Tags: ruby-on-rails-4, pundit, railsapps

How to set up authorization policies for two controllers using Pundit?


I'm learning Pundit using the RailsApps Pundit Tutorial and this statement from the tutorial totally confused me:

Given that the policy object is named UserPolicy, and we will use it for authorization from the Users controller, you might wrongly assume that the name of the policy object will always match the name of the controller. That is not the case.

  1. How can I create a policy (or set of policies) that allows users with the "role_a" to use the users_controller.index action and users with the "role_b" to use the orders_controller.index action?

    1.1 Does this require two different policies (UserPolicy and OrderPolicy) or should I name the index action for every controller differently to differentiate it on the UserPolicy?


Solution

  • Yes, it requires two different policies (UserPolicy and OrderPolicy).

    # user_policy.rb
    class UserPolicy
      attr_reader :current_user, :record

      # Pundit instantiates a policy as Policy.new(current_user, record),
      # so the constructor must accept both arguments.
      def initialize(current_user, record)
        @current_user = current_user
        @record = record
      end

      # Called by `authorize ..., :index?` (the query defaults to "#{action_name}?")
      def index?
        @current_user.role_a?
      end
    end


    And in your index method of users_controller

    def index
      @users = User.all
      # index has no params[:id]; authorize the class so Pundit
      # resolves UserPolicy#index? from the record (User), not from the controller
      authorize User
    end


    Same for OrderPolicy

    # order_policy.rb
    class OrderPolicy
      attr_reader :current_user, :record

      def initialize(current_user, record)
        @current_user = current_user
        @record = record
      end

      def index?
        @current_user.role_b?
      end
    end


    And in your index method of orders_controller

    def index
      @orders = Order.all
      # authorize the Order class so Pundit consults OrderPolicy#index?;
      # authorizing a User record here would select UserPolicy instead
      authorize Order
    end