I got this error today when I tried to use some helper methods for the users controller:
AbstractController::DoubleRenderError (Render and/or redirect were called multiple times in this action. Please note that you may only call render OR redirect, and
at most once per action. Also note that neither redirect nor render terminate execution of the action, so if you want to exit an action after redirecting, you need
to do something like "redirect_to(...) and return".)
I put this following helpers in application_controller.rb :
class ApplicationController < ActionController::Base
def current_user
User.find_by :id=>session[:user_id]
end
def log_in?
!!session[:user_id]
end
def log_in_first
if !log_in?
session[:error]="You have to log in first to continue your operation"
redirect_to("/login") and return
end
end
def correct_user?
if !(current_user.id.to_s==params[:id])
session[:error]="You have no right to do this operation."
redirect_to "/"
return
end
end
end
and here is the user_controller.rb:
class UsersController < ApplicationController
def new
#user = User.new
end
def create
#user = User.new(user_params)
if #user.save
session[:user_id]=#user.id
redirect_to user_path(#user)
else
render 'new'
end
end
def show
log_in_first
#user = User.find_by id: params[:id]
correct_user?
if #user
render 'show'
else
redirect_to '/login'
end
end
private
def user_params
params.require(:user).permit(:name,:password,:email,:email_confirmation)
end
end
As you can see I tried to use both return and and return in log_in_first and correct_user?to fix the problem but it still doesn't work. Does anyone have any ideas?
The problem is in the show action, log_in_first redirects then the show action does whatever it wants, which is redirect or render. This is causing the error.
A better solution is to use before_action for your authentication and authorization and just let the user controller actions do their thing. Something like the below.
class ApplicationController < ActionController::Base
def current_user
User.find_by :id=>session[:user_id]
end
def log_in?
!!session[:user_id]
end
def authenticate_user!
if !log_in?
session[:error]="You have to log in first to continue your operation"
redirect_to("/login")
end
end
def authorize_user!
unless current_user&.id.to_s==params[:id]
session[:error]="You have no right to do this operation."
redirect_to "/"
end
end
end
class UsersController < ApplicationController
before_action :authenticate_user!, only: [:show]
before_action :authorize_user!, only: [:show]
def new
#user = User.new
end
def create
#user = User.new(user_params)
if #user.save
session[:user_id]=#user.id
redirect_to user_path(#user)
else
render 'new'
end
end
def show
#user = User.find_by id: params[:id]
render 'show'
end
private
def user_params
params.require(:user).permit(:name,:password,:email,:email_confirmation)
end
end
I'm using Pundit with Rails, and I have a controller that I need to completely restrict from a specific user role. My roles are "Staff" and "Consumer." The staff should have full access to the controller, but the consumers should have no access.
Is there a way to do this that is more DRY than restricting each action one-by-one?
For instance, here is my policy:
class MaterialPolicy < ApplicationPolicy
attr_reader :user, :material
def initialize(user, material)
#user = user
#material = material
end
def index?
user.staff?
end
def show?
index?
end
def new?
index?
end
def edit?
index?
end
def create?
index?
end
def update?
create?
end
def destroy?
update?
end
end
And my controller:
class MaterialsController < ApplicationController
before_action :set_material, only: [:show, :edit, :update, :destroy]
# GET /materials
def index
#materials = Material.all
authorize #materials
end
# GET /materials/1
def show
authorize #material
end
# GET /materials/new
def new
#material = Material.new
authorize #material
end
# GET /materials/1/edit
def edit
authorize #material
end
# POST /materials
def create
#material = Material.new(material_params)
authorize #material
respond_to do |format|
if #material.save
format.html { redirect_to #material, notice: 'Material was successfully created.' }
else
format.html { render :new }
end
end
end
# PATCH/PUT /materials/1
def update
authorize #material
respond_to do |format|
if #material.update(material_params)
format.html { redirect_to #material, notice: 'Material was successfully updated.' }
else
format.html { render :edit }
end
end
end
# DELETE /materials/1
def destroy
authorize #material
#material.destroy
respond_to do |format|
format.html { redirect_to materials_url, notice: 'Material was successfully destroyed.' }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_material
#material = Material.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def material_params
params.require(:material).permit(:name)
end
end
Is there a way to do this that I'm not understanding, or is that how Pundit is designed, to require you to be explicit?
