NYCrb / devpunks

http://devPunks.com modern development site for podcast & youtube videos
MIT License

[Talk Proposal] Migrating our authorization framework from cancancan to Pundit #50

Closed nassredean closed 1 year ago

nassredean commented 5 years ago

Hello there,

My team at VTS recently conducted a migration of our authorization layer from the cancancan framework to Pundit. I think discussing this migration could be an interesting talk. Some of the topics I would cover would include:

1) What led to the decision to migrate? What are the differences between libraries that made Pundit more appealing to us?

2) How do we authorize? How do we handle scopes? How do we handle skipping authorization? How do we ensure that resources are always authorized and that we do not leak application data to the wrong users? This section is not purely a "how to use Pundit", but more discussing the strategy behind our authorization layer.

3) How did we go about doing the migration? How did we mitigate risk? What were our general refactoring strategies?

4) What challenges do we still face when it comes to authorizing? This includes having to skip authorization sometimes, places where Pundit's authorization verification falls short, authorizing in background jobs, and having to authorize leaf nodes in serializers.
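The "always authorized, never leak data" strategy in item 2 maps onto three Pundit conventions: a Policy with one predicate per action, a Policy::Scope for collections, and an after-action check that fails closed when an action never authorized. The sketch below is an added example, not VTS's code and not the Pundit gem itself; User, Document and the controller are constructed stand-ins, and `run` plays the role of Pundit's `after_action :verify_authorized`.

```ruby
# Constructed stand-ins for the application models (not real VTS or Pundit classes).
User     = Struct.new(:id, :admin, keyword_init: true)
Document = Struct.new(:id, :owner_id, keyword_init: true)
class NotAuthorizedError < StandardError; end
class AuthorizationNotPerformedError < StandardError; end

# Pundit-style policy: one predicate per action, asked about one user and one record.
class DocumentPolicy
  def initialize(user, record); @user, @record = user, record; end
  def show?
    @user.admin || @record.owner_id == @user.id
  end
  # Scope narrows a collection to what the user may see, so index never leaks rows.
  class Scope
    def initialize(user, scope); @user, @scope = user, scope; end
    def resolve
      @user.admin ? @scope : @scope.select { |d| d.owner_id == @user.id }
    end
  end
end

class DocumentsController
  def initialize(user, documents); @user, @documents, @authorized = user, documents, false; end
  def show(id)
    authorize(@documents.find { |d| d.id == id }, :show?)
  end
  def index
    @authorized = true # scoping the collection is the authorization step here
    DocumentPolicy::Scope.new(@user, @documents).resolve
  end
  def leaky_show(id) # forgets to authorize; run() rejects it, as verify_authorized would
    @documents.find { |d| d.id == id }
  end
  # Stand-in for Pundit's `after_action :verify_authorized`: fail closed, never open.
  def run(action, *args)
    result = public_send(action, *args)
    raise AuthorizationNotPerformedError, action.to_s unless @authorized
    result
  end

  private

  def authorize(record, query)
    raise NotAuthorizedError, "#{query} denied" unless DocumentPolicy.new(@user, record).public_send(query)
    @authorized = true
    record
  end
end
```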

palkan commented 5 years ago

I'd like to see this talk)

places where Pundit's authorization verification falls short, authorizing in background jobs, and having to authorize leaf nodes in serializers.

btw, have you considered Action Policy instead of Pundit?

nassredean commented 5 years ago

@palkan Thank you! To be honest with you, we did not consider Action Policy as an alternative to Pundit, but for no reason other than we weren't aware of it! We had a team member who advocated for Pundit and was quite experienced with it, and so that is the direction we went in. I would like to do some research into it to see if it can address some of the challenges we have faced while using Pundit.