Closed jonibatista closed 4 years ago
Pundit will do nothing unless you call authorize.
Read: https://github.com/varvet/pundit#policies
Is it okay to rely only on the class policy? As far as I understood, I cannot use the authorize method without defining the class policy; thus, why should I use the authorize method in the controller?
I don't understand this. You must call authorize(your_resource) or nothing will be authorized. There's no magic here. Only creating policy classes won't protect anything.
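An added illustration of the point above, not part of this thread and not Pundit's own code: a policy class only describes a rule, and nothing is enforced until the controller calls authorize. `PostsController`, `PostPolicy`, `destroy_unchecked` and `destroy_checked` are hypothetical names, and the `authorize` and `verify_authorized` methods here are simplified stand-ins modelled on Pundit's documented helpers.

```ruby
# Simplified stand-in for Pundit's controller helpers (assumption: this is not
# Pundit's code; it only mirrors the documented authorize / verify_authorized idea).
class NotAuthorizedError < StandardError; end
class AuthorizationNotPerformedError < StandardError; end

User = Struct.new(:name, :admin)
Post = Struct.new(:title, :owner)

# Policy class: describes the rule, but enforces nothing by itself.
PostPolicy = Struct.new(:user, :record) do
  def destroy?
    user.admin || record.owner == user
  end
end

class PostsController
  def initialize(current_user)
    @current_user = current_user
    @authorized = false
  end

  # Looks up "<Model>Policy" by naming convention and asks it the query method.
  def authorize(record, query)
    @authorized = true
    policy = Object.const_get("#{record.class.name}Policy").new(@current_user, record)
    raise NotAuthorizedError, "not allowed to #{query} this #{record.class}" unless policy.public_send(query)
    record
  end

  # Safety net run after an action: fails if the action never called authorize.
  def verify_authorized
    raise AuthorizationNotPerformedError unless @authorized
  end

  # Policy exists, but is never consulted: any user gets through.
  def destroy_unchecked(post)
    "deleted #{post.title}"
  end

  # Policy is enforced because authorize is called before acting.
  def destroy_checked(post)
    authorize(post, :destroy?)
    "deleted #{post.title}"
  end
end
```

Running a `verify_authorized`-style check after every action turns a forgotten authorize call into an error during development instead of a silent gap.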
I found the answer to my question @Linuus.
There's a before_action filter in my application_controller that calls the authorize method. This approach works perfectly because that model is required in almost every request.
Thank you for the clarification and my apologies for wasting your time.
I recently started using Pundit in a project.
After reading the documentation, I started by creating an ApplicationPolicy and its child policies to match my models.
Things were going fine, everything works as expected, but I noticed that I am not calling the authorize method in my controllers' actions.
I read the doc again and lots of posts but I cannot clarify if it's mandatory to call authorize or not.
Is it okay to rely only on the class policy? As far as I understood, I cannot use the authorize method without defining the class policy; thus, why should I use the authorize method in the controller? Isn't it already protected?
What am I missing?