The first step is just to move the call to authorize to your callback:
def set_material
#material = Material.find(params[:id])
authorize #material
end
You can also write #material = authorize Material.find(params[:id]) if your Pundit version is up to date (previous versions returned true/false instead of the record).
Pundit has a huge amount of flexibility in how you choose to use it. You could for example create a separate headless policy:
class StaffPolicy < ApplicationPolicy
# the second argument is just a symbol (:staff) and is not actually used
def initialize(user, symbol)
#user = user
end
def access?
user.staff?
end
end
And then use this in a callback to authorize the entire controller:
class MaterialsController < ApplicationController
before_action :authorize_staff
# ...
def authorize_staff
authorize :staff, :access?
end
end
Or you can just use inheritance or mixins to dry your policy class:
class StaffPolicy < ApplicationPolicy
%i[ show? index? new? create? edit? update? delete? ].each do |name|
define_method name do
user.staff?
end
end
end
class MaterialPolicy < StaffPolicy
# this is how you would add additional restraints in a subclass
def show?
super && some_other_condition
end
end
Pundit is after all just plain old Ruby OOP.
Pundit doesn't require you to be explicit, but it allows it. If the index? method in your policy wasn't duplicated, you'd want the ability to be explicit.
You can start by looking at moving some of the authorization checks into the set_material method, that cuts down over half of the checks.
The other half could be abstracted out into other private methods if you wanted, but I think they're fine as-is.
You could also look at adding a before_action callback to call the authorizer based on the action name, after you've memoized #material via your other callback, but readability is likely to suffer.
Use the second argument for the authorize method. Eg:
authorize #material, :index?
You can now remove all the other methods that just calls index?
I am trying to learn how to use Pundit with my Rails 4 app.
I have the following models:
class User < ActiveRecord::Base
has_one :profile
has_many :eois
end
class Profile < ActiveRecord::Base
belongs_to :user
has_many :projects, dependent: :destroy
end
class Project < ActiveRecord::Base
belongs_to :profile
has_many :eois
end
class Eoi < ActiveRecord::Base
belongs_to :project
belongs_to :user
end
I have a scoped EoiPolicy with:
class EoiPolicy < ApplicationPolicy
class Scope
attr_reader :user, :scope
def initialize(user, scope)
#user = user
#scope = scope
end
def resolve
if user.profile.project.id == #eoi.project_id?
scope.where(project_id: #user.profile.project.id)
elsif user.id == eoi.user_id?
scope.where(user_id: user.id)
else
nil
end
end
end
def index?
user.profile.project.id == #eoi.project_id? or user.id == eoi.user_id?
end
def new?
true
end
def show?
user.profile.project.id == #eoi.project_id? or user.id == eoi.user_id?
end
def edit?
user.id == eoi.user.id?
end
def create?
true
end
def update?
user.id == eoi.user.id?
end
def destroy?
user.id == eoi.user.id?
end
end
In my EoisController, I have tried to use the scope with:
def index
# #eois = #project.eois
#eois = policy_scope(Eoi)
# #eois = Eois.find_by_project_id(params[:project_id])
end
Then in my view/eois/index, I have tried to display the index with:
<% policy_scope(#user.eois).each do |group| %>
I can't get this to work. The error message highlights this line of my scope method in the policy:
if user.profile.project.id == #eoi.project_id?
To me, this looks correct, although I'm still trying to figure this out. Can anyone see what needs to happen to make this work, so that if the user is the user, who's profile owns the relevant project, all eois relating to that project are visible.
Otherwise, if the user is the user who created the eoi, then all eois they have created are visible?
The error message says:
undefined method `project' for #<Profile:0x007fa03f3faf48>
Did you mean? projects
projects=
I'm wondering if that's because an index will have many records, it needs to show something different in the policy to recognise the plurality?
I have also tried replacing that line with:
if #eoi.project_id == #user.profile.project.id?
although that is also wrong and gives
undefined method `project_id' for nil:NilClass
Did you mean? object_id
I also tried making the scope:
def resolve
# cant figure what is wrong with this
if eoi.project_id == user.profile.project.id?
scope.where(project_id: #user.profile.project.id)
else
nil
end
end
but that's also wrong and gives this error:
undefined local variable or method `eoi' for #<EoiPolicy::Scope:0x007ffb505784f8>
I also tried:
def resolve
# cant figure what is wrong with this
if #eoi.project_id == user.profile.project.id? or Eoi.project_id == user.profile.project.id?
scope.where(project_id: #user.profile.project.id)
elsif user.id == eoi.user_id?
scope.where(user_id: user.id)
else
nil
end
end
end
def index?
user.profile.project.id == Eoi.project_id? or user.id == Eoi.user_id?
end
but that attempt gives this error message:
undefined method `project_id' for nil:NilClass
Did you mean? object_id
CURRENT THOUGHT
I think I need to pass more than user and scope to the scope method. If I can also pass project, then I can make the scope referable to the project to which the EoI relates.
