.2 (2025-09-24)
+
+### Fixed
+- Added `config/rubocop-rspec.yml` back from accidentally being excluded [#866](https://github.com/varvet/pundit/issues/866)
+
+## 2.5.1 (2025-09-12)
+
+### Fixed
+- Requiring only `pundit/rspec` no longer raises an error in Active Support [#857](https://github.com/varvet/pundit/issues/857)
+
+## 2.5.0 (2025-03-03)
+
+### Added
+
+- Add `Pundit::Authorization#pundit_reset!` hook to reset the policy and policy scope cache. [#830](https://github.com/varvet/pundit/issues/830)
+- Add links to gemspec. [#845](https://github.com/varvet/pundit/issues/845)
+- Register policies directories for Rails 8 code statistics [#833](https://github.com/varvet/pundit/issues/833)
+- Added an example for how to use pundit with Rails 8 authentication generator [#850](https://github.com/varvet/pundit/issues/850)
+
+### Changed
+
+- Deprecated `Pundit::SUFFIX`, moved it to `Pundit::PolicyFinder::SUFFIX` [#835](https://github.com/varvet/pundit/issues/835)
+- Explicitly require less of `active_support` [#837](https://github.com/varvet/pundit/issues/837)
+- Using `permit` matcher without a surrouding `permissions` block now raises a useful error. [#836](https://github.com/varvet/pundit/issues/836)
+
+### Fixed
+
+- Using a hash as custom cache in `Pundit.authorize` now works as documented. [#838](https://github.com/varvet/pundit/issues/838)
+
+## 2.4.0 (2024-08-26)
+
+### Changed
+
+- Improve the `NotAuthorizedError` message to include the policy class.
+  Furthermore, in the case where the record passed is a class instead of an instance, the class name is given. [#812](https://github.com/varvet/pundit/issues/812)
+
+### Added
+
+- Add customizable permit matcher description [#806](https://github.com/varvet/pundit/issues/806)
+- Add support for filter_run_when_matching :focus with permissions helper. [#820](https://github.com/varvet/pundit/issues/820)
+
+## 2.3.2 (2024-05-08)
+
+- Refactor: First pass of Pundit::Context [#797](https://github.com/varvet/pundit/issues/797)
+
+### Changed
+
+- Update `ApplicationPolicy` generator to qualify the `Scope` class name [#792](https://github.com/varvet/pundit/issues/792)
+- Policy generator uses `NoMethodError` to indicate `#resolve` is not implemented [#776](https://github.com/varvet/pundit/issues/776)
+
+## Deprecated
+
+- Dropped support for Ruby 3.0 [#796](https://github.com/varvet/pundit/issues/796)
+
+## 2.3.1 (2023-07-17)
+
+### Fixed
+
+- Use `Kernel.warn` instead of `ActiveSupport::Deprecation.warn` for deprecations [#764](https://github.com/varvet/pundit/issues/764)
+- Policy generator now works on Ruby 3.2 [#754](https://github.com/varvet/pundit/issues/754)
+
+## 2.3.0 (2022-12-19)
+
+### Added
+
+- add support for rubocop-rspec syntax extensions [#745](https://github.com/varvet/pundit/issues/745)
+
 ## 2.2.0 (2022-02-11)
 
 ### Fixed
@@ -12,41 +81,41 @@
 
 ### Deprecated
 
-- Deprecate `include Pundit` in favor of `include Pundit::Authorization` (#621)
+- Deprecate `include Pundit` in favor of `include Pundit::Authorization` [#621](https://github.com/varvet/pundit/issues/621)
 
 ## 2.1.1 (2021-08-13)
 
 Friday 13th-release!
 
-Careful! The bugfix below (#626) could break existing code. If you rely on the
+Careful! The bugfix below [#626](https://github.com/varvet/pundit/issues/626) could break existing code. If you rely on the
 return value for `authorize` and namespaced policies you might need to do some
 changes.
 
