Action aliases in the controller

[brendon]

Here's another idea:

In my application I authorise a lot of controllers based on a simple (user editable) permissions system, so the policy structure is quite simple and has nothing to do with these controller items and more to do with their ultimate position within a tree structure and the permissions applied there. To that end I'm calling something like authorise! ComponentInstance to kick off the policy check.

Now that's all fine and good and I can define rule aliases in the policy for common actions:

  authorize :component_instance

  alias_rule :index?, :show?, to: :view?
  alias_rule :new?, :create?, :update?, :destroy?, to: :edit?

  def view?
    component_instance.has_permission_to(:view, user)
  end

  def edit?
    component_instance.has_permission_to(:edit, user)
  end

However, in some of my controllers there are other actions (e.g. sort) and some that are injected by concerns. In that case, it's illogical to keep adding those rule aliases to the policy, it'd be better to pass in the alias from the controller and I can see one can do that:

authorize! ComponentInstance, to: :view?

I was wondering what you thought of creating a method for defining rule aliases at the controller level, so I could do something like:

alias_action :sort, :jumble, to_rule: :edit?

So when you're identifying the rule to execute you could check this first, then move down to the rule aliases in the policy?

[palkan]

in some of my controllers there are other actions (e.g. sort) and some that are injected by concerns. In that case, it's illogical to keep adding those rule aliases to the policy

Why not using explicit rules in the concerns? That makes more sense, IMO.

I'm also using controllers concerns to add action, and I'm doing like this:

module Voted
  extend ActiveSupport::Concern

  included do
    before_action :set_votable, only: [:vote_up, :vote_down, :cancel_vote]
  end

  def vote_up
    # do smth with @votable
  end

  def set_votable
    @votable = controller_name.classify.constantize.find(params[:id])
    authorize! @votable, to: :manage?
  end
end

[brendon]

Thanks @palkan, in my case my authorize! is called from a controller superclass. I'd have to restrict its execution to the REST verbs, then use your method to do an alternative authorize! specifying the rule. Seems like a messier approach once I'm dealing with 10's of one-off non-REST actions spread across lots of controllers (many not in concerns).

I'm authorising in the superclass because my policy doesn't care about any of the sub-models in the application, just their ultimate parent, and its place in the site tree.

I'll probably just implement something in my application that is the same as my PR. I just thought you might want to have it as part of action_policy :)

[palkan]

I just thought you might want to have it as part of action_policy :)

What about adding this use-case to the docs? And then, if there would be a demand, include it into the gem.

[brendon]

Ok, sounds like a good idea. Do you mean to put in the docs saying that it is a proposed feature and show examples as it would work as implemented in the PR, then ask people to chime in on this issue if they'd like to see it implemented?

[palkan]

Yep. We can add a new top-level section, say, "Tip & Tricks", and the proposed implementation and the reasoning behind it.

And also add a link to this doc to Readme.

[brendon]

Done (#28). I'll link to the readme from here once the PR is merged :) Hopefully that page also helps explain my use case a bit better.

[brendon]

See: https://actionpolicy.evilmartians.io/#/controller_action_aliases for more information.

[palkan]

Closed as stale

[brendon]

@palkan, you might want to remove https://actionpolicy.evilmartians.io/#/controller_action_aliases that relates to this PR.