If I could have this working, then maybe I could get the scope method to work for the index view on the controller:
class Scope
attr_reader :user, :scope
def initialize(user, scope, project)
#user = user
#scope = scope
#project = project
end
end
then in the controller:
def index
# #eois = #project.eois
#eois = policy_scope(Eoi, #project)
# authorize #eois
# #eois = Eois.find_by_project_id(params[:project_id])
end
This doesnt work, when I try I get an error saying that the policy
wrong number of arguments (given 2, expected 1)
Please help!
NEXT ATTEMPT
My next attempt is to try taking the suggestions from [this]Pundit issue and implement that idea for how to get the right scope for a particular user.
In my Eoi Policy, I changed the resolve method to:
class Scope
attr_reader :user, :scope
def initialize(user, scope) #project
#user = user
#scope = scope
# #project = project
end
def resolve
# if Eoi.project_id == user.profile.project.id? or Eoi.project_id == user.profile.project.id?
if user.id == eoi.projects.profile.user.map(&:id)
scope.joins(eois: :projects).where(project_id: user.profile.projects.map(&:id)).empty?
# if scope.eoi.project_id == user.profile.projects.map(&:id)
# scope.where(project_id: user.profile.projects.map(&:id)).empty?
# scope.where(project_id: user.profile.project.id)
# elsif user.id == eoi.user_id?
# scope.where(user_id: user.id)
else
# nil
end
end
end
Then in my eoi controller index action, I tried this:
def index
# #eois = #project.eois
# #eois = policy_scope(Eoi, #project)
policy_scope(Eoi).where(project_id: params[:project_id])
# authorize #eois
# #eois = Eois.find_by_project_id(params[:project_id])
end
That doesnt work either. The error message for this attempt says:
undefined local variable or method `eoi' for #<EoiPolicy::Scope:0x007f98677c9cf8>
Im out of ideas for things to try. Can anyone see a way to give the scope the right inputs to set this up?
OBSERVATION
I have noticed that a lot of the repos on github that use Pundit with scopes also include a method like this:
def scope
Pundit.policy_scope!(user, record.class)
end
That method is in addition to the Scope class and isn't shown in the Pundit gem docs. If that is necessary to include, what does it do?
1
REWRITE
I've now looked through more than 200 repos on github for insight into how I'm supposed to write a policy to meet my objectives. I'm out of ideas for how to use Pundit as intended.
I've changed my setup completely to try and work around the bits I can't understand. I now have:
Eois Controller
class EoisController < ApplicationController
def index
#eois = Eoi.by_user_id(current_user.id)
end
end
Projects:: Eois controller
module Projects
class EoisController < ApplicationController
before_action :get_project
before_action :set_eoi, only: [:edit, :update, :destroy]
# after_action :verify_authorized
def index
#eois = Project.by_user_id(current_user.id).find_by(id: params[:project_id]).try(:eois) || []
end
def show
#eoi = Eoi.find(params[:id])
authorize #eoi
end
def set_eoi
#eoi = EoiPolicy::Scope.new(current_user, params[:project_id]).resolve.find(params[:id])
end
def get_project
#project = Project.find(params[:project_id])
end
Eoi Policy (to decide when to show all eois made by a user)
class EoiPolicy < ApplicationPolicy
class Scope
attr_reader :user, :scope
def initialize(user, scope)
#user = user
#scope = scope
end
def resolve
if scope.present?
Eoi.by_user_id(user.id)
# end
else
[]
end
end
end
def index?
user.profile.project.id == Eoi.project_id? or user.id == Eoi.user_id?
end
def new?
true
end
def show?
record.user_id == user.id || user.profile.project_id == record.project_id
# user.profile.project.id == #eoi.project_id? or user.id == eoi.user_id?
end
def edit?
user.id == eoi.user.id?
end
def create?
true
end
def update?
user.id == eoi.user.id?
end
def destroy?
user.id == eoi.user.id?
end
end
Routes
resources :eois
resources :projects do
member do
resources :eois, controller: 'projects/eois
end
When I want to show EoIs that are submitted in relation to a project, I use the Projects Eoi Policy and when I want to show the Eois that a user has created, I use the Eoi Policy -- no scopes.