 ### Fixed
 
 - `.authorize` and `#authorize` return the instance, even for namespaced
-  policies (#626)
+  policies [#626](https://github.com/varvet/pundit/issues/626)
 
 ### Changed
 
-- Generate application scope with `protected` attr_readers. (#616)
+- Generate application scope with `protected` attr_readers. [#616](https://github.com/varvet/pundit/issues/616)
 
 ### Removed
 
-- Dropped support for Ruby end-of-life versions: 2.1 and 2.2. (#604)
-- Dropped support for Ruby end-of-life versions: 2.3 (#633)
-- Dropped support for Ruby end-of-life versions: 2.4, 2.5 and JRuby 9.1 (#676)
-- Dropped support for RSpec 2 (#615)
+- Dropped support for Ruby end-of-life versions: 2.1 and 2.2. [#604](https://github.com/varvet/pundit/issues/604)
+- Dropped support for Ruby end-of-life versions: 2.3 [#633](https://github.com/varvet/pundit/issues/633)
+- Dropped support for Ruby end-of-life versions: 2.4, 2.5 and JRuby 9.1 [#676](https://github.com/varvet/pundit/issues/676)
+- Dropped support for RSpec 2 [#615](https://github.com/varvet/pundit/issues/615)
 
 ## 2.1.0 (2019-08-14)
 
 ### Fixed
 
-- Avoid name clashes with the Error class. (#590)
+- Avoid name clashes with the Error class. [#590](https://github.com/varvet/pundit/issues/590)
 
 ### Changed
 
-- Return a safer default NotAuthorizedError message. (#583)
+- Return a safer default NotAuthorizedError message. [#583](https://github.com/varvet/pundit/issues/583)
 
 ## 2.0.1 (2019-01-18)
 
@@ -56,8 +125,8 @@ None
 
 ### Other changes
 
-- Improve exception handling for `#policy_scope` and `#policy_scope!`. (#550)
-- Add `:policy` metadata to RSpec template. (#566)
+- Improve exception handling for `#policy_scope` and `#policy_scope!`. [#550](https://github.com/varvet/pundit/issues/550)
+- Add `:policy` metadata to RSpec template. [#566](https://github.com/varvet/pundit/issues/566)
 
 ## 2.0.0 (2018-07-21)
 
@@ -67,20 +136,20 @@ No changes since beta1
 
 ### Breaking changes
 
-- Only pass last element of "namespace array" to policy and scope. (#529)
-- Raise `InvalidConstructorError` if a policy or policy scope with an invalid constructor is called. (#462)
-- Return passed object from `#authorize` method to make chaining possible. (#385)
+- Only pass last element of "namespace array" to policy and scope. [#529](https://github.com/varvet/pundit/issues/529)
+- Raise `InvalidConstructorError` if a policy or policy scope with an invalid constructor is called. [#462](https://github.com/varvet/pundit/issues/462)
+- Return passed object from `#authorize` method to make chaining possible. [#385](https://github.com/varvet/pundit/issues/385)
 
 ### Other changes
 
-- Add `policy_class` option to `authorize` to be able to override the policy. (#441)
-- Add `policy_scope_class` option to `authorize` to be able to override the policy scope. (#441)
-- Fix `param_key` issue when passed an array. (#529)
-- Allow specification of a `NilClassPolicy`. (#525)
-- Make sure `policy_class` override is called when passed an array. (#475)
+- Add `policy_class` option to `authorize` to be able to override the policy. [#441](https://github.com/varvet/pundit/issues/441)
+- Add `policy_scope_class` option to `authorize` to be able to override the policy scope. [#441](https://github.com/varvet/pundit/issues/441)
+- Fix `param_key` issue when passed an array. [#529](https://github.com/varvet/pundit/issues/529)
+- Allow specification of a `NilClassPolicy`. [#525](https://github.com/varvet/pundit/issues/525)
+- Make sure `policy_class` override is called when passed an array. [#475](https://github.com/varvet/pundit/issues/475)
 
-- Use `action_name` instead of `params[:action]`. (#419)
-- Add `pundit_params_for` method to make it easy to customize params fetching. (#502)
+- Use `action_name` instead of `params[:action]`. [#419](https://github.com/varvet/pundit/issues/419)
+- Add `pundit_params_for` method to make it easy to customize params fetching. [#502](https://github.com/varvet/pundit/issues/502)
 
