DannyBen/pundit_extra

PunditExtra

This library borrows functionality from CanCan(Can) and adds it to Pundit.

  • can? and cannot? view helpers
  • load_resource, authorize_resource, load_and_authorize_resource and skip_authorization controller filters

The design intentions were:

  1. To ease the transition from CanCanCan to Pundit.
  2. To reduce boilerplate code in controller methods.
  3. To keep things simple and intentionally avoid dealing with edge cases or endless magical options you need to memorize.

Install

Add to your Gemfile:

gem 'pundit_extra'

Add to your ApplicationController:

class ApplicationController < ActionController::Base
  include Pundit::Authorization
  include PunditExtra
end

View Helpers: can? and cannot?

You can use the convenience methods can? and cannot? in any controller and view.

  • if can? :assign, @task is the same as Pundit's policy(@task).assign?
  • if can? :index, Task is the same as Pundit's policy(Task).index?
  • if cannot? :assign, @task is the opposite of can?

Autoload and Authorize Resource

You can add these to your controllers to automatically load the resource and/or authorize it.

class TasksController < ApplicationController
  before_action :authenticate_user!
  load_resource except: [:index, :create]
  authorize_resource except: [:create]
end

The load_resource filter will create the appropriate instance variable based on the current action.

The authorize_resource filter will call Pundit's authorize @model in each action.

Pass except: or only: with a single action name or an array of action names to limit which actions the filter applies to.

Example:

class TasksController < ApplicationController
  before_action :authenticate_user!
  load_resource except: [:edit, :complete]
  authorize_resource except: :index

  def index
    # this happens automatically
    # @tasks = policy_scope(Task)
  end

  def show
    # this happens automatically
    # @task = Task.find params[:id]
    # authorize @task
  end

  def new
    # this happens automatically
    # @task = Task.new
    # authorize @task
  end

  def create
    # this happens automatically
    # @task = Task.new task_params
    # authorize @task
  end

end
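The following stand-alone Ruby is an added illustration, not the gem's own code: it models how only:/except: select actions and what each conventional action loads and authorizes, using the configuration from the example above. Task, TaskPolicy, TASKS, filter_applies? and run_filters are constructed stand-ins and assumptions, not the gem's API; the per-action table mirrors the commented example, and the handling of an action such as complete that is excluded from load_resource is a model assumption.

```ruby
# Added illustration of the filter semantics in the README example; NOT the
# gem's code. Task, TaskPolicy and TASKS are constructed stand-ins for Rails
# objects; the action table below follows the "this happens automatically" comments.
Task = Struct.new(:id, :owner)
TASKS = [Task.new(1, :alice), Task.new(2, :bob)].freeze  # constructed sample data
NotAuthorized = Class.new(StandardError)

class TaskPolicy
  def initialize(user, record); @user, @record = user, record; end
  def index?;  true;                   end  # listing allowed; the scope filters rows
  def show?;   @record.owner == @user; end  # only the owner may view a task
  def new?;    true;                   end
  def create?; @record.owner == @user; end  # no creating tasks on someone else's behalf
  def self.scope(user); TASKS.select { |t| t.owner == user }; end
end

# only: wins if given; except: excludes; no option means every action.
def filter_applies?(action, only: nil, except: nil)
  return Array(only).map(&:to_sym).include?(action.to_sym) if only
  return !Array(except).map(&:to_sym).include?(action.to_sym) if except
  true
end

# Returns [loaded value, trace of steps taken]. Actions outside the conventional
# set load nothing, so there is no record to authorize (model assumption): the
# controller must load and authorize such actions by hand.
def run_filters(action, user:, params: {}, load_opts: {}, authorize_opts: {})
  trace = []
  record = nil
  if filter_applies?(action, **load_opts)
    record = case action.to_sym
             when :index       then trace << :policy_scope;    TaskPolicy.scope(user)
             when :show, :edit then trace << :find;            TASKS.find { |t| t.id == params[:id] }
             when :new         then trace << :new;             Task.new(nil, user)
             when :create      then trace << :new_with_params; Task.new(nil, params.fetch(:owner, user))
             end
  end
  if filter_applies?(action, **authorize_opts) && !record.nil?
    trace << :authorize
    subject = action.to_sym == :index ? Task : record   # can? :index, Task checks the class
    raise NotAuthorized unless TaskPolicy.new(user, subject).public_send("#{action}?")
  end
  [record, trace]
end

# Options from the README example: load except edit/complete, authorize except index.
LOAD_OPTS = { except: [:edit, :complete] }.freeze
AUTH_OPTS = { except: :index }.freeze
```

Running run_filters(:complete, ...) with these options yields no record and an empty trace, which is the case to watch for when excluding actions from the filters.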

In addition, you can use:

  • load_and_authorize_resource, a shortcut that combines load_resource and authorize_resource
  • skip_authorization, which sends skip_authorization and skip_policy_scope to Pundit for all actions (or only the ones you specify)

Credits

Thanks for building awesome stuff.