I would love to figure this out so I can use this gem the way it is intended. Advice would be greatly appreciated. I'm sure this attempt isn't what Pundit is meant for - but I can't figure out how to use this gem as shown in the docs.
I can't use policy_scope because I need to pass the project_id param into the index action for the projects eoi controller index action.
PaReeOhNos SUGGESTION
My attempt at trying to implement PareeOhNos suggestion is set out below. I'm not sure I understand it properly because eois will always have a project id and a user id, but maybe I'm not getting the point of what the load_parent method is doing.
In my Eois Controller, I have:
class EoisController < ApplicationController
before_action :load_parent
before_action :load_eoi, only: [:show, :edit, :update, :destroy]
def index
authorize #parent
#eois = EoiPolicy::Scope.new(current_user, #parent).resolve
end
def show
end
# GET /eois/new
def new
#project = Project.find(params[:project_id])
#eoi = #project.eois.build
#contribute = params[:contribute] || false
#participate = params[:participate] || false
#partner = params[:partner] || false
#grant = params[:grant] || false
#invest = params[:invest] || false
end
# GET /eois/1/edit
def edit
end
# POST /eois
# POST /eois.json
def create
#eoi = Project.find(params[:project_id]).eois.build(eoi_params)
#eoi.user_id = #current_user.id
respond_to do |format|
if #eoi.save
format.html { redirect_to Project.find(params[:project_id]), notice: 'Eoi was successfully created.' }
format.json { render :show, status: :created, location: #project }
else
format.html { render :new }
format.json { render json: #eoi.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /eois/1
# PATCH/PUT /eois/1.json
def update
respond_to do |format|
if #eoi.update(eoi_params)
format.html { redirect_to #project, notice: 'Eoi was successfully updated.' }
format.json { render :show, status: :ok, location: #eoi }
else
format.html { render :edit }
format.json { render json: #eoi.errors, status: :unprocessable_entity }
end
end
end
# DELETE /eois/1
# DELETE /eois/1.json
def destroy
#eoi.destroy
respond_to do |format|
format.html { redirect_to #project, notice: 'Eoi was successfully destroyed.' }
format.json { head :no_content }
end
end
private
def load_parent
# #parent = (params[:project_id] ? Project.find(params[:project_id] : current_user)
#parent = params[:project_id] ? Project.find(params[:project_id]) : current_user
end
def load_eoi
#eoi = Eoi.find(params[:id])
authorize #eoi
end
In my Eoi Policy, I have:
class EoiPolicy < ApplicationPolicy
class Scope
attr_reader :user, :scope
def initialize(user, scope)
#user = user
#scope = scope
end
def resolve
if scope.is_a?(User)
Eoi.where(user_id: scope.id)
elsif scope.is_a?(Project)
Eoi.where(project_id: scope.id)
else
[]
end
end
end
def index?
record.is_a?(User) || user.profile.project.id == record.project_id
end
def new?
true
end
def show?
record.user_id == user.id || user.profile.project_id == record.project_id
end
def edit?
user.id == eoi.user.id?
end
def create?
true
end
def update?
user.id == eoi.user.id?
end
def destroy?
user.id == eoi.user.id?
end
end
In my routes.rb, I have:
resources :projects do
member do
resources :eois, shallow: true
resources :eois, only: [:index]
In my eois/index, I have:
<% #eois.sort_by(&:created_at).in_groups_of(2) do |group| %>
<% group.compact.each do |eoi| %>
<h4><%= link_to eoi.user.full_name %></h4>
<%= link_to 'VIEW DETAILS', eoi_path(eoi), :class=>"portfolio-item-view" %>
<% end %>
<% end %>
In my eois/ show, I have:
"test"
When I try all this, the eois/index page loads. When I try to show a specific eoi page, I get an error that says:
wrong number of arguments (given 2, expected 0)
the error message points to authorise #eoi line of the controller:
def load_eoi
#eoi = Eoi.find(params[:id])
authorize #eoi
end
The same error arises if I put authorize #eoi in the show action instead of the load eoi method.