 ## 1.1.0 (2016-01-14)
 
@@ -112,16 +181,16 @@ No changes since beta1
 
 ## 0.3.0 (2014-08-22)
 
-- Extend the default `ApplicationPolicy` with an `ApplicationPolicy::Scope` (#120)
-- Fix RSpec 3 deprecation warnings for built-in matchers (#162)
-- Generate blank policy spec/test files for Rspec/MiniTest/Test::Unit in Rails (#138)
+- Extend the default `ApplicationPolicy` with an `ApplicationPolicy::Scope` [#120](https://github.com/varvet/pundit/issues/120)
+- Fix RSpec 3 deprecation warnings for built-in matchers [#162](https://github.com/varvet/pundit/issues/162)
+- Generate blank policy spec/test files for Rspec/MiniTest/Test::Unit in Rails [#138](https://github.com/varvet/pundit/issues/138)
 
 ## 0.2.3 (2014-04-06)
 
-- Customizable error messages: `#query`, `#record` and `#policy` methods on `Pundit::NotAuthorizedError` (#114)
-- Raise a different `Pundit::AuthorizationNotPerformedError` when `authorize` call is expected in controller action but missing (#109)
-- Update Rspec matchers for Rspec 3 (#124)
+- Customizable error messages: `#query`, `#record` and `#policy` methods on `Pundit::NotAuthorizedError` [#114](https://github.com/varvet/pundit/issues/114)
+- Raise a different `Pundit::AuthorizationNotPerformedError` when `authorize` call is expected in controller action but missing [#109](https://github.com/varvet/pundit/issues/109)
+- Update Rspec matchers for Rspec 3 [#124](https://github.com/varvet/pundit/issues/124)
 
 ## 0.2.2 (2014-02-07)
 
-- Customize the user to be passed into policies: `pundit_user` (#42)
+- Customize the user to be passed into policies: `pundit_user` [#42](https://github.com/varvet/pundit/issues/42)

data/CONTRIBUTING.md

@@ -1,9 +1,6 @@
 ## Security issues
 
-If you have found a security related issue, please do not file an issue on
-GitHub or send a PR addressing the issue. Contact
-[Jonas](mailto:jonas.nicklas@gmail.com) directly. You will be given public
-credit for your disclosure.
+If you have found a security related issue, please do not file an issue on GitHub or send a PR addressing the issue. Refer to [SECURITY.md](./SECURITY.md) for instructions.
 
 ## Reporting issues
 
@@ -23,7 +20,7 @@ Pundit version, OS version and any stack traces you have are very valuable.
 - **Document any change in behaviour**. Make sure the README and any other
   relevant documentation are kept up-to-date.
 
-- **Create topic branches**. Please don't ask us to pull from your master branch.
+- **Create topic branches**. Please don't ask us to pull from your main branch.
 
 - **One pull request per feature**. If you want to do more than one thing, send
   multiple pull requests.
@@ -31,3 +28,4 @@ Pundit version, OS version and any stack traces you have are very valuable.
 - **Send coherent history**. Make sure each individual commit in your pull
   request is meaningful. If you had to make multiple intermediate commits while
   developing, please squash them before sending them to us.
+- **Update the CHANGELOG.** Don't forget to add your new changes to the CHANGELOG.

data/README.md

@@ -1,31 +1,29 @@
 # Pundit
 
-[![Build Status](https://secure.travis-ci.org/varvet/pundit.svg?branch=master)](https://travis-ci.org/varvet/pundit)
-[![Code Climate](https://codeclimate.com/github/varvet/pundit.svg)](https://codeclimate.com/github/varvet/pundit)
-[![Inline docs](http://inch-ci.org/github/varvet/pundit.svg?branch=master)](http://inch-ci.org/github/varvet/pundit)
-[![Gem Version](https://badge.fury.io/rb/pundit.svg)](http://badge.fury.io/rb/pundit)
+[![Main](https://github.com/varvet/pundit/actions/workflows/main.yml/badge.svg)](https://github.com/varvet/pundit/actions/workflows/main.yml)
+[![Maintainability](https://qlty.sh/gh/varvet/projects/pundit/maintainability.svg)](https://qlty.sh/gh/varvet/projects/pundit)
+[![Inline docs](https://inch-ci.org/github/varvet/pundit.svg?branch=main)](https://inch-ci.org/github/varvet/pundit)
+[![Gem Version](https://badge.fury.io/rb/pundit.svg)](https://badge.fury.io/rb/pundit)
 
 Pundit provides a set of helpers which guide you in leveraging regular Ruby
-classes and object oriented design patterns to build a simple, robust and
+classes and object oriented design patterns to build a straightforward, robust, and
 scalable authorization system.
 
