varvet / pundit

Minimal authorization through OO design and pure Ruby classes
MIT License

Safeguard verify_authorized and controllers inheritance #733

Closed pjezusek closed 2 months ago

pjezusek commented 2 years ago

Hello,

I have a problem with the verify_authorized method when I'm using inheritance in controllers. My project is divided into modules. Each module has a controller with some basic stuff, and the rest of the controllers inherit from it. For example:

class SomeModuleController < ApplicationController
  after_action :verify_authorized

  before_action :authorize_access

  def authorize_access
    authorize :some_module, :access?
  end
end

class SomeModule::SomeController < SomeModuleController
  # ...
  def show
    # ...
    authorize @some, :show?
  end
  # ...
end

And here comes the problem. When I run my tests, I would also like to check that authorize @some, :show? was not forgotten. But first I check (in the parent controller) whether a user has access to this module at all. This way verify_authorized won't raise any error, because there is always an authorization in the authorize_access method before any action.

I looked at the code, and the only way I see for now is to manage the @_pundit_policy_authorized flag manually, but maybe there is some 'official' way to achieve what I want.

Is there something I can do to make this safeguard suitable for my architecture?

PS: As this is my first question, I would like to thank you for this great gem.
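The false sense of safety described in the issue, reproduced as an added stand-alone example (not the issue author's code and not Pundit's own): a toy controller that mimics how `authorize` sets `@_pundit_policy_authorized` and how `verify_authorized` raises `AuthorizationNotPerformedError`, with a `run` helper standing in for the Rails callback chain and an assumed reset of the flag after the module-level check, which is the manual approach the post mentions.

```ruby
# Constructed stand-in for Pundit's verify_authorized mechanics (not the gem's
# code). Pundit's `authorize` sets @_pundit_policy_authorized and its
# `verify_authorized` raises when that flag is still unset after the action.
class AuthorizationNotPerformedError < StandardError; end

class FakeController
  def initialize
    @_pundit_policy_authorized = false
  end

  def authorize(_record, _query)
    @_pundit_policy_authorized = true
  end

  def verify_authorized
    raise AuthorizationNotPerformedError unless @_pundit_policy_authorized
  end

  # Simulates before_action -> action -> after_action. `reset_after_module_check`
  # is the assumed manual flag reset so the module-level check does not satisfy
  # the safeguard on behalf of the action.
  def run(action, reset_after_module_check: false)
    authorize_access                       # parent's before_action
    @_pundit_policy_authorized = false if reset_after_module_check
    public_send(action)                    # the action itself
    verify_authorized                      # after_action safeguard
    :ok
  end

  def authorize_access
    authorize :some_module, :access?
  end
end

class SomeController < FakeController
  def show
    authorize :some, :show?                # action-level check present
  end

  def index
    # action-level authorize forgotten
  end
end

# :ok when verify_authorized passes, :missing when the safeguard fires.
def outcome(action, reset:)
  SomeController.new.run(action, reset_after_module_check: reset)
rescue AuthorizationNotPerformedError
  :missing
end
```

Without the reset, the forgotten `authorize` in `index` goes undetected; with it, `verify_authorized` catches the omission while `show` still passes.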