Closed mepatterson closed 3 years ago
NOTE: this was working just fine on Ruby 2.7 and I upgraded my app to 3.0.1 and this blew up
Interesting. Our tests pass, and we have a similar example: https://github.com/palkan/action_policy/blob/73daca0232b2eb7b632b811f83bcdfd307927b79/test/action_policy/behaviour_test.rb#L21
Does your class include only ActionPolicy::Behaviour
or some other behaviors as well?
It's a StimulusReflex class, so it does other fancy things for sure, but I couldn't find any reason why it would be throwing an arguments error on the "authorize!" call only in Ruby 3
Could you please try to provide a reproduction script? (We have a template)
Ok, so I solved this. And, of course, it was my fault.
But... maybe worth noting here in case someone else does the same thing I did.
For StimulusReflex, I was integrating ActionPolicy into Reflex classes. I did this:
def authorize!(*)
@authorization_performed = true
super
end
# Call this method if you don't need to authorize the reflex
def skip_authorization!
@authorization_performed = true
end
after_reflex do
raise "Unauthorized Reflex! Make sure you're calling `authorize!` in the reflex method" unless @authorization_performed
end
Of course, def authorize!(*)
works in Ruby 2.7 but DOES NOT work in Ruby 3.
So I switched it to def authorize!(record = :__undef__, to:, **options)
matching the ActionPolicy code and it works great.
My question: Is there a better way to do this that I'm not thinking about? Some kind of before_authorize
?
So I switched it to def authorize!(record = :undef, to:, **options) matching the ActionPolicy code and it works great.
That's a good case for def authorize!(...)
(I should probably switch to it in the library).
My question: Is there a better way to do this that I'm not thinking about? Some kind of before_authorize?
authorize!
could be called multiple times in theory, so, we can use class-level callbacks here. Maybe, we can add some alias to distinguish main authorization from others.
Getting ActionPolicy to work with StimulusReflex classes is a huge win, imo. So much of my code now involves Reflexes morphing some piece of the dom surgically, so being able to authorize that reflex method to say "nope, I don't care how you initiated this reflex, you don't have authority to do that" is really cool.
Getting ActionPolicy to work with StimulusReflex classes is a huge win, imo
Glad to hear that! Would you like to propose a PR to SR docs to describe the usage of Action Policy for authorization (here https://docs.stimulusreflex.com/rtfm/authentication#authorization)?
Tell us about your environment
Ruby Version: 3.0.1
Framework Version (Rails, whatever): Rails 6.1
Action Policy Version: 0.5.7
What did you do?
What did you expect to happen?
It checks the authorization policy and continues along.
What actually happened?