Help with gestalt of Pundit's authorize, please

Help with gestalt of Pundit's authorize, please

Ralph Shnelvar
The best explanation I have found for the gestalt of Pundit is https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ 

And yet ... I don't get it.

I can understand each statement in https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ ... but when I get to what the "authorize(@post)" in

    def create
      @post = Post.new(params[:post])
      authorize(@post)
    end

does ... I don't get it.

I'm trying to put together an English sentence for "authorize(@post)".  Please tell me if I'm close.



authorize(@post)
means ...

For the current user (i.e. current_user) and
for the @post object
throw a NotAuthorizedError exception if PostPolicy#create? returns false



I think the "hidden" inputs to authorize come from the following sources:
    current_user   from Devise's current_user
    @post          is the self-evident argument to authorize
    PostPolicy     is built from the name of the class of the object @post followed by the word "Policy" (i.e. @post.class.to_s + 'Policy')
    create?        is built from params[:action].  That is, since we know we're in def create then params[:action] must be "create".

How close am I?

Ralph

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/c434a226-68b7-4ed3-9a62-eaab7c8ebef6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: Help with gestalt of Pundit's authorize, please

Ralph Shnelvar
While I'm at it ...

In
authorize(@post)
WHAT is being "authorize-d"?  The @post ?  The current_user ?  The controller action ?  Something else ?

Ralph



Re: Help with gestalt of Pundit's authorize, please

Frederick Cheung-2
In reply to this post by Ralph Shnelvar


On Monday, July 17, 2017 at 8:02:11 AM UTC+1, Ralph Shnelvar wrote:

authorize(@post)
means ...

For the current user (i.e. current_user) and
for the @post object
throw a NotAuthorizedError exception if PostPolicy#create? returns false

I think the "hidden" inputs to authorize come from the following sources:
    current_user   from Devise's current_user
    @post          is the self-evident argument to authorize
    PostPolicy     is built from the name of the class of the object @post followed by the word "Policy" (i.e. @post.class.to_s + 'Policy')
    create?        is built from params[:action].  That is, since we know we're in def create then params[:action] must be "create".



Sounds about right. This is described in the Pundit readme (https://github.com/elabs/pundit).

Fred

Re: Help with gestalt of Pundit's authorize, please

Frederick Cheung-2
In reply to this post by Ralph Shnelvar

On Monday, July 17, 2017 at 1:08:08 PM UTC+1, Ralph Shnelvar wrote:
While I'm at it ...

In
authorize(@post)
WHAT is being "authorize-d"?  The @post ?  The current_user ?  The controller action ?  Something else ?


All 3: this checks that the current user can perform a given action (inferred from controller action) upon the passed object.

It might be better phrased as "check_authorized" rather than "authorize", which sounds a bit like you are granting access rather than checking for access.

Fred


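To make Fred's two answers concrete, here is an added example that is not from this thread and not Pundit's own source: a from-scratch, self-contained model of what authorize(record) does. It derives the policy class from the record's class name plus "Policy", derives the query method from params[:action] plus "?", hands current_user and the record to the policy, and raises NotAuthorizedError unless the query returns true. It checks; it never grants. The User and Post structs, the FakeController stand-in for the controller, the PostPolicy rules and the outcome helper are all constructed for this illustration and are not part of any real application.

```ruby
# Added example, not Pundit's code: a minimal re-creation of the
# authorize(record) mechanism so each implicit input is visible.

NotAuthorizedError = Class.new(StandardError)

# Constructed sample domain objects (not from the thread).
User = Struct.new(:id, :admin)
Post = Struct.new(:id, :owner_id)

# The policy that the lookup "<record class name>Policy" resolves to for a Post.
# Each query method mirrors a controller action name followed by "?".
class PostPolicy
  attr_reader :user, :post

  def initialize(user, post)
    @user = user
    @post = post
  end

  # Any signed-in user may create a post; an anonymous user may not.
  def create?
    !user.nil?
  end

  # Only the owner or an admin may update an existing post.
  def update?
    return false if user.nil?
    user.admin || post.owner_id == user.id
  end
end

# Stand-in for the controller context that authorize reads implicitly:
# current_user (in a Rails app typically provided by Devise) and params[:action].
class FakeController
  attr_reader :current_user, :params

  def initialize(current_user, action)
    @current_user = current_user
    @params = { action: action }
  end

  # Re-creation of authorize(record): build the policy name from the record's
  # class, the query from the action name, instantiate the policy with
  # (current_user, record), and raise unless the query answers true.
  def authorize(record, query = nil)
    query ||= "#{params[:action]}?"
    policy_class = Object.const_get("#{record.class.name}Policy")
    policy = policy_class.new(current_user, record)
    unless policy.public_send(query)
      raise NotAuthorizedError, "#{policy_class}##{query} returned false"
    end
    record
  end
end

# Returns :allowed or :denied so the check's outcome can be asserted on.
def outcome(user, action, record)
  FakeController.new(user, action).authorize(record)
  :allowed
rescue NotAuthorizedError
  :denied
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, false)
  bob   = User.new(2, false)
  post  = Post.new(10, alice.id)
  puts outcome(alice, "create", post)  # allowed: signed in
  puts outcome(bob,   "update", post)  # denied: not the owner
  puts outcome(nil,   "create", post)  # denied: anonymous
end
```

The three inputs Ralph listed line up with the three things this version reads: current_user and params[:action] come from the controller, the record is the explicit argument, and PostPolicy#create? is only ever consulted, never set. Real Pundit adds details this model skips (policy lookup via a finder, a `policy_scope`, `verify_authorized` after_action), but the check-and-raise shape is the same.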