Use controller’s action_name attr instead of params[:action]

This is the recommended way to access a controller’s current action
varvet · May 17, 2018 · 667b138 · 667b138
1 parent d28170b
commit 667b138
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 17 deletions.
diff --git a/lib/pundit.rb b/lib/pundit.rb
@@ -175,7 +175,7 @@ def verify_policy_scoped
   # @raise [NotAuthorizedError] if the given query method returned false
   # @return [Object] Always returns the passed object record
   def authorize(record, query = nil)
-    query ||= params[:action].to_s + "?"
+    query ||= "#{action_name}?"
 
     @_pundit_policy_authorized = true
 
@@ -232,7 +232,7 @@ def policy(record)
   # @param action [Symbol, String] the name of the action being performed on the record (e.g. `:update`).
   #   If omitted then this defaults to the Rails controller action name.
   # @return [Hash{String => Object}] the permitted attributes
-  def permitted_attributes(record, action = params[:action])
+  def permitted_attributes(record, action = action_name)
     policy = policy(record)
     method_name = if policy.respond_to?("permitted_attributes_for_#{action}")
       "permitted_attributes_for_#{action}"

diff --git a/spec/pundit_spec.rb b/spec/pundit_spec.rb
@@ -8,7 +8,7 @@
   let(:comment) { Comment.new }
   let(:comment_four_five_six) { CommentFourFiveSix.new }
   let(:article) { Article.new }
-  let(:controller) { Controller.new(user, action: "update") }
+  let(:controller) { Controller.new(user, "update", {}) }
   let(:artificial_blog) { ArtificialBlog.new }
   let(:article_tag) { ArticleTag.new }
   let(:comments_relation) { CommentsRelation.new }
@@ -426,56 +426,68 @@
 
   describe "#permitted_attributes" do
     it "checks policy for permitted attributes" do
-      params = ActionController::Parameters.new(action: "update", post: {
+      params = ActionController::Parameters.new(post: {
         title: "Hello",
         votes: 5,
         admin: true
       })
 
-      expect(Controller.new(user, params).permitted_attributes(post).to_h).to eq("title" => "Hello", "votes" => 5)
-      expect(Controller.new(double, params).permitted_attributes(post).to_h).to eq("votes" => 5)
+      action = "update"
+
+      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq(
+        "title" => "Hello",
+        "votes" => 5
+      )
+      expect(Controller.new(double, action, params).permitted_attributes(post).to_h).to eq("votes" => 5)
     end
 
     it "checks policy for permitted attributes for record of a ActiveModel type" do
-      params = ActionController::Parameters.new(action: "update", customer_post: {
+      params = ActionController::Parameters.new(customer_post: {
         title: "Hello",
         votes: 5,
         admin: true
       })
 
-      expect(Controller.new(user, params).permitted_attributes(customer_post)).to eq("title" => "Hello", "votes" => 5)
-      expect(Controller.new(double, params).permitted_attributes(customer_post)).to eq("votes" => 5)
-      expect(Controller.new(user, params).permitted_attributes(customer_post).to_h).to eq(
+      action = "update"
+
+      expect(Controller.new(user, action, params).permitted_attributes(customer_post).to_h).to eq(
+        "title" => "Hello",
+        "votes" => 5
+      )
+      expect(Controller.new(double, action, params).permitted_attributes(customer_post)).to eq("votes" => 5)
+      expect(Controller.new(user, action, params).permitted_attributes(customer_post).to_h).to eq(
         "title" => "Hello",
         "votes" => 5
       )
-      expect(Controller.new(double, params).permitted_attributes(customer_post).to_h).to eq(
+      expect(Controller.new(double, action, params).permitted_attributes(customer_post).to_h).to eq(
         "votes" => 5
       )
     end
   end
 
   describe "#permitted_attributes_for_action" do
     it "is checked if it is defined in the policy" do
-      params = ActionController::Parameters.new(action: "revise", post: {
+      params = ActionController::Parameters.new(post: {
         title: "Hello",
         body: "blah",
         votes: 5,
         admin: true
       })
 
-      expect(Controller.new(user, params).permitted_attributes(post).to_h).to eq("body" => "blah")
+      action = "revise"
+      expect(Controller.new(user, action, params).permitted_attributes(post).to_h).to eq("body" => "blah")
     end
 
     it "can be explicitly set" do
-      params = ActionController::Parameters.new(action: "update", post: {
+      params = ActionController::Parameters.new(post: {
         title: "Hello",
         body: "blah",
         votes: 5,
         admin: true
       })
 
-      expect(Controller.new(user, params).permitted_attributes(post, :revise).to_h).to eq("body" => "blah")
+      action = "update"
+      expect(Controller.new(user, action, params).permitted_attributes(post, :revise).to_h).to eq("body" => "blah")
     end
   end
 

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -156,10 +156,11 @@ class Controller
   # Mark protected methods public so they may be called in test
   public(*Pundit.protected_instance_methods)
 
-  attr_reader :current_user, :params
+  attr_reader :current_user, :action_name, :params
 
-  def initialize(current_user, params)
+  def initialize(current_user, action_name, params)
     @current_user = current_user
+    @action_name = action_name
     @params = params
   end
 end