Comments (4)
Oh, I think I just got it. Is this just a safeguard to make sure you realize your mistake in case you forgot to authorize your controller action?
Sorry (and feel free to close this issue) if this was just a misunderstanding!
@gabrielecirulli precisely!
Hi @jnicklas, I agree with @gabrielecirulli that this method definitely can give a false sense of security. The use of this after_action is a bit confusing/misleading. Is the original use case for developers to use this during development only to flag methods that don't call authorize? Is this to catch instances in production that don't call authorize? If the latter is the case, then the vulnerability will still exist for any state-changing controller action. If the former is the case, then does a developer just leave this in their code even though it shouldn't ever have any implications in production code? I went through the same thought process as @gabrielecirulli after reading that section.
I think at the very least, there should be an explicit warning in that section of the README for developers not to rely on this method in production and that state-changing actions will persist even after the exception is raised.
Is the original use case for developers to use this during development only to flag methods that don't call authorize?
Yes.
If the former is the case, then does a developer just leave this in their code even though it shouldn't ever have any implications in production code?
Yes. Because the whole point is that code changes, and someone else might do something which causes authorization not to be performed. It's a safety net. Removing it removes the safety net.
This method will raise an exception if authorize has not yet been called.
I'm not really sure how we can make this much clearer. If you actually read this section, I think it's pretty clear what this is for. I'd be open to a PR improving the documentation here if you feel strongly about it.
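The point both sides of the thread agree on (the after_action raises only after the action body has already run, so a forgotten authorize still lets the write through) is easy to demonstrate without Rails. The following is an added example, not code from Pundit or Rails: a minimal stand-in controller with after_action callbacks, an `authorize` that records that it was called and enforces a constructed "only the owner may act" rule, and a `verify_authorized` that raises when `authorize` never ran. The in-memory `RECORDS` hash, the user names and the controller classes are all constructed for the example.

```ruby
# Added example, not Pundit's or Rails' own code. It simulates Rails'
# after_action ordering to show that verify_authorized is a safety net
# that reports a missing authorize call, not a guard that prevents the
# action's side effects.
class NotAuthorizedError < StandardError; end
class AuthorizationNotPerformedError < StandardError; end

# Constructed in-memory "table" standing in for ActiveRecord.
RECORDS = {}

def reset_records!
  RECORDS.clear
  RECORDS[1] = { name: "quarterly-report", owner: "alice" }
end

class MiniController
  # after_action hooks run once the action body has returned, exactly
  # like Rails' after_action, so any writes the action made already happened.
  def self.after_action(name)
    (@after_actions ||= []) << name
  end

  def self.after_actions
    @after_actions || []
  end

  def initialize(current_user)
    @current_user = current_user
    @authorized = false
  end

  # Dispatches the action, then runs the after_action callbacks.
  def process(action)
    public_send(action)
    self.class.after_actions.each { |hook| send(hook) }
    :ok
  end

  # Stand-in for Pundit's `authorize`: remembers that it was called and
  # applies a constructed policy (only the record's owner may act).
  def authorize(record)
    @authorized = true
    raise NotAuthorizedError unless record[:owner] == @current_user
  end

  # Stand-in for Pundit's `verify_authorized`: raises if authorize never ran.
  def verify_authorized
    raise AuthorizationNotPerformedError unless @authorized
  end
end

# A controller whose destroy action forgot to call authorize.
class ForgetfulReportsController < MiniController
  after_action :verify_authorized

  def destroy
    RECORDS.delete(1) # the state change happens before the after_action runs
  end
end

# The same action with authorize called before the state change.
class ReportsController < MiniController
  after_action :verify_authorized

  def destroy
    authorize(RECORDS.fetch(1))
    RECORDS.delete(1)
  end
end

# Runs one destroy request against a fresh record set and reports both the
# outcome (:ok or the raised exception class) and whether the record survived.
def demo(controller_class, user)
  reset_records!
  outcome = begin
    controller_class.new(user).process(:destroy)
  rescue AuthorizationNotPerformedError, NotAuthorizedError => e
    e.class
  end
  { outcome: outcome, record_still_exists: RECORDS.key?(1) }
end

if __FILE__ == $PROGRAM_NAME
  p demo(ForgetfulReportsController, "mallory") # exception raised, record already gone
  p demo(ReportsController, "mallory")          # NotAuthorizedError, record kept
  p demo(ReportsController, "alice")            # :ok, record deleted by its owner
end
```

Running the forgetful controller as a non-owner shows the behaviour the thread describes: `verify_authorized` does raise, so the missing call is noticed (a 500 in a real app, a test failure in CI), but the record was already deleted by the time it ran. Only the version that calls `authorize` before the write actually keeps the non-owner from deleting it; the after_action remains useful as the net that catches the next developer who forgets that call.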