pundit 2.3.0 → 2.3.2
- checksums.yaml +4 -4
- data/.github/PULL_REQUEST_TEMPLATE/gem_release_template.md +8 -0
- data/.github/PULL_REQUEST_TEMPLATE/pull_request_template.md +9 -0
- data/.github/workflows/main.yml +107 -0
- data/.github/workflows/push_gem.yml +33 -0
- data/.rubocop.yml +7 -16
- data/CHANGELOG.md +22 -0
- data/CONTRIBUTING.md +2 -5
- data/Gemfile +3 -2
- data/README.md +26 -38
- data/SECURITY.md +19 -0
- data/lib/generators/pundit/install/templates/application_policy.rb +1 -1
- data/lib/generators/pundit/policy/templates/policy.rb +7 -1
- data/lib/generators/rspec/templates/policy_spec.rb +1 -1
- data/lib/pundit/authorization.rb +12 -4
- data/lib/pundit/cache_store/legacy_store.rb +17 -0
- data/lib/pundit/cache_store/null_store.rb +18 -0
- data/lib/pundit/context.rb +127 -0
- data/lib/pundit/policy_finder.rb +1 -1
- data/lib/pundit/version.rb +1 -1
- data/lib/pundit.rb +24 -88
- data/pundit.gemspec +4 -2
- data/spec/authorization_spec.rb +22 -6
- data/spec/generators_spec.rb +1 -1
- data/spec/pundit_spec.rb +14 -10
- data/spec/spec_helper.rb +112 -35
- metadata +21 -13
- data/.travis.yml +0 -26
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: aa554bffd828649aeac4e79a802070d4e68948beacbc9c991fddab7141a965c9
|
4
|
+
data.tar.gz: edf9be8366e5dfcb541eff929e99a04c2bfb23b800214bc39d68c790b32d7365
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 555ccc09f0cc62c3e1da52a7eafb2c3e4805a303c884da39c2ed1c8fc13583727d3e060381ed761f5dd06fdcc71cc3f98c4c991e64db8ac3ff5ff5a460f64aac
|
7
|
+
data.tar.gz: be290f6d6253367e0911525969fc8bb8972db670626bd9803ccd6e7fc1a1504afd1c921a5aac506ee9cfe559a9863bfb469dca3a656909b7ffa1d74aa4c6ea36
|
@@ -0,0 +1,8 @@
|
|
1
|
+
## To do
|
2
|
+
|
3
|
+
- [ ] Commit changes:
|
4
|
+
- [ ] Bump `Pundit::VERSION` in `lib/pundit/version.rb`.
|
5
|
+
- [ ] Update `CHANGELOG.md`.
|
6
|
+
- [ ] Run `rake release`.
|
7
|
+
- [ ] Open pull request 🚀
|
8
|
+
- [ ] Make an announcement in [Pundit discussions](https://github.com/varvet/pundit/discussions/categories/announcements).
|
@@ -0,0 +1,9 @@
|
|
1
|
+
## To do
|
2
|
+
|
3
|
+
- [ ] I have read the [contributing guidelines](https://github.com/varvet/pundit/contribute).
|
4
|
+
- [ ] I have added relevant tests.
|
5
|
+
- [ ] I have adjusted relevant documentation.
|
6
|
+
- [ ] I have made sure the individual commits are meaningful.
|
7
|
+
- [ ] I have added relevant lines to the CHANGELOG.
|
8
|
+
|
9
|
+
PS: Thank you for contributing to Pundit ❤️
|
@@ -0,0 +1,107 @@
|
|
1
|
+
name: Main
|
2
|
+
|
3
|
+
on:
|
4
|
+
push:
|
5
|
+
branches: [ "main" ]
|
6
|
+
pull_request:
|
7
|
+
branches: [ "main" ]
|
8
|
+
workflow_dispatch:
|
9
|
+
|
10
|
+
permissions:
|
11
|
+
contents: read
|
12
|
+
|
13
|
+
env:
|
14
|
+
CC_TEST_REPORTER_ID: "ac477089fe20ab4fc7e0d304cab75f72d73d58a7596d366935d18fcc7d51f8f9"
|
15
|
+
|
16
|
+
# `github.ref` points to the *merge commit* when running tests on a pull request, which will be a commit
|
17
|
+
# that doesn't exists in our code base. Since this workflow triggers from a PR, we use the HEAD SHA instead.
|
18
|
+
#
|
19
|
+
# NOTE: These are both used by Code Climate (cc-test-reporter).
|
20
|
+
GIT_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
|
21
|
+
GIT_BRANCH: ${{ github.head_ref }}
|
22
|
+
|
23
|
+
jobs:
|
24
|
+
matrix-test:
|
25
|
+
runs-on: ubuntu-latest
|
26
|
+
continue-on-error: ${{ matrix.allow-failure || false }}
|
27
|
+
strategy:
|
28
|
+
fail-fast: false
|
29
|
+
matrix:
|
30
|
+
ruby-version:
|
31
|
+
- '3.1'
|
32
|
+
- '3.2'
|
33
|
+
- '3.3'
|
34
|
+
- 'jruby-9.3.10' # oldest supported jruby
|
35
|
+
- 'jruby'
|
36
|
+
include: # HEAD-versions
|
37
|
+
- ruby-version: 'head'
|
38
|
+
allow-failure: true
|
39
|
+
- ruby-version: 'jruby-head'
|
40
|
+
allow-failure: true
|
41
|
+
- ruby-version: 'truffleruby-head'
|
42
|
+
allow-failure: true
|
43
|
+
|
44
|
+
steps:
|
45
|
+
- uses: actions/checkout@v3
|
46
|
+
- name: Set up Ruby
|
47
|
+
uses: ruby/setup-ruby@v1
|
48
|
+
with:
|
49
|
+
rubygems: latest
|
50
|
+
ruby-version: ${{ matrix.ruby-version }}
|
51
|
+
bundler-cache: true
|
52
|
+
- name: Run tests
|
53
|
+
run: bundle exec rspec
|
54
|
+
|
55
|
+
test:
|
56
|
+
runs-on: ubuntu-latest
|
57
|
+
steps:
|
58
|
+
- uses: actions/checkout@v3
|
59
|
+
- name: Set up Ruby
|
60
|
+
uses: ruby/setup-ruby@v1
|
61
|
+
with:
|
62
|
+
rubygems: latest
|
63
|
+
ruby-version: 'ruby'
|
64
|
+
bundler-cache: true
|
65
|
+
- name: "Download cc-test-reporter from codeclimate.com"
|
66
|
+
run: |
|
67
|
+
curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
|
68
|
+
chmod +x ./cc-test-reporter
|
69
|
+
- name: "Report to Code Climate that we will send a coverage report."
|
70
|
+
run: ./cc-test-reporter before-build
|
71
|
+
- name: Run tests
|
72
|
+
run: bundle exec rspec
|
73
|
+
env:
|
74
|
+
COVERAGE: 1
|
75
|
+
- name: Upload code coverage to Code Climate
|
76
|
+
run: |
|
77
|
+
./cc-test-reporter after-build \
|
78
|
+
--coverage-input-type simplecov \
|
79
|
+
./coverage/.resultset.json
|
80
|
+
|
81
|
+
rubocop:
|
82
|
+
runs-on: ubuntu-latest
|
83
|
+
steps:
|
84
|
+
- uses: actions/checkout@v3
|
85
|
+
- name: Set up Ruby
|
86
|
+
uses: ruby/setup-ruby@v1
|
87
|
+
with:
|
88
|
+
rubygems: default
|
89
|
+
ruby-version: 'ruby'
|
90
|
+
bundler-cache: false
|
91
|
+
- run: bundle install
|
92
|
+
- name: Run RuboCop
|
93
|
+
run: bundle exec rubocop
|
94
|
+
|
95
|
+
required-checks:
|
96
|
+
runs-on: ubuntu-latest
|
97
|
+
if: ${{ always() }}
|
98
|
+
needs:
|
99
|
+
- test
|
100
|
+
- matrix-test
|
101
|
+
- rubocop
|
102
|
+
steps:
|
103
|
+
- name: failure
|
104
|
+
if: ${{ failure() || contains(needs.*.result, 'failure') }}
|
105
|
+
run: exit 1
|
106
|
+
- name: success
|
107
|
+
run: exit 0
|
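Review bot: The coverage `test` job downloads `test-reporter-latest-linux-amd64` with curl and then executes it (`chmod +x ./cc-test-reporter`, `./cc-test-reporter before-build`, `after-build`) without any integrity check, so whatever codeclimate.com serves at that moment runs inside a job that also holds the repository checkout. Pinning a specific reporter release and verifying its published SHA-256 before the `chmod +x` line closes that gap; a minimal form is `echo "<EXPECTED_SHA256>  ./cc-test-reporter" | sha256sum -c -` with the placeholder replaced by the published digest. All three jobs also reference `actions/checkout@v3` and `ruby/setup-ruby@v1` by mutable tag, whereas the release workflow added in this same version pins every `uses:` to a commit SHA with a version comment; pinning here the same way keeps the two workflows consistent. The top-level `permissions: contents: read` is the right default and bounds what either supply-chain source could do.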
@@ -0,0 +1,33 @@
|
|
1
|
+
name: Push Gem
|
2
|
+
|
3
|
+
on:
|
4
|
+
workflow_dispatch:
|
5
|
+
|
6
|
+
permissions:
|
7
|
+
contents: read
|
8
|
+
|
9
|
+
jobs:
|
10
|
+
push:
|
11
|
+
if: github.repository == 'varvet/pundit'
|
12
|
+
runs-on: ubuntu-latest
|
13
|
+
|
14
|
+
permissions:
|
15
|
+
contents: write
|
16
|
+
id-token: write
|
17
|
+
|
18
|
+
steps:
|
19
|
+
# Set up
|
20
|
+
- name: Harden Runner
|
21
|
+
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
|
22
|
+
with:
|
23
|
+
egress-policy: audit
|
24
|
+
|
25
|
+
- uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
|
26
|
+
- name: Set up Ruby
|
27
|
+
uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # v1.176.0
|
28
|
+
with:
|
29
|
+
bundler-cache: true
|
30
|
+
ruby-version: ruby
|
31
|
+
|
32
|
+
# Release
|
33
|
+
- uses: rubygems/release-gem@612653d273a73bdae1df8453e090060bb4db5f31 # v1
|
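Review bot: `egress-policy: audit` on the Harden Runner step only records outbound connections, so it does not stop a compromised action or gem dependency from using the OIDC token that `id-token: write` grants the `push` job. Once the audit log shows which hosts the release actually needs, `egress-policy: block` with an `allowed-endpoints:` list gives the enforcement the step is there for. Binding the job to a protected GitHub environment (`environment: release`) would additionally require a reviewer before a `workflow_dispatch` run reaches `rubygems/release-gem`; whether such an environment exists in the repository settings is not visible here. The commit-SHA pinning with version comments on every `uses:` line is the right pattern and worth carrying over to `main.yml`.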
data/.rubocop.yml
CHANGED
@@ -1,7 +1,10 @@
|
|
1
1
|
AllCops:
|
2
|
-
TargetRubyVersion:
|
2
|
+
TargetRubyVersion: 3.1
|
3
3
|
Exclude:
|
4
4
|
- "lib/generators/**/templates/**/*"
|
5
|
+
<% `git status --ignored --porcelain`.lines.grep(/^!! /).each do |path| %>
|
6
|
+
- <%= path.sub(/^!! /, '').sub(/\/$/, '/**/*') %>
|
7
|
+
<% end %>
|
5
8
|
SuggestExtensions: false
|
6
9
|
NewCops: disable
|
7
10
|
|
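Review bot: The ERB added to `Exclude:` shells out with backticks (`` `git status --ignored --porcelain` ``) every time RuboCop loads its configuration, and neither the exit status nor the absence of `git` is handled: with no `git` on PATH the backtick raises `Errno::ENOENT` and RuboCop aborts before linting anything, while a non-zero exit (for example outside a work tree) silently yields an empty exclude list and a different set of offenses. Wrapping the loop in `<% if system("git", "rev-parse", "--is-inside-work-tree", out: File::NULL, err: File::NULL) %>` … `<% end %>` makes that failure mode explicit and keeps the generated list deterministic. The `^!! ` anchor is fine here because `.lines` yields one line at a time. Since the file ships in the gem as `data/.rubocop.yml`, the shell-out also runs for anyone linting an unpacked gem directory.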
@@ -20,15 +23,6 @@ Metrics/ModuleLength:
|
|
20
23
|
Layout/LineLength:
|
21
24
|
Max: 120
|
22
25
|
|
23
|
-
Metrics/AbcSize:
|
24
|
-
Enabled: false
|
25
|
-
|
26
|
-
Metrics/CyclomaticComplexity:
|
27
|
-
Enabled: false
|
28
|
-
|
29
|
-
Metrics/PerceivedComplexity:
|
30
|
-
Enabled: false
|
31
|
-
|
32
26
|
Gemspec/RequiredRubyVersion:
|
33
27
|
Enabled: false
|
34
28
|
|
@@ -59,14 +53,11 @@ Style/StringLiteralsInInterpolation:
|
|
59
53
|
Style/StructInheritance:
|
60
54
|
Enabled: false
|
61
55
|
|
62
|
-
Style/AndOr:
|
63
|
-
Enabled: false
|
64
|
-
|
65
|
-
Style/Not:
|
66
|
-
Enabled: false
|
67
|
-
|
68
56
|
Style/DoubleNegation:
|
69
57
|
Enabled: false
|
70
58
|
|
71
59
|
Style/Documentation:
|
72
60
|
Enabled: false # TODO: Enable again once we have more docs
|
61
|
+
|
62
|
+
Style/HashSyntax:
|
63
|
+
EnforcedShorthandSyntax: never
|
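--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,5 +1,27 @@
 # Pundit
 
+## Unreleased
+
+## 2.3.2 (2024-05-08)
+
+- Refactor: First pass of Pundit::Context (#797)
+
+## Changed
+
+- Update `ApplicationPolicy` generator to qualify the `Scope` class name (#792)
+- Policy generator uses `NoMethodError` to indicate `#resolve` is not implemented (#776)
+
+## Deprecated
+
+- Dropped support for Ruby 3.0 (#796)
+
+## 2.3.1 (2023-07-17)
+
+### Fixed
+
+- Use `Kernel.warn` instead of `ActiveSupport::Deprecation.warn` for deprecations (#764)
+- Policy generator now works on Ruby 3.2 (#754)
+
 ## 2.3.0 (2022-12-19)
 
 ### Added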
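--- a/data/CONTRIBUTING.md
+++ b/data/CONTRIBUTING.md
@@ -1,9 +1,6 @@
 ## Security issues
 
-If you have found a security related issue, please do not file an issue on
-GitHub or send a PR addressing the issue. Contact
-[Jonas](mailto:jonas.nicklas@gmail.com) directly. You will be given public
-credit for your disclosure.
+If you have found a security related issue, please do not file an issue on GitHub or send a PR addressing the issue. Refer to [SECURITY.md](./SECURITY.md) for instructions.
 
 ## Reporting issues
 
@@ -23,7 +20,7 @@ Pundit version, OS version and any stack traces you have are very valuable.
 - **Document any change in behaviour**. Make sure the README and any other
 relevant documentation are kept up-to-date.
 
-- **Create topic branches**. Please don't ask us to pull from your
+- **Create topic branches**. Please don't ask us to pull from your main branch.
 
 - **One pull request per feature**. If you want to do more than one thing, send
 multiple pull requests.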
data/Gemfile
CHANGED
data/README.md
CHANGED
@@ -1,24 +1,22 @@
|
|
1
1
|
# Pundit
|
2
2
|
|
3
|
-
[![
|
4
|
-
[![Code Climate](https://codeclimate.com/
|
5
|
-
[![Inline docs](http://inch-ci.org/github/varvet/pundit.svg?branch=
|
3
|
+
[![Main](https://github.com/varvet/pundit/actions/workflows/main.yml/badge.svg)](https://github.com/varvet/pundit/actions/workflows/main.yml)
|
4
|
+
[![Code Climate](https://api.codeclimate.com/v1/badges/a940030f96c9fb43046a/maintainability)](https://codeclimate.com/github/varvet/pundit/maintainability)
|
5
|
+
[![Inline docs](http://inch-ci.org/github/varvet/pundit.svg?branch=main)](http://inch-ci.org/github/varvet/pundit)
|
6
6
|
[![Gem Version](https://badge.fury.io/rb/pundit.svg)](http://badge.fury.io/rb/pundit)
|
7
7
|
|
8
8
|
Pundit provides a set of helpers which guide you in leveraging regular Ruby
|
9
|
-
classes and object oriented design patterns to build a
|
9
|
+
classes and object oriented design patterns to build a straightforward, robust, and
|
10
10
|
scalable authorization system.
|
11
11
|
|
12
|
-
Links:
|
12
|
+
## Links:
|
13
13
|
|
14
14
|
- [API documentation for the most recent version](http://www.rubydoc.info/gems/pundit)
|
15
15
|
- [Source Code](https://github.com/varvet/pundit)
|
16
|
-
- [Contributing](https://github.com/varvet/pundit/blob/
|
17
|
-
- [Code of Conduct](https://github.com/varvet/pundit/blob/
|
16
|
+
- [Contributing](https://github.com/varvet/pundit/blob/main/CONTRIBUTING.md)
|
17
|
+
- [Code of Conduct](https://github.com/varvet/pundit/blob/main/CODE_OF_CONDUCT.md)
|
18
18
|
|
19
|
-
Sponsored by
|
20
|
-
|
21
|
-
[<img src="https://www.varvet.com/images/wordmark-red.svg" alt="Varvet" height="50px"/>](https://www.varvet.com)
|
19
|
+
<strong>Sponsored by:</strong> <a href="https://www.varvet.com">Varvet<br><br><img src="https://github.com/varvet/pundit/assets/99166/aa9efa0a-6903-4037-abee-1824edc57f1a" alt="Varvet logo" height="120"></div>
|
22
20
|
|
23
21
|
## Installation
|
24
22
|
|
@@ -49,8 +47,8 @@ can pick up any classes in the new `app/policies/` directory.
|
|
49
47
|
## Policies
|
50
48
|
|
51
49
|
Pundit is focused around the notion of policy classes. We suggest that you put
|
52
|
-
these classes in `app/policies`. This is
|
53
|
-
|
50
|
+
these classes in `app/policies`. This is an example that allows updating a post
|
51
|
+
if the user is an admin, or if the post is unpublished:
|
54
52
|
|
55
53
|
``` ruby
|
56
54
|
class PostPolicy
|
@@ -67,7 +65,7 @@ class PostPolicy
|
|
67
65
|
end
|
68
66
|
```
|
69
67
|
|
70
|
-
As you can see, this is
|
68
|
+
As you can see, this is a plain Ruby class. Pundit makes the following
|
71
69
|
assumptions about this class:
|
72
70
|
|
73
71
|
- The class has the same name as some kind of model class, only suffixed
|
@@ -199,7 +197,7 @@ you can retrieve it by passing a symbol.
|
|
199
197
|
class DashboardPolicy
|
200
198
|
attr_reader :user
|
201
199
|
|
202
|
-
# _record in this example will
|
200
|
+
# `_record` in this example will be :dashboard
|
203
201
|
def initialize(user, _record)
|
204
202
|
@user = user
|
205
203
|
end
|
@@ -211,7 +209,7 @@ end
|
|
211
209
|
```
|
212
210
|
|
213
211
|
Note that the headless policy still needs to accept two arguments. The
|
214
|
-
second argument will
|
212
|
+
second argument will be the symbol `:dashboard` in this case, which
|
215
213
|
is what is passed as the record to `authorize` below.
|
216
214
|
|
217
215
|
```ruby
|
@@ -279,7 +277,7 @@ generator, or create your own base class to inherit from:
|
|
279
277
|
|
280
278
|
``` ruby
|
281
279
|
class PostPolicy < ApplicationPolicy
|
282
|
-
class Scope < Scope
|
280
|
+
class Scope < ApplicationPolicy::Scope
|
283
281
|
def resolve
|
284
282
|
if user.admin?
|
285
283
|
scope.all
|
@@ -374,7 +372,7 @@ these filters without affecting how your app works in any way.**
|
|
374
372
|
|
375
373
|
Some people have found this feature confusing, while many others
|
376
374
|
find it extremely helpful. If you fall into the category of people who find it
|
377
|
-
confusing then you do not need to use it. Pundit will work
|
375
|
+
confusing then you do not need to use it. Pundit will work fine without
|
378
376
|
using `verify_authorized` and `verify_policy_scoped`.
|
379
377
|
|
380
378
|
### Conditional verification
|
@@ -419,20 +417,13 @@ class Post
|
|
419
417
|
end
|
420
418
|
```
|
421
419
|
|
422
|
-
##
|
420
|
+
## Plain old Ruby
|
421
|
+
|
422
|
+
Pundit is a very small library on purpose, and it doesn't do anything you can't do yourself. There's no secret sauce here. It does as little as possible, and then gets out of your way.
|
423
423
|
|
424
|
-
|
425
|
-
yourself. It's a very small library, it just provides a few neat helpers.
|
426
|
-
Together these give you the power of building a well structured, fully working
|
427
|
-
authorization system without using any special DSLs or funky syntax or
|
428
|
-
anything.
|
424
|
+
With the few but powerful helpers available in Pundit, you have the power to build a well structured, fully working authorization system without using any special DSLs or funky syntax.
|
429
425
|
|
430
|
-
Remember that all of the policy and scope classes are
|
431
|
-
which means you can use the same mechanisms you always use to DRY things up.
|
432
|
-
Encapsulate a set of permissions into a module and include them in multiple
|
433
|
-
policies. Use `alias_method` to make some permissions behave the same as
|
434
|
-
others. Inherit from a base set of permissions. Use metaprogramming if you
|
435
|
-
really have to.
|
426
|
+
Remember that all of the policy and scope classes are plain Ruby classes, which means you can use the same mechanisms you always use to DRY things up. Encapsulate a set of permissions into a module and include them in multiple policies. Use `alias_method` to make some permissions behave the same as others. Inherit from a base set of permissions. Use metaprogramming if you really have to.
|
436
427
|
|
437
428
|
## Generator
|
438
429
|
|
@@ -483,7 +474,7 @@ example, associations which might be `nil`.
|
|
483
474
|
|
484
475
|
```ruby
|
485
476
|
class NilClassPolicy < ApplicationPolicy
|
486
|
-
class Scope < Scope
|
477
|
+
class Scope < ApplicationPolicy::Scope
|
487
478
|
def resolve
|
488
479
|
raise Pundit::NotDefinedError, "Cannot scope NilClass"
|
489
480
|
end
|
@@ -541,7 +532,7 @@ class ApplicationController < ActionController::Base
|
|
541
532
|
policy_name = exception.policy.class.to_s.underscore
|
542
533
|
|
543
534
|
flash[:error] = t "#{policy_name}.#{exception.query}", scope: "pundit", default: :default
|
544
|
-
redirect_back(
|
535
|
+
redirect_back(fallback_location: root_path)
|
545
536
|
end
|
546
537
|
end
|
547
538
|
```
|
@@ -555,8 +546,7 @@ en:
|
|
555
546
|
create?: 'You cannot create posts!'
|
556
547
|
```
|
557
548
|
|
558
|
-
|
559
|
-
your error messaging.
|
549
|
+
This is an example. Pundit is agnostic as to how you implement your error messaging.
|
560
550
|
|
561
551
|
## Manually retrieving policies and scopes
|
562
552
|
|
@@ -578,9 +568,7 @@ those without the bang will return nil.
|
|
578
568
|
|
579
569
|
## Customize Pundit user
|
580
570
|
|
581
|
-
|
582
|
-
`current_user` is not the method that should be invoked by Pundit. Simply
|
583
|
-
define a method in your controller called `pundit_user`.
|
571
|
+
On occasion, your controller may be unable to access `current_user`, or the method that should be invoked by Pundit may not be `current_user`. To address this, you can define a method in your controller named `pundit_user`.
|
584
572
|
|
585
573
|
```ruby
|
586
574
|
def pundit_user
|
@@ -796,11 +784,11 @@ end
|
|
796
784
|
```
|
797
785
|
|
798
786
|
An alternative approach to Pundit policy specs is scoping them to a user context as outlined in this
|
799
|
-
[excellent post](http://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/) and implemented in the third party [pundit-matchers](https://github.com/
|
787
|
+
[excellent post](http://thunderboltlabs.com/blog/2013/03/27/testing-pundit-policies-with-rspec/) and implemented in the third party [pundit-matchers](https://github.com/punditcommunity/pundit-matchers) gem.
|
800
788
|
|
801
789
|
### Scope Specs
|
802
790
|
|
803
|
-
Pundit does not provide a DSL for testing scopes.
|
791
|
+
Pundit does not provide a DSL for testing scopes. Test them like you would a regular Ruby class!
|
804
792
|
|
805
793
|
### Linting with RuboCop RSpec
|
806
794
|
|
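--- /dev/null
+++ b/data/SECURITY.md
@@ -0,0 +1,19 @@
+# Security Policy
+
+Please do not file an issue on GitHub, or send a PR addressing the issue.
+
+## Supported versions
+
+Most recent major version only.
+
+## Reporting a vulnerability
+
+Contact one of the maintainers directly:
+
+* [@Burgestrand](https://github.com/Burgestrand)
+* [@dgmstuart](https://github.com/dgmstuart)
+* [@varvet](https://github.com/varvet)
+
+You can report vulnerabilities on GitHub too: https://github.com/varvet/pundit/security
+
+Thank you!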
@@ -1,6 +1,12 @@
|
|
1
1
|
<% module_namespacing do -%>
|
2
2
|
class <%= class_name %>Policy < ApplicationPolicy
|
3
|
-
|
3
|
+
# NOTE: Up to Pundit v2.3.1, the inheritance was declared as
|
4
|
+
# `Scope < Scope` rather than `Scope < ApplicationPolicy::Scope`.
|
5
|
+
# In most cases the behavior will be identical, but if updating existing
|
6
|
+
# code, beware of possible changes to the ancestors:
|
7
|
+
# https://gist.github.com/Burgestrand/4b4bc22f31c8a95c425fc0e30d7ef1f5
|
8
|
+
|
9
|
+
class Scope < ApplicationPolicy::Scope
|
4
10
|
# NOTE: Be explicit about which records you allow access to!
|
5
11
|
# def resolve
|
6
12
|
# scope.all
|
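--- a/data/lib/pundit/authorization.rb
+++ b/data/lib/pundit/authorization.rb
@@ -15,6 +15,14 @@ module Pundit
 
 protected
 
+# @return [Pundit::Context] a new instance of {Pundit::Context} with the current user
+def pundit
+@pundit ||= Pundit::Context.new(
+user: pundit_user,
+policy_cache: Pundit::CacheStore::LegacyStore.new(policies)
+)
+end
+
 # @return [Boolean] whether authorization has been performed, i.e. whether
 # one {#authorize} or {#skip_authorization} has been called
 def pundit_policy_authorized?
@@ -64,7 +72,7 @@ module Pundit
 
 @_pundit_policy_authorized = true
 
-
+pundit.authorize(record, query: query, policy_class: policy_class)
 end
 
 # Allow this action not to perform authorization.
@@ -98,9 +106,9 @@ module Pundit
 #
 # @see https://github.com/varvet/pundit#policies
 # @param record [Object] the object we're retrieving the policy for
-# @return [Object
+# @return [Object] instance of policy class with query methods
 def policy(record)
-
+pundit.policy!(record)
 end
 
 # Retrieves a set of permitted attributes from the policy by instantiating
@@ -162,7 +170,7 @@ module Pundit
 private
 
 def pundit_policy_scope(scope)
-policy_scopes[scope] ||=
+policy_scopes[scope] ||= pundit.policy_scope!(scope)
 end
 end
 end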
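Review bot: `pundit` memoizes the context with `@pundit ||=`, so `pundit_user` is read once per controller instance and every later `authorize`, `policy` and `pundit_policy_scope` call in that request reuses that user, while the cache handed to the context (`LegacyStore.new(policies)`) is keyed by record only; if `pundit_user` can change within one controller instance (an impersonation switch, say — whether any caller does this is not visible here) policies built for the earlier user would be reused silently. The YARD text "a new instance of {Pundit::Context}" contradicts the `||=`; `# @return [Pundit::Context] the context memoized for this controller instance; pundit_user is read on first use` states the actual contract. If the previous implementation read `pundit_user` on every call (the removed lines are not legible on this page), the changed lifetime deserves a CHANGELOG entry.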
@@ -0,0 +1,17 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
module Pundit
|
4
|
+
module CacheStore
|
5
|
+
# @api private
|
6
|
+
class LegacyStore
|
7
|
+
def initialize(hash = {})
|
8
|
+
@store = hash
|
9
|
+
end
|
10
|
+
|
11
|
+
def fetch(user:, record:)
|
12
|
+
_ = user
|
13
|
+
@store[record] ||= yield
|
14
|
+
end
|
15
|
+
end
|
16
|
+
end
|
17
|
+
end
|
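Review bot: `fetch` accepts `user:` but discards it (`_ = user`), so entries are keyed by `record` alone and the store is only correct while one instance serves exactly one user; a `LegacyStore` shared across users would return a policy built for someone else. Nothing in the class states that invariant, and `@api private` does not convey it to whoever wires a different cache into `Pundit::Context`; a comment above `fetch` such as `# Ignores +user+: entries are keyed by record only, so a store must never be shared across users or outlive the request (compatibility shim around the +policies+ hash).` makes the assumption explicit. Note also that `@store[record] ||= yield` re-runs the block whenever a previous result was `nil` or `false`, which is harmless for policy objects but differs from a `key?`-based cache.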