-Links:
+## Links:
 
-- [API documentation for the most recent version](http://www.rubydoc.info/gems/pundit)
+- [API documentation for the most recent version](https://www.rubydoc.info/gems/pundit)
 - [Source Code](https://github.com/varvet/pundit)
-- [Contributing](https://github.com/varvet/pundit/blob/master/CONTRIBUTING.md)
-- [Code of Conduct](https://github.com/varvet/pundit/blob/master/CODE_OF_CONDUCT.md)
+- [Contributing](https://github.com/varvet/pundit/blob/main/CONTRIBUTING.md)
+- [Code of Conduct](https://github.com/varvet/pundit/blob/main/CODE_OF_CONDUCT.md)
 
-Sponsored by:
-
-[<img src="https://www.varvet.com/images/wordmark-red.svg" alt="Varvet" height="50px"/>](https://www.varvet.com)
+<strong>Sponsored by:</strong> <a href="https://www.varvet.com">Varvet<br><br><img src="https://github.com/varvet/pundit/assets/99166/aa9efa0a-6903-4037-abee-1824edc57f1a" alt="Varvet logo" height="120"></div>
 
 ## Installation
 
 > **Please note** that the README on GitHub is accurate with the _latest code on GitHub_. You are most likely using a released version of Pundit, so please refer to the [documentation for the latest released version of Pundit](https://www.rubydoc.info/gems/pundit).
 
-``` ruby
-gem "pundit"
+``` sh
+bundle add pundit
 ```
 
 Include `Pundit::Authorization` in your application controller:
@@ -49,8 +47,8 @@ can pick up any classes in the new `app/policies/` directory.
 ## Policies
 
 Pundit is focused around the notion of policy classes. We suggest that you put
-these classes in `app/policies`. This is a simple example that allows updating
-a post if the user is an admin, or if the post is unpublished:
+these classes in `app/policies`. This is an example that allows updating a post
+if the user is an admin, or if the post is unpublished:
 
 ``` ruby
 class PostPolicy
@@ -67,7 +65,7 @@ class PostPolicy
 end
 ```
 
-As you can see, this is just a plain Ruby class. Pundit makes the following
+As you can see, this is a plain Ruby class. Pundit makes the following
 assumptions about this class:
 
 - The class has the same name as some kind of model class, only suffixed
@@ -118,7 +116,7 @@ and the given record. It then infers from the action name, that it should call
 
 ``` ruby
 unless PostPolicy.new(current_user, @post).update?
-  raise Pundit::NotAuthorizedError, "not allowed to update? this #{@post.inspect}"
+  raise Pundit::NotAuthorizedError, "not allowed to PostPolicy#update? this Post"
 end
 ```
 
@@ -199,7 +197,7 @@ you can retrieve it by passing a symbol.
 class DashboardPolicy
   attr_reader :user
 
-  # _record in this example will just be :dashboard
+  # `_record` in this example will be :dashboard
   def initialize(user, _record)
     @user = user
   end
@@ -211,7 +209,7 @@ end
 ```
 
 Note that the headless policy still needs to accept two arguments. The
-second argument will just be the symbol `:dashboard` in this case which
+second argument will be the symbol `:dashboard` in this case, which
 is what is passed as the record to `authorize` below.
 
 ```ruby
@@ -279,7 +277,7 @@ generator, or create your own base class to inherit from:
 
 ``` ruby
 class PostPolicy < ApplicationPolicy
-  class Scope < Scope
+  class Scope < ApplicationPolicy::Scope
     def resolve
       if user.admin?
         scope.all
@@ -362,8 +360,15 @@ authorize individual instances.
 ``` ruby
 class ApplicationController < ActionController::Base
   include Pundit::Authorization
-  after_action :verify_authorized, except: :index
-  after_action :verify_policy_scoped, only: :index
+  after_action :verify_pundit_authorization
+
+  def verify_pundit_authorization
+    if action_name == "index"
+      verify_policy_scoped
+    else
+      verify_authorized
+    end
+  end
 end
 ```
 
@@ -374,7 +379,7 @@ these filters without affecting how your app works in any way.**
 
 Some people have found this feature confusing, while many others
 find it extremely helpful. If you fall into the category of people who find it
-confusing then you do not need to use it. Pundit will work just fine without
+confusing then you do not need to use it. Pundit will work fine without
 using `verify_authorized` and `verify_policy_scoped`.
 
