search

varvet / pundit

Minimal authorization through OO design and pure Ruby classes
MIT License
8.26k stars 627 forks source link

Headless policies and namespaces, please update documentation #644

Closed estani closed 4 years ago

estani commented 4 years ago

After a while I found a mention in StackOverflow on how to use headless policies with namespaces. This was the answer:

class ProjectReporting::DashboardsController < TenantController
  def index
    authorize [:some_module, :dashboard]
  end
end
# and .../policies/some_module/dashboard_policy.rb

I later found even another option:

class ProjectReporting::DashboardsController < TenantController
  def index
    authorize self.class
  end
end
# and .../policies/some_module/dashboards_controller_policy.rb

None is very intuitive, it would be good to add it to the documentation, if this is indeed supported (or whatever is the encouraged way of doing it)

(If you ask me, a better solution might have been to use authorize self and get the name from obj.class.name.sub /Controller$/,'')

Linuus commented 4 years ago

The first alternative is what’s described in the docs.

Here’s the docs for headless policies: https://github.com/varvet/pundit/blob/master/README.md#headless-policies

Namespaces: https://github.com/varvet/pundit/blob/master/README.md#policy-namespacing

What is it that needs to be clarified?

estani commented 4 years ago

Oh! I missed the namespaces... I think is ok as it is, I should have found the other part after finding the headless policy info. Sorry for that!