varvet / pundit

Minimal authorization through OO design and pure Ruby classes
MIT License

Why do I need to call authorize method in controller with pundit? #664

Closed jonibatista closed 3 years ago

jonibatista commented 3 years ago

I recently started using pundit in a project.

After reading the documentation, I started by creating an ApplicationPolicy and child policies to match my models.

Things were going fine and everything worked as expected, but I noticed that I was not calling the authorize method in my controllers' actions.

I read the docs again, along with lots of posts, but I still cannot tell whether calling authorize is mandatory or not.

Is it okay to rely only on the policy class? As far as I understood, I cannot use the authorize method without defining the policy class, so why should I use the authorize method in the controller? Isn't it already protected?

What am I missing?

Linuus commented 3 years ago

Pundit will do nothing unless you call authorize. Read: https://github.com/varvet/pundit#policies

Is it okay to rely only on the policy class? As far as I understood, I cannot use the authorize method without defining the policy class, so why should I use the authorize method in the controller?

I don't understand this. You must call authorize(your_resource) or nothing will be authorized. There's no magic here. Only creating policy classes won't protect anything.
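Linuus's point, as an added example that is not code from the pundit project: a stand-alone stand-in for the policy/authorize pattern that runs without Rails or the pundit gem. The method names mirror Pundit's public `authorize`, `verify_authorized` and `NotAuthorizedError`, but the `PostPolicy`, `User`, `Post` and controller classes are constructed here for illustration.

```ruby
class NotAuthorizedError < StandardError; end
User = Struct.new(:name, :admin)
Post = Struct.new(:owner)

# A policy is just a set of predicates; nothing consults it on its own.
class PostPolicy
  def initialize(user, post)
    @user, @post = user, post
  end
  def update?
    @user.admin || @post.owner == @user.name
  end
end

# Minimal controller stand-in: action_name picks the predicate ("update" -> "update?").
class PostsController
  def initialize(current_user, action_name)
    @current_user, @action_name, @authorized = current_user, action_name, false
  end
  # Looks up <Record>Policy, runs "<action>?", raises when it returns false.
  def authorize(record)
    policy = Object.const_get("#{record.class}Policy").new(@current_user, record)
    raise NotAuthorizedError, "#{@action_name}? denied" unless policy.public_send("#{@action_name}?")
    @authorized = true
    record
  end
  # Fail-closed guard: an action that finished without calling authorize is itself an error.
  def verify_authorized
    raise NotAuthorizedError, "authorize was never called" unless @authorized
  end
  # The situation the question describes: the policy exists but is never consulted.
  def update_unchecked(_post)
    :updated
  end
  def update_checked(post)
    authorize(post)
    :updated
  end
end

# Runs one controller action for the given user, then the fail-closed guard.
def run(user, action, post)
  c = PostsController.new(user, "update")
  result = c.public_send(action, post)
  c.verify_authorized
  result
rescue NotAuthorizedError => e
  e.message
end
```

In a real application the same guard is Pundit's `after_action :verify_authorized`, which turns a forgotten `authorize` call into an error instead of a silently open action.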

jonibatista commented 3 years ago

I found the answer to my question @Linuus.

There's a before_action filter in my application_controller that calls the authorize method. This approach works perfectly because that model is required in almost every request.

Thank you for the clarification and my apologies for wasting your time.