APPLICATION POLICY HAS
class ApplicationPolicy
attr_reader :user, :scope
class Scope
def initialize(user, scope)
#byebug
#user = user
# record = record
#scope = scope
end
def resolve
scope
end
end
def index?
false
end
def show?
scope.where(:id => record.id).exists?
end
def create?
false
end
def new?
create?
end
def update?
false
end
def edit?
update?
end
def destroy?
false
end
def scope
Pundit.policy_scope!(user, record.class)
end
NEXT ATTEMPT
Taking PaReeOhNos suggestion (copied above), I've tried to adapt it a bit to better fit my use cases.
Now, I have:
Eoi controller
class EoisController < ApplicationController
# before_action :get_project
# before_action :set_eoi, only: [:show, :edit, :update, :destroy]
before_action :load_parent
before_action :load_eoi, only: [:show, :edit, :update, :destroy]
# GET /eois
# GET /eois.json
# def index
# #eois = #project.eois
# # #eois = Eois.find_by_project_id(params[:project_id])
# end
def index
# authorize #parent
#eois = policy_scope(Eoi.where(project_id: params[:project_id]))
# #eois = EoiPolicy::Scope.new(current_user, #parent).resolve
end
# GET /eois/1
# GET /eois/1.json
def show
end
# GET /eois/new
def new
#project = Project.find(params[:project_id])
#eoi = #project.eois.build
#contribute = params[:contribute] || false
#participate = params[:participate] || false
#partner = params[:partner] || false
#grant = params[:grant] || false
#invest = params[:invest] || false
end
# GET /eois/1/edit
def edit
end
# POST /eois
# POST /eois.json
def create
#eoi = Project.find(params[:project_id]).eois.build(eoi_params)
#eoi.user_id = #current_user.id
respond_to do |format|
if #eoi.save
format.html { redirect_to Project.find(params[:project_id]), notice: 'Eoi was successfully created.' }
format.json { render :show, status: :created, location: #project }
else
format.html { render :new }
format.json { render json: #eoi.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /eois/1
# PATCH/PUT /eois/1.json
def update
respond_to do |format|
if #eoi.update(eoi_params)
format.html { redirect_to #project, notice: 'Eoi was successfully updated.' }
format.json { render :show, status: :ok, location: #eoi }
else
format.html { render :edit }
format.json { render json: #eoi.errors, status: :unprocessable_entity }
end
end
end
# DELETE /eois/1
# DELETE /eois/1.json
def destroy
#eoi.destroy
respond_to do |format|
format.html { redirect_to #project, notice: 'Eoi was successfully destroyed.' }
format.json { head :no_content }
end
end
private
def load_parent
# #parent = (params[:project_id] ? Project.find(params[:project_id] : current_user)
#parent = params[:project_id] ? Project.find(params[:project_id]) : current_user
end
def load_eoi
#eoi = Eoi.find(params[:id])
# authorize #eoi
end
Eoi policy
class EoiPolicy < ApplicationPolicy
class Scope
attr_reader :user, :scope
def initialize(user, scope)
#user = user
#scope = scope
end
def resolve
# since we send the scoped eois from controller, we can pick
# any eoi and get its project id
# check if the current user is the owner of the project
# if (user.profile.projects.map(&:id).include?(project_id))
# # user is the owner of the project, get all the eois
# scope.all
# end
# #not the owner , then get only the eois created by the user
# scope.where(user_id: user.id)
# end
if scope.is_a?(User)
Eoi.where(user_id: scope.id)
elsif scope.is_a?(Project) && (user.profile.projects.map(&:id).include?(project_id))
project_id = scope.first.project_id
Eoi.where(project_id: scope.id)
else
Eoi.none
end
end
end
def index?
record.is_a?(User) || user.profile.project.id == record.project_id
end
def new?
true
end
def show?
record.user_id == user.id || user.profile.project_id == record.project_id
end
def edit?
user.id == eoi.user.id?
end
def create?
true
end
def update?
user.id == eoi.user.id?
end
def destroy?
user.id == eoi.user.id?
end
end
Routes
resources :eois#, only: [:index]
concern :eoiable do
resources :eois
end
resources :projects do
concerns :eoiable
end
Index
<% #eois.sort_by(&:created_at).in_groups_of(2) do |group| %>
<% group.compact.each do |eoi| %>
<h4><%= link_to eoi.user.full_name %></h4>
<%= link_to 'VIEW DETAILS', project_eoi_path(eoi.project, eoi), :class=>"portfolio-item-view" %>
<% end %>
<% end %>
View
'test'
This isn't working, because when I navigate to a project and then try to render the index of eois that have a matching project id, I get an empty index page, when I have 4 records in my database that should be rendered.
