Authorize related object when using pundit gem about pundit HOT 3 CLOSED

If a user is allowed to view the user show action (e.g. for his own record), wouldn't that imply that he is allowed to view everything that is rendered on this page?

Also, if you want to hide specific links etc. based on a user's permission, you can check permissions in the view:

<% if policy(@post).create? %>
  <%= link_to "New post", new_post_path %>
<% end %>

from pundit.

Thanks for your reply! I think perhaps I have misunderstand some basic pundit concept. What I believed "authorize user, :show?" is model oriented. that is, if it passes, current_user is allowed to fetch record from model. But after saw your reply, I changed my mind to "authorize user, :show?" is controller oriented. If it passes, current_user can use show action and related show page. Am I right?

Another example I encountered is: Say I have datings controller and create action:

def create
  @dating = current_user.users.build params[:dating]
  authorize @dating
end

And I use ajax create.js.coffee to add dating to the view. For convenience, I prefer use render in js.coffee:

$('.datings').append('<%=j render @dating %>')

In dating.html.erb, I must show user name:

User name is<%= dating.user.basicinfo.name %>

As you can see, In this situation, After create dating I viewed @dating, @dating.user, @dating.user.basicinfo. If I use your explanation, it should be: because current_user can use create action, he can also use create.js.coffee, right? Thanks!

from pundit.

Yeah, controller-action oriented authorization is what you could describe pundit. Can this user create a post, which usually happens in the posts#create action. In the view however, pundit helps e.g. show or hide elements based on the user's permission. When fetching records, pundit's policy_scope helps fetch only records which the user has permission to load / view / work on.

In your app: If a user can create a dating / date with someone, shouldn't he / she allowed to automatically see date's name and information. You're just thinking about "authorizing the showing of the basic info" because you extracted stuff like name to another model.

Btw, I wouldn't want to write dating.user.basicinfo.name all the time, but delegate to the basicinfo and chain at most dating.user.name (always assuming all info is present).

class User < AR::B
  delegate :name, :birthday, to: :basicinfo
end

from pundit.