Closed bmulholland closed 2 years ago
I don't think this is possible in the general case, and I don't think this is a feature we'd want to add to Pundit.

What makes it possible in Rails controllers is that we have access to `after_action`: if sidekiq (or whatever other case you'd like to have this behaviour) has a similar hook then you could easily implement the same behaviour for that specific case by calling `verify_policy_scoped` after every job.

Bear in mind that `verify_policy_scoped` only provides a quite weak protection: all it checks is that `policy_scope` was called at least once - not that every query included `policy_scope`.
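The hook-based approach suggested above, as an added example that is not code from this thread or from Pundit itself: a Sidekiq-style server middleware that runs `verify_policy_scoped` after each job, the way an `after_action` does in a controller. The `ScopedJob` module is a constructed stand-in for the `Pundit::Authorization` methods involved (the gem's own versions may be protected, so calling them from middleware could need `send`), and the middleware, the two job classes and the `Post` data are hypothetical.

```ruby
# Constructed stand-in for the Pundit::Authorization methods this check needs.
# Method names mirror the gem's, but this is not the gem's code.
class PolicyScopingNotPerformedError < StandardError; end
module ScopedJob
  def policy_scope(scope)
    @_pundit_policy_scoped = true # the only fact verify_policy_scoped checks
    Object.const_get("#{scope.name}Policy::Scope").new(current_user, scope).resolve
  end

  def pundit_policy_scoped?; !!@_pundit_policy_scoped; end
  def verify_policy_scoped
    raise PolicyScopingNotPerformedError, self.class.name unless pundit_policy_scoped?
  end
end

# Hypothetical Sidekiq-style server middleware: the call(worker, job, queue) shape
# Sidekiq uses, running the check after the job as after_action does in Rails.
class VerifyPolicyScopedMiddleware
  def call(worker, _job, _queue)
    yield # if the job itself raises, its own error propagates untouched
    worker.verify_policy_scoped
  end
end

# Constructed sample data: an in-memory Post "table" and its policy scope.
User = Struct.new(:id)
Post = Struct.new(:id, :author_id)
def Post.all; [Post.new(1, 1), Post.new(2, 2), Post.new(3, 1)]; end
class PostPolicy
  class Scope
    def initialize(user, scope); @user, @scope = user, scope; end
    def resolve; @scope.all.select { |p| p.author_id == @user.id }; end
  end
end

# Two hypothetical jobs: one goes through policy_scope, the other forgets it.
ScopedReport = Struct.new(:current_user) do
  include ScopedJob
  def perform; policy_scope(Post).map(&:id); end
end
UnscopedReport = Struct.new(:current_user) do
  include ScopedJob
  def perform; Post.all.map(&:id); end # Post.all directly: nothing flags this
end

# Runs one job through the middleware and returns what perform produced.
def run_job(job)
  result = nil
  VerifyPolicyScopedMiddleware.new.call(job, {}, "default") { result = job.perform }
  result
end
```

A job that calls `policy_scope` once and then `Post.all` elsewhere still passes this check, which is exactly the weakness the reply describes.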
I'd like some level of backup that data is only ever accessed in an authorized way, probably with a raised exception if I forget to use `policy_scope`. This gives some level of comfort that data exposure doesn't happen by accident. Is there any way to achieve that?

More specifically, `Post.all` would throw an error, while `policy_scope(Post).all` would work fine.

This is in line with the enforcement spelled out in the README (Ensuring policies and scopes are used), but it could go further. There's no way to make sure that a scope isn't forgotten in, say, a Sidekiq job.

Is there a way to achieve that? If not, would you consider adding it, or even a PR to do so?