Closed tbcooney closed 3 years ago
I'm going to try to model it similarly to how @jnicklas outlines here: https://github.com/varvet/pundit/issues/188#issuecomment-52301296. I feel this is a little more difficult than the way CanCan implements it, where a hash of conditions can be passed to further restrict which records a permission applies to. Anyone care to chime in?

```ruby
class ApplicationController < ActionController::Base
  include Pundit

  # Pundit calls this instead of current_user, so every policy receives the
  # user together with the organization selected in the session. The code
  # that writes organization_id into the session is responsible for checking
  # that current_user actually belongs to that organization.
  def pundit_user
    if session[:organization_id]
      UserContext.new(current_user, Organization.find(session[:organization_id]))
    else
      UserContext.new(current_user)
    end
  end
end
```
Yeah, I think that would be a reasonable way to go about it. There's also some information about this in the Readme.
Thanks for the appropriate label @Linuus and sorry if I'm polluting the Issues section.
I wanted to confirm with someone experienced whether this is an appropriate use-case for Pundit or if I should consider a different way to implement authorization for my app. I've found my model setup seems to be quite standard, but given my use of the `Member` join table that associates a `User` to a specific `Store` (and holds the `role` attribute) I wanted to confirm I'm not contradicting the statement below.

> If you find yourself needing more context than that, consider whether you are authorizing the right domain model, maybe another domain model (or a wrapper around multiple domain models) can provide the context you need
It's probably too late but I just came across this. I have the same set-up with `enrollments` vs `roles`. I (my original developer actually) did this sort of set-up:

```ruby
class ApplicationPolicy
  attr_reader :user, :enrollment, :record, :context

  # Pundit passes pundit_user here; in this app that is the enrollment
  # context (which wraps the user), not the bare user.
  def initialize(context, record)
    @context = context
    @user = context.user
    @enrollment = context
    @record = record
  end

  # Convenience for policies that need the scope of the same record class.
  # The context (not the bare user) is passed on, because Scope#initialize
  # expects an object that responds to #user.
  def scope
    Pundit.policy_scope!(context, record.class)
  end

  class Scope
    attr_reader :user, :enrollment, :scope, :context

    def initialize(context, scope)
      @context = context
      @user = context.user
      @enrollment = context
      @scope = scope
    end

    def resolve
      scope
    end
  end
end
```

I then created methods in the enrollment like this, which I can then use all through my policies:

```ruby
enrollment.has_lead_role?(:administrator, :operations, :facilities)
enrollment.has_role?(:administrator, :owner)
enrollment.role_besides?(:guest)
```
Very cool. I ended up rolling my own version of Six, which is how Gitlab manages their policies.
I'm actually not sure if this is a Pundit or general permissions architectural problem, but I'm trying to set up a simple Pundit policy to restrict the actions a member within a company can perform. Users are joined as a Member to a company in a `has_many, through:` relationship. The Member model has a `role` attribute of `owner` or `user`.

Given a User that is a member of a Store, how can I restrict the access in a controller for the User's association to the Store? Below is an `Admin::MembersController` where a store owner can invite other members. I want to check on the `index` that the records can only be shown to the user if their member association to the store has a role set to `owner`.

Policy

User.rb

Member.rb

Store.rb
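As an added example (not code from the original issue, from Pundit, or from any of the commenters), here is a plain-Ruby sketch that ties the three ideas in this thread together: the `UserContext` wrapper handed to Pundit as `pundit_user`, enrollment-style role helpers such as `has_role?`, and a `MemberPolicy` with a `Scope` that answers the original question (only an `owner` of the current store may list or invite its members). It runs without Rails or the pundit gem, so `authorize!` and `visible_members` stand in for Pundit's `authorize` and `policy_scope` helpers; the in-memory `MEMBERS` data, the `owner?`/`membership` helper names and the `NotAuthorizedError` class are assumptions made for illustration.

```ruby
# Added example, not from the original issue or from Pundit. Plain Ruby so it
# runs without Rails; the sample data below is constructed for illustration.
User  = Struct.new(:id, :name)
Store = Struct.new(:id, :name)
# Member is the join row between a User and a Store; role is "owner" or "user".
Member = Struct.new(:id, :user, :store, :role)

# Constructed sample data: alice owns store 1 and is a plain user of store 2,
# bob is a plain user of store 1, carol owns store 2.
ALICE, BOB, CAROL = User.new(1, "alice"), User.new(2, "bob"), User.new(3, "carol")
STORE1, STORE2 = Store.new(1, "main"), Store.new(2, "branch")
MEMBERS = [
  Member.new(1, ALICE, STORE1, "owner"),
  Member.new(2, BOB,   STORE1, "user"),
  Member.new(3, CAROL, STORE2, "owner"),
  Member.new(4, ALICE, STORE2, "user"),
]

# The wrapper that pundit_user would return: the user plus the store selected
# in the session. Role helpers live here so every policy can ask "what is this
# user in *this* store" without repeating the lookup.
class UserContext
  attr_reader :user, :store

  def initialize(user, store = nil)
    @user = user
    @store = store
  end

  # The user's membership row for the current store, or nil if there is none
  # (no store selected, or the user is not a member of it).
  def membership
    return nil if store.nil?
    MEMBERS.find { |m| m.user == user && m.store == store }
  end

  # True if the membership role is any of the given roles (symbols or strings).
  def has_role?(*roles)
    m = membership
    !m.nil? && roles.map(&:to_s).include?(m.role)
  end

  def owner?
    has_role?(:owner)
  end
end

class NotAuthorizedError < StandardError; end

# Mirrors Pundit's policy shape: initialize(user, record), one predicate per
# action, and a nested Scope that narrows the relation for index.
class MemberPolicy
  attr_reader :context, :record

  def initialize(context, record)
    @context = context
    @record = record
  end

  # Only an owner of the current store may list its members.
  def index?
    context.owner?
  end

  # Only an owner may invite, and only into the store they own: the second
  # check stops an owner of store A from creating a membership in store B.
  def create?
    context.owner? && record.store == context.store
  end

  class Scope
    attr_reader :context, :scope

    def initialize(context, scope)
      @context = context
      @scope = scope
    end

    # Members of the current store, and nothing at all unless the caller owns it.
    def resolve
      return [] unless context.owner?
      scope.select { |m| m.store == context.store }
    end
  end
end

# Stand-in for Pundit's `authorize`: raises unless the predicate holds.
def authorize!(context, record, query)
  policy = MemberPolicy.new(context, record)
  raise NotAuthorizedError, "not allowed to #{query} #{record.inspect}" unless policy.public_send(query)
  record
end

# Stand-in for `policy_scope(Member)` in the index action.
def visible_members(context)
  MemberPolicy::Scope.new(context, MEMBERS).resolve
end
```

With this data, `visible_members(UserContext.new(ALICE, STORE1))` returns alice and bob, while the same call for bob (a plain `user`) or for alice in store 2 (where she is not an owner) returns an empty list rather than raising, which is the behaviour you want from a scope. The `create?` check is the one worth copying into a real app: checking `owner?` alone is not enough, because an owner could otherwise submit a form whose hidden `store_id` points at a store they do not own.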