 ### Conditional verification
@@ -419,20 +424,13 @@ class Post
 end
 ```
 
-## Just plain old Ruby
+## Plain old Ruby
 
-As you can see, Pundit doesn't do anything you couldn't have easily done
-yourself.  It's a very small library, it just provides a few neat helpers.
-Together these give you the power of building a well structured, fully working
-authorization system without using any special DSLs or funky syntax or
-anything.
+Pundit is a very small library on purpose, and it doesn't do anything you can't do yourself. There's no secret sauce here. It does as little as possible, and then gets out of your way.
 
-Remember that all of the policy and scope classes are just plain Ruby classes,
-which means you can use the same mechanisms you always use to DRY things up.
-Encapsulate a set of permissions into a module and include them in multiple
-policies. Use `alias_method` to make some permissions behave the same as
-others. Inherit from a base set of permissions. Use metaprogramming if you
-really have to.
+With the few but powerful helpers available in Pundit, you have the power to build a well structured, fully working authorization system without using any special DSLs or funky syntax.
+
+Remember that all of the policy and scope classes are plain Ruby classes, which means you can use the same mechanisms you always use to DRY things up. Encapsulate a set of permissions into a module and include them in multiple policies. Use `alias_method` to make some permissions behave the same as others. Inherit from a base set of permissions. Use metaprogramming if you really have to.
 
 ## Generator
 
@@ -483,7 +481,7 @@ example, associations which might be `nil`.
 
 ```ruby
 class NilClassPolicy < ApplicationPolicy
-  class Scope < Scope
+  class Scope < ApplicationPolicy::Scope
     def resolve
       raise Pundit::NotDefinedError, "Cannot scope NilClass"
     end
@@ -498,7 +496,7 @@ end
 ## Rescuing a denied Authorization in Rails
 
 Pundit raises a `Pundit::NotAuthorizedError` you can
-[rescue_from](http://guides.rubyonrails.org/action_controller_overview.html#rescue-from)
+[rescue_from](https://guides.rubyonrails.org/action_controller_overview.html#rescue-from)
 in your `ApplicationController`. You can customize the `user_not_authorized`
 method in every controller.
 
@@ -512,7 +510,7 @@ class ApplicationController < ActionController::Base
 
   def user_not_authorized
     flash[:alert] = "You are not authorized to perform this action."
-    redirect_to(request.referrer || root_path)
+    redirect_back_or_to(root_path)
   end
 end
 ```
@@ -541,7 +539,7 @@ class ApplicationController < ActionController::Base
    policy_name = exception.policy.class.to_s.underscore
 
    flash[:error] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
-   redirect_to(request.referrer || root_path)
+   redirect_back_or_to(root_path)
  end
 end
 ```
@@ -555,8 +553,7 @@ en:
      create?: 'You cannot create posts!'
 ```
 
-Of course, this is just an example. Pundit is agnostic as to how you implement
-your error messaging.
+This is an example. Pundit is agnostic as to how you implement your error messaging.
 
 ## Manually retrieving policies and scopes
 
@@ -578,9 +575,7 @@ those without the bang will return nil.
 
 ## Customize Pundit user
 
-In some cases your controller might not have access to `current_user`, or your
-`current_user` is not the method that should be invoked by Pundit. Simply
-define a method in your controller called `pundit_user`.
+On occasion, your controller may be unable to access `current_user`, or the method that should be invoked by Pundit may not be `current_user`. To address this, you can define a method in your controller named `pundit_user`.
 
