itmammoth / rails_sortable

Easy drag & drop sorting with persisting the arranged order for rails
MIT License

Pundit authorization not performed on SortableController #55

Closed JenniferMB closed 3 years ago

JenniferMB commented 3 years ago

How do I resolve Pundit::AuthorizationNotPerformedError in SortableController#reorder? Must I override the controller in my application code in order to add the authorize command to the reorder method?

scarroll32 commented 3 years ago

@JenniferMB that's an interesting question!

I think you could simply add the reorder method to your Pundit policy for the affected model, and either mark it as true or add some permission logic.

e.g.:

def reorder
  true # or some actual permissions
end

You could also override the controller and skip the authorization. The controller is not namespaced in this gem, so you would need to copy in all the code, which would pose a problem when the gem is updated.

Perhaps an easier way, although slightly hacky, would be to do this at the ApplicationController level:

class ApplicationController
  if self.class == SortableController
    skip_authorization # could also be `skip_policy_scope`
  end
  ...
end

Neither of these is tested, but I would be interested to hear what solution you go with.

JenniferMB commented 3 years ago

I had already tried the first suggestion unsuccessfully; the second one wasn't effective, either.

To resolve the Pundit authorization error, I had to make a copy of the SortableController from the gem, add a before_action :authenticate_user and in the reorder method add skip_authorization.

itmammoth commented 3 years ago

This wiki can be of help to you. You can patch SortableController without copying from the gem.

scarroll32 commented 3 years ago

Thank you @itmammoth, yes this should work:

Create config/initializers/rails_sortable.rb.

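Rails.configuration.to_prepare do
  SortableController.class_eval do
    # skip_authorization is an instance method in Pundit, so it has to be
    # registered as a callback rather than called in the class body.
    before_action :skip_authorization
  end
end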
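Why the error appears and how a callback registered through `class_eval` clears it, as an added example that is not code from this thread, from Pundit or from rails_sortable. It is a plain-Ruby stand-in: `MiniController`, `GemController`, `PatchedController`, `ItemPolicy` and `authorize_reorder` are hypothetical names, and the callback authorizes against a policy instead of skipping the check, so a non-admin is still refused.

```ruby
# Constructed stand-in for Pundit's per-request bookkeeping (not Pundit itself).
class NotPerformed < StandardError; end
class NotAuthorized < StandardError; end

class ItemPolicy # hypothetical policy: only admins may reorder
  def initialize(user, _record); @user = user; end

  def reorder?
    @user[:admin] == true
  end
end

class MiniController
  def self.callbacks; @callbacks ||= []; end
  def self.before_action(name); callbacks << name; end

  def initialize(user); @user = user; end

  # Like Pundit's authorize: mark the request as checked, then ask the policy.
  def authorize(record, query)
    @checked = true
    raise NotAuthorized unless ItemPolicy.new(@user, record).public_send(query)
  end

  def process(action)
    self.class.callbacks.each { |cb| send(cb) } # callbacks run per request
    send(action)
    raise NotPerformed unless @checked # models after_action :verify_authorized
    :ok
  rescue NotPerformed
    :not_performed
  rescue NotAuthorized
    :not_authorized
  end
end

class GemController < MiniController # stands in for SortableController
  def reorder; end # the gem's action never calls authorize
end

class PatchedController < GemController; end
PatchedController.class_eval do # same shape as the initializer patch
  before_action :authorize_reorder
  def authorize_reorder
    authorize(:item, :reorder?)
  end
end
```

The unpatched controller ends in `:not_performed` for every user, while the patched one returns `:ok` for an admin and `:not_authorized` for anyone else.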