The best explanation I have found for the gestalt of Pundit is https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/
And yet ... I don't get it. I can understand each statement in https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ ... but when I get to what the "authorize(@post)" in

    def create
      @post = Post.new(params[:post])
      authorize(@post)
      …
    end

does ... I don't get it.

I'm trying to put together an English sentence for "authorize(@post)". Please tell me if I'm close.

authorize(@post) means ...

    For the current user (i.e. current_user) and for the @post object, throw a NotAuthorizedError exception if PostPolicy#create? returns false.

I think the "hidden" inputs to authorize come from the following sources:

- current_user from Devise's current_user
- @post is the self-evident argument to authorize
- PostPolicy is built from the name of the class of the object @post followed by the word "Policy" (i.e. @post.class.to_s + 'Policy')
- create? is built from params[:action]. That is, since we know we're in def create, then params[:action] must be "create".

How close am I?

Ralph

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/c434a226-68b7-4ed3-9a62-eaab7c8ebef6%40googlegroups.com.
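The three "hidden" inputs the post asks about can be made visible by writing out the resolution that Pundit's `authorize` performs. The block below is an added example, not Pundit's source and not code from the linked article: it is a toy controller that mirrors the lookup Pundit does (user taken from `current_user`, policy class named `"#{record.class.name}Policy"`, query method named `"#{action_name}?"` unless one is passed explicitly, `NotAuthorizedError` raised when the query returns false). `User`, `Post`, `PostPolicy`, `ToyController` and `run_action` are all constructed here for illustration; the policy rules in `PostPolicy` are made up. It also shows the check a practitioner actually wants alongside `authorize`: a `verify_authorized` guard that fails the request when an action never called `authorize` at all, which in real Pundit is `after_action :verify_authorized`.

```ruby
# Added example: a toy reimplementation of what Pundit's `authorize` resolves.
# Not Pundit's code; it exists so each hidden input is an explicit expression.

class NotAuthorizedError < StandardError; end

# Constructed stand-ins for Devise's current_user and a Post model.
User = Struct.new(:id, :admin)
Post = Struct.new(:title, :owner_id)

# Hypothetical policy. Pundit instantiates a policy with (user, record) and then
# calls a predicate named after the controller action, e.g. create?.
class PostPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def create?
    !user.nil?                      # any signed-in user may create
  end

  def update?
    user.admin || record.owner_id == user.id   # owner or admin
  end

  def destroy?
    user.admin                      # admins only
  end
end

class ToyController
  attr_reader :current_user, :action_name

  def initialize(current_user, action_name)
    @current_user = current_user    # what Devise provides as current_user
    @action_name = action_name      # what Rails provides as action_name / params[:action]
    @authorized = false
  end

  # authorize(record, query = nil):
  #   user   <- current_user (Pundit reads pundit_user, which defaults to current_user)
  #   policy <- constant named "#{record.class.name}Policy"
  #   query  <- "#{action_name}?" unless the caller passes one
  def authorize(record, query = nil)
    query ||= "#{action_name}?"
    policy_class = Object.const_get("#{record.class.name}Policy")
    policy = policy_class.new(current_user, record)
    @authorized = true
    unless policy.public_send(query)
      raise NotAuthorizedError, "not allowed to #{query} this #{record.class.name}"
    end
    record
  end

  # The complementary check: an action that forgot to call authorize must not
  # silently succeed. Pundit provides this as verify_authorized.
  def verify_authorized
    raise NotAuthorizedError, "#{action_name} never called authorize" unless @authorized
    true
  end
end

# Runs one action end to end and reports :ok or :denied.
def run_action(user, action, post, query = nil)
  controller = ToyController.new(user, action)
  controller.authorize(post, query)
  controller.verify_authorized
  :ok
rescue NotAuthorizedError
  :denied
end

if $PROGRAM_NAME == __FILE__
  alice = User.new(1, false)
  post = Post.new("hello", 1)
  puts run_action(alice, "create", post)    # ok: any signed-in user
  puts run_action(alice, "destroy", post)   # denied: not an admin
end
```

Passing a second argument, as in `authorize(@post, :destroy?)`, overrides the action-derived query name; that is the knob to use when an action's name does not match the policy predicate you mean to check.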