 ```ruby
 def pundit_user
@@ -588,6 +583,36 @@ def pundit_user
 end
 ```
 
+For instance, Rails 8 includes a built-in [authentication generator](https://github.com/rails/rails/tree/8-0-stable/railties/lib/rails/generators/rails/authentication). If you choose to use it, the currently logged-in user is accessed via `Current.user` instead of `current_user`.
+
+To ensure compatibility with Pundit, define a `pundit_user` method in `application_controller.rb` (or another suitable location) as follows:
+
+```ruby
+def pundit_user
+  Current.user
+end
+```
+
+### Handling User Switching in Pundit
+
+When switching users in your application, it's important to reset the Pundit user context to ensure that authorization policies are applied correctly for the new user. Pundit caches the user context, so failing to reset it could result in incorrect permissions being applied.
+
+To handle user switching, you can use the following pattern in your controller:
+
+```ruby
+class ApplicationController
+  include Pundit::Authorization
+
+  def switch_user_to(user)
+    terminate_session if authenticated?
+    start_new_session_for user
+    pundit_reset!
+  end
+end
+```
+
+Make sure to invoke `pundit_reset!` whenever changing the user. This ensures the cached authorization context is reset, preventing any incorrect permissions from being applied.
+
 ## Policy Namespacing
 In some cases it might be helpful to have multiple policies that serve different contexts for a
 resource. A prime example of this is the case where User policies differ from Admin policies. To
@@ -692,7 +717,7 @@ You can now retrieve these attributes from the policy:
 class PostsController < ApplicationController
   def update
     @post = Post.find(params[:id])
-    if @post.update_attributes(post_params)
+    if @post.update(post_params)
       redirect_to @post
     else
       render :edit
@@ -714,7 +739,7 @@ However, this is a bit cumbersome, so Pundit provides a convenient helper method
 class PostsController < ApplicationController
   def update
     @post = Post.find(params[:id])
-    if @post.update_attributes(permitted_attributes(@post))
+    if @post.update(permitted_attributes(@post))
       redirect_to @post
     else
       render :edit
@@ -766,6 +791,10 @@ end
 
 ### Policy Specs
 
+> [!TIP]
+> An alternative approach to Pundit policy specs is scoping them to a user context as outlined in this
+[excellent post](https://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/) and implemented in the third party [pundit-matchers](https://github.com/punditcommunity/pundit-matchers) gem.
+
 Pundit includes a mini-DSL for writing expressive tests for your policies in RSpec.
 Require `pundit/rspec` in your `spec_helper.rb`:
 
@@ -795,25 +824,67 @@ describe PostPolicy do
 end
 ```
 
-An alternative approach to Pundit policy specs is scoping them to a user context as outlined in this
-[excellent post](http://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/) and implemented in the third party [pundit-matchers](https://github.com/chrisalley/pundit-matchers) gem.
+### Custom matcher description
+
+By default rspec includes an inspected `user` and `record` in the matcher description, which might become overly verbose:
+
+```
+PostPolicy
+  update? and show?
+    is expected to permit #<User:0x0000000104aefd80> and #<Post:0x0000000104aef8d0 @user=#<User:0x0000000104aefd80>>
+```
+
+You can override the default description with a static string, or a block:
+
+```ruby
+# static alternative: Pundit::RSpec::Matchers.description = "permit the user"
+Pundit::RSpec::Matchers.description = ->(user, record) do
+  "permit user with role #{user.role} to access record with ID #{record.id}"
+end
+```
+
+Which would make for a less chatty output:
+
+```
+PostPolicy
+  update? and show?
+    is expected to permit user with role admin to access record with ID 130
+```
+
+### Focus Support
+
+If your RSpec config has `filter_run_when_matching :focus`, you may tag the `permissions` helper like so:
+
+```
+permissions :show?, :focus do
+```
 
 ### Scope Specs
 
-Pundit does not provide a DSL for testing scopes. Just test it like a regular Ruby class!
+Pundit does not provide a DSL for testing scopes. Test them like you would a regular Ruby class!
+
+### Linting with RuboCop RSpec
+
+When you lint your RSpec spec files with `rubocop-rspec`, it will fail to properly detect RSpec constructs that Pundit defines, `permissions`.
+Make sure to use `rubocop-rspec` 2.0 or newer and add the following to your `.rubocop.yml`:
+
+```yaml
+inherit_gem:
+  pundit: config/rubocop-rspec.yml
+```
 
