The best explanation I have found for the gestalt of Pundit is 
https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ 

And yet ... I don't get it.

I can understand each statement in 
https://www.varvet.com/blog/simple-authorization-in-ruby-on-rails-apps/ ... 
but when I get to what the "authorize(@post)" in

def create
  @post = Post.new(params[:post])
  authorize(@post)
  …
end

does ... I don't get it.

I'm trying to put together an English sentence for "authorize(@post)".  
Please tell me if I'm close.

authorize(@post)
means ...

For the current user (i.e. current_user) and
for the @post object
throw a NotAuthorizedError exception if PostPolicy#create? returns false

I think the "hidden" inputs to authorize come from the following sources:
current_user   from Devise's current_user
@post          is the self-evident argument to authorize
PostPolicy     is built from the name of the class of the object @post followed by the word "Policy" (i.e. @post.class.to_s + 'Policy')
create?        is built from params[:action].  That is, since we know we're in def create then params[:action] must be "create".

How close am I?

Ralph
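A minimal re-implementation of the lookup described in the post above, added here as an illustration; it is not Pundit's own code (the real gem resolves the policy through more cases, for example an explicit policy_class). It makes the three hidden inputs explicit: the user comes from current_user, the policy class from the record's class name plus "Policy", and the query from the controller's action name plus "?". FakeController, User, Post and the policy rules are stand-ins constructed for this example.

```ruby
# Added example, not Pundit's code: shows where each hidden input to
# authorize(record) comes from and when NotAuthorizedError is raised.
class NotAuthorizedError < StandardError; end

# Constructed stand-ins for a Devise user and an ActiveRecord model.
User = Struct.new(:name, :admin)
Post = Struct.new(:title, :author)

# Found by appending "Policy" to the record's class name (Post -> PostPolicy).
class PostPolicy
  attr_reader :user, :post
  def initialize(user, post)
    @user, @post = user, post
  end
  def create?;  !user.nil?; end                                   # any signed-in user
  def update?;  !user.nil? && (user.admin || post.author == user.name); end
  def destroy?; !user.nil? && user.admin; end
end

# Stand-in for the controller context authorize relies on.
class FakeController
  attr_reader :current_user, :action_name
  def initialize(current_user, action_name)
    @current_user, @action_name = current_user, action_name
  end

  def authorize(record, query = nil)
    query ||= "#{action_name}?"                              # "create" -> "create?"
    policy_class = Object.const_get("#{record.class}Policy") # Post -> PostPolicy
    policy = policy_class.new(current_user, record)          # hidden input: current_user
    unless policy.public_send(query)
      raise NotAuthorizedError, "not allowed to #{query} this #{record.class}"
    end
    record
  end
end

# Helper that turns the raise/no-raise behaviour into a boolean.
def allowed?(user, action, post)
  FakeController.new(user, action).authorize(post)
  true
rescue NotAuthorizedError
  false
end
```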

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/rubyonrails-talk/c434a226-68b7-4ed3-9a62-eaab7c8ebef6%40googlegroups.com.