LEITO'S SUGGESTION
Taking Leito's suggestion, I've also tried this:
Eoi Controller
class EoisController < ApplicationController
before_action :get_project
before_action :set_eoi, only: [:show, :edit, :update, :destroy]
# before_action :load_parent
# before_action :load_eoi, only: [:show, :edit, :update, :destroy]
# GET /eois
# GET /eois.json
# def index
# #eois = #project.eois
# # #eois = Eois.find_by_project_id(params[:project_id])
# end
def index
# authorize #eois
# authorize #parent
# policy_scope(#project.eois)
#eois = policy_scope(Eoi.where(project_id: params[:project_id]))
# #eois = EoiPolicy::Scope.new(current_user, #parent).resolve
end
# GET /eois/1
# GET /eois/1.json
def show
end
# GET /eois/new
def new
#project = Project.find(params[:project_id])
#eoi = #project.eois.build
#contribute = params[:contribute] || false
#participate = params[:participate] || false
#partner = params[:partner] || false
#grant = params[:grant] || false
#invest = params[:invest] || false
end
# GET /eois/1/edit
def edit
end
# POST /eois
# POST /eois.json
def create
#eoi = Project.find(params[:project_id]).eois.build(eoi_params)
#eoi.user_id = #current_user.id
respond_to do |format|
if #eoi.save
format.html { redirect_to Project.find(params[:project_id]), notice: 'Eoi was successfully created.' }
format.json { render :show, status: :created, location: #project }
else
format.html { render :new }
format.json { render json: #eoi.errors, status: :unprocessable_entity }
end
end
end
# PATCH/PUT /eois/1
# PATCH/PUT /eois/1.json
def update
respond_to do |format|
if #eoi.update(eoi_params)
format.html { redirect_to #project, notice: 'Eoi was successfully updated.' }
format.json { render :show, status: :ok, location: #eoi }
else
format.html { render :edit }
format.json { render json: #eoi.errors, status: :unprocessable_entity }
end
end
end
# DELETE /eois/1
# DELETE /eois/1.json
def destroy
#eoi.destroy
respond_to do |format|
format.html { redirect_to #project, notice: 'Eoi was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# def load_parent
# # #parent = (params[:project_id] ? Project.find(params[:project_id] : current_user)
# #parent = params[:project_id] ? Project.find(params[:project_id]) : current_user
# end
# def load_eoi
# #eoi = Eoi.find(params[:id])
# # authorize #eoi
# end
# # Use callbacks to share common setup or constraints between actions.
def set_eoi
#eoi = Eoi.find(params[:id])
end
def get_project
#project = Project.find(params[:project_id])
end
Eoi Policy
def initialize(user, scope)
#user = user
#scope = scope
end
def resolve
if scope.joins(project: :profile).where profiles: { user_id: user }
Eoi.where(project_id: scope.ids)
elsif scope.joins(eoi: :user).where eois: { user_id: user }
Eoi.where(user_id: scope.ids)
else
Eoi.none
end
# since we send the scoped eois from controller, we can pick
# any eoi and get its project id
# check if the current user is the owner of the project
# if (user.profile.projects.map(&:id).include?(project_id))
# # user is the owner of the project, get all the eois
# scope.all
# end
# #not the owner , then get only the eois created by the user
# scope.where(user_id: user.id)
# end
# if scope.is_a?(User)
# Eoi.where(user_id: scope.id)
# elsif scope.is_a?(Project) && (user.profile.projects.map(&:id).include?(project_id))
# project_id = scope.first.project_id
# Eoi.where(project_id: scope.id)
# else
# Eoi.none
# end
end
end
def index?
true
# record.is_a?(User) || user.profile.project.id == record.project_id
end
def new?
true
end
def show?
true
# record.user_id == user.id || user.profile.project_id == record.project_id
end
def edit?
user.id == eoi.user.id?
end
def create?
true
end
def update?
user.id == eoi.user.id?
end
def destroy?
user.id == eoi.user.id?
end
end
The routes and views are the same as the attempt above
The problem here is with the get project method in my controller. I need that for the scenario where Im trying to show all the eois on a specific project. I don't need it when I'm trying to show all of a user's eois.