 # External Resources
 
 - [RailsApps Example Application: Pundit and Devise](https://github.com/RailsApps/rails-devise-pundit)
-- [Migrating to Pundit from CanCan](http://blog.carbonfive.com/2013/10/21/migrating-to-pundit-from-cancan/)
-- [Testing Pundit Policies with RSpec](http://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/)
+- [Migrating to Pundit from CanCan](https://blog.carbonfive.com/2013/10/21/migrating-to-pundit-from-cancan/)
+- [Testing Pundit Policies with RSpec](https://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/)
 - [Testing Pundit with Minitest](https://github.com/varvet/pundit/issues/204#issuecomment-60166450)
 - [Using Pundit outside of a Rails controller](https://github.com/varvet/pundit/pull/136)
-- [Straightforward Rails Authorization with Pundit](http://www.sitepoint.com/straightforward-rails-authorization-with-pundit/)
+- [Straightforward Rails Authorization with Pundit](https://www.sitepoint.com/straightforward-rails-authorization-with-pundit/)
 
 ## Other implementations
 
-- [Flask-Pundit](https://github.com/anurag90x/flask-pundit) (Python) is a [Flask](http://flask.pocoo.org/) extension "heavily inspired by" Pundit
+- [Flask-Pundit](https://github.com/anurag90x/flask-pundit) (Python) is a [Flask](https://flask.pocoo.org/) extension "heavily inspired by" Pundit
 
 # License
 

data/SECURITY.md

@@ -0,0 +1,19 @@
+# Security Policy
+
+Please do not file an issue on GitHub, or send a PR addressing the issue.
+
+## Supported versions
+
+Most recent major version only.
+
+## Reporting a vulnerability
+
+Contact one of the maintainers directly:
+
+* [@Burgestrand](https://github.com/Burgestrand)
+* [@dgmstuart](https://github.com/dgmstuart)
+* [@varvet](https://github.com/varvet)
+
+You can report vulnerabilities on GitHub too: https://github.com/varvet/pundit/security
+
+Thank you!

data/config/rubocop-rspec.yml

@@ -0,0 +1,5 @@
+RSpec:
+  Language:
+    ExampleGroups:
+      Regular:
+        - permissions

data/lib/generators/pundit/install/install_generator.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 
 module Pundit
+  # @private
   module Generators
+    # @private
     class InstallGenerator < ::Rails::Generators::Base
       source_root File.expand_path("templates", __dir__)
 
       def copy_application_policy
-        template "application_policy.rb", "app/policies/application_policy.rb"
+        template "application_policy.rb.tt", "app/policies/application_policy.rb"
       end
     end
   end

data/lib/generators/pundit/install/templates/{application_policy.rb → application_policy.rb.tt}

@@ -43,7 +43,7 @@ class ApplicationPolicy
     end
 
     def resolve
-      raise NotImplementedError, "You must define #resolve in #{self.class}"
+      raise NoMethodError, "You must define #resolve in #{self.class}"
     end
 
     private

data/lib/generators/pundit/policy/policy_generator.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 
 module Pundit
+  # @private
   module Generators
+    # @private
     class PolicyGenerator < ::Rails::Generators::NamedBase
       source_root File.expand_path("templates", __dir__)
 
       def create_policy
-        template "policy.rb", File.join("app/policies", class_path, "#{file_name}_policy.rb")
+        template "policy.rb.tt", File.join("app/policies", class_path, "#{file_name}_policy.rb")
       end
 
       hook_for :test_framework

data/lib/generators/pundit/policy/templates/policy.rb.tt

@@ -0,0 +1,16 @@
+<% module_namespacing do -%>
+class <%= class_name %>Policy < ApplicationPolicy
+  # NOTE: Up to Pundit v2.3.1, the inheritance was declared as
+  # `Scope < Scope` rather than `Scope < ApplicationPolicy::Scope`.
+  # In most cases the behavior will be identical, but if updating existing
+  # code, beware of possible changes to the ancestors:
+  # https://gist.github.com/Burgestrand/4b4bc22f31c8a95c425fc0e30d7ef1f5
+
+  class Scope < ApplicationPolicy::Scope
+    # NOTE: Be explicit about which records you allow access to!
+    # def resolve
+    #   scope.all
+    # end
+  end
+end
+<% end -%>