I am trying to add authorization via Pundit for my Proposal class.
I have all the creation of proposals, etc. set up, but I also have several states with aasm_gem for proposals: drafted, published and closed.
I want only users who own the proposal to be able to view the drafted proposal. Then on publish any users should be able to view the proposal.
How would I go about creating a Pundit policy that achieves this? I was not able to quite understand from the documentation. If I can see one example I should be able to figure it out.
I currently transition between states with this on the show page:
<%= button_to 'Publish Proposal', proposals_publish_path(@proposal), method: :put, class:"pull-right btn btn-primary btn-lg", style:"color:white; border: 0px; margin-top:15px;" %>
I already installed Pundit and ran the generator.
I don't know anything about the aasm_gem you're referring to, but from your description, something like this would work (I'm making up the published? and draft? methods since I don't know the actual API you're dealing with):
def show?
  return true if record.published?
  return true if record.draft? && user.id == record.user_id
  false
end
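A fuller version of the policy discussed above, as an added example that is not part of the original question or answer. It follows Pundit's `(user, record)` policy convention in plain Ruby so it runs without Rails; the `User` and `Proposal` structs are constructed stand-ins, and the `drafted?`/`published?`/`closed?` predicates are assumed to match the state names from the question.

```ruby
# Constructed stand-ins for the ActiveRecord models (assumption: Proposal has
# a user_id and a state that is one of drafted/published/closed).
User = Struct.new(:id)
Proposal = Struct.new(:user_id, :state) do
  # One predicate per state, emulating what the state machine would provide.
  %w[drafted published closed].each do |s|
    define_method("#{s}?") { state == s }
  end
end

# Pundit convention: a policy is built from (user, record) and answers
# query methods such as show?.
class ProposalPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def show?
    return true if record.published?
    return true if record.drafted? && owner?
    false # default deny: closed proposals and other users' drafts
  end

  # Same rule applied to a collection, so list pages cannot leak drafts.
  # With ActiveRecord this would be a query; an Array is used here.
  class Scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      @scope.select { |proposal| ProposalPolicy.new(@user, proposal).show? }
    end
  end

  private

  # A signed-out visitor arrives as user == nil, and unsaved records have nil
  # ids; nil must never compare equal to an owner.
  def owner?
    !user.nil? && !user.id.nil? && user.id == record.user_id
  end
end
```

In a controller, Pundit's `authorize @proposal` in the `show` action calls `show?`, and `policy_scope(Proposal)` calls `Scope#resolve`.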