When I save all this and try it, the eois on a project show correctly. However the eois (not nested inside a project) that are supposed to show me all of my (as a user) eois, shows an error that says:
Couldn't find Project with 'id'=
The error message highlights the 'get_project method'.
LEITO'S UPDATED SUGGESTION
Taking Leito's updated suggestion, I have set out the current attempt.
Before doing so, I want to clarify that all Eois will have both a user id and a project id. I use this table for users to express interest in projects. My objective is to have the user whose profile owns the project to see all eois submitted on that project. Then, I also want users to see all of their own eois submitted (across all projects).
Eoi Policy
def resolve
if scope.joins(project: :profile).where 'profiles.user_id = ? OR eois.user_id = ?', user.id, user.id
Eoi.all
else
Eoi.none
end
Eoi controller
def index
#eois = policy_scope(Eoi)
#eois = #eois.where(project_id: params[:project_id]) if params[:project_id]
end
Currently this works fine in finding the eois that are nested under a project (project/26/eois). However, when I try to do eois/index (not nested under project), which I want to return all the user's eois, I get an error that says:
Couldn't find Project with 'id'=
It highlights this line of the eoi controller:
def get_project
#project = Project.find(params[:project_id])
end
I'm not sure I understand the resolve method or the controller culling idea now. I can't see what's wrong with the scope line to see what to try changing.
I'm the previous commenter on that issue.
For your EoiScope, you simply want what Eois the user has access to (because they belong to projects under this profile), independent from the project (this requirement is only for the controller, because is nested), so your controller should look something like this:
Edit: Based on your latest attempt, I've updated the scope to account for Eois belonging directly to the user (not through a project) and you should simply scope it to a project or not based on the presence of params[:project_id], see updated answer.
#eois = policy_scope(Eoi)
#eois = #eios.where(project_id: params[:project_id]) if params[:project_id]
And your scope should do joins until it reaches user or simply look for the user_id property on Eoi.
class EoiPolicy < ApplicationPolicy
class Scope < Scope
def resolve
scope.joins(project: : profile).where 'profiles.user_id = ? OR eois.user_id = ?', user.id, user.id
end
end
# Other methods that differ from ApplicationPolicy's methods
end
Please note, Scope isn't calling eoi, but default* scope only knows about scope and user. * By default, I mean when it inherits from ApplicationPolicy::Scope
In your first example, there's a couple of issues. Firstly, #eoi does not exist, and can't exist. The #eoi variable is set in the controller, and this is a different object. It doesn't work in the same way as your views where this is accessible, so this will never be set.
Equally, the eoi variable will not be set, as your initialize method is only assigning the user and resource variables, so they're the only two you have access to (unless you rename)
The scope in the policy works a little differently to how you think it works. The policy itself generally takes the user logged in, and a class, or a record that you are authorising. The scope however, doesn't normally take a record as the second argument. It is a scope, so either an active record sub-class, or a relation. You're not restricted to this however, and you could work around it by supplying a record but do note this is not normal behaviour for Pundit.
In order to achieve what you're after, you should only have to make a few adjustments:
class EoiPolicy < ApplicationPolicy
class Scope
attr_reader :user, :eoi
def initialize(user, eoi)
#user = user
#eoi = eoi
end
def resolve
if user.profile.project.id == eoi.project_id
Eoi.where(project_id: user.profile.project.id)
elsif user.id == eoi.user_id
Eoi.where(user_id: user.id)
else
nil
end
end
end
def index?
user.profile.project.id == record.project_id or user.id == record.user_id
end
def new?
true
end
def show?
user.profile.project.id == record.project_id? or user.id == record.user_id
end
def edit?
user.id == record.user.id
end
def create?
true
end
def update?
user.id == record.user.id
end
def destroy?
user.id == record.user.id
end
end
The main changes here are that the attr_reader :user, :scope is now attr_reader :user, :eoi which will give you access to eoi within that scope.
Access to this is no longer prefixed with # as this is in-line with how pundit works.
Throughout the rest of the policy, #eoi again cannot work, but this has been changed to record (assuming this is what it is in ApplicationPolicy). Please bear in mind the the Scope, and the rest of the policy are two different classes.
With this setup, you should now be able to simply call policy_scope(#eoi) from within your controller. Note the usage of the #eoi variable here and NOT the Eoi class as before. This is crucial, as without this, you won't have access to things like user_id or project_id as those methods don't exist in the Eoi class, but only a record.
I've also removed the ? symbols from the end of your if conditions. These are generally used to signify that the method being called returns a boolean, whereas you had them on the end of something that simply returns an integer. I'd imagine you'd actually get an error saying the method doesn't exist but if you've renamed things then you may want to put them back, but as I say that does go against ruby coding styles.
And on a side-note, using or or and in statements instead of || or && can on the odd occasion behave differently to how you expect. In most scenarios it's fine, but it doesn't technically mean the same thing.
Hope this all helps, let me know if you have any further issues with it.
For others, I'm not sure if this is a solution that makes use of Pundit in the way it was intended, however it does generate the flows that I want, within the limits of my ability.
Thank you to everyone who helped on this. I'm sure I've still got lots to learn about how to improve this, but for now, this is a solution that works.
In summary - I now have two policies for 1 controller.
Eoi Policy
class EoiPolicy < ApplicationPolicy
class Scope
def initialize(user, scope)
#user = user
#scope = scope
end
def resolve
# selects all the EOI's for a given user
#scope.where(user_id: #user.id)
end
end
def index?
true
end
Project Eoi Policy
class ProjectEoiPolicy < ApplicationPolicy
class Scope < Scope
def resolve(project_id)
project = Project.find(project_id)
if project.owner?(#user)
# if the user is the owner of the project, then get
# all the eois
project.eois
else
# select all the eois for the project
# created by this user
Eoi.for_user(#user.id).for_project(project_id)
end
end
end
end
Eoi Controller index action
class EoisController < ApplicationController
before_action :get_project, except: [:index, :show]
before_action :set_eoi, only: [:show, :edit, :update, :destroy]
def index
if params[:project_id]
#eois = ProjectEoiPolicy::Scope.new(current_user, Eoi).resolve(params[:project_id])
else
#eois = policy_scope(Eoi)
end
end
I am making an api with ruby on rails, and I am trying to use token based authentication. Everything works just fine, but Rails is saying that the method authenticate_with_http_token is undefined.
This is the error it is giving:
{"status":500,"error":"Internal Server Error","exception":"#\u003cNoMethodError: undefined method `authenticate_with_http_token' for #\u003cUsersController:0x007fa8ac16dee0\u003e\u003e","traces":{"Application Trace":[{"id":0,"trace":"app/controllers/users_controller.rb:59:in `authenticate_token'"},{"id":1,"trace":"app/controllers/users_controller.rb:55:in `authenticate'"}],"Framework Trace":[{"id":2,"trace":"activesupport (5.0.0.beta3) lib/active_support/callbacks.rb:382:in `block in make_lambda'"}
This is the code for my controller:
class UsersController < ApplicationController
before_action :set_user, only: [:show, :update, :destroy]
before_action :authenticate, only: [:show, :update, :destroy]
# GET /users
def index
#users = User.all
render json: #users
end
# GET /users/1
def show
render json: #user
end
# POST /users
def create
#user = User.new(user_params)
if #user.save
render json: #user, status: :created, location: #user
else
render json: #user.errors, status: :unprocessable_entity
end
end
# PATCH/PUT /users/1
def update
if #user.update(user_params)
render json: #user
else
render json: #user.errors, status: :unprocessable_entity
end
end
# DELETE /users/1
def destroy
#user.destroy
end
private
# Use callbacks to share common setup or constraints between actions.
def set_user
#user = User.find(params[:id])
end
# Only allow a trusted parameter "white list" through.
def user_params
params.require(:user).permit(:first_name, :last_name, :email, :school_id, :auth_token, :password_digest)
end
def authenticate
authenticate_token || render_unauthorized
end
def authenticate_token
authenticate_with_http_token { |token, options| User.find_by(auth_token: token) }
end
end
Try to include that in your ApplicationController or UsersController
include ActionController::HttpAuthentication::Token::ControllerMethods
I guess you are trying to use the new Rails 5 API-only?
If so you probably inherited your ApplicationController from
class ApplicationController < ActionController::API
instead of
class ApplicationController < ActionController::Base
Please take note that ActionController::API is a downsized version of ActionController which does not include ALL modules. One of the ones left out is actually ActionController::HttpAuthentication::Token.
Including it in your ApplicationController (or a specialized controller if you just need it in one place) should fix it:
include ActionController::HttpAuthentication::Basic