Option to cancel relationship update authorization #87
Comments
|
Hi, and thanks for raising the issue!
I beg to disagree with this. If the author model has association
Hmm. For context, the One idea that I could get behind is extracting these lines (and only these lines) to a new method on The new method could be something like class DefaultPunditAuthorizer
def fallback_authorize(user, record)
::Pundit.authorize(user, record, 'update?')
end
endI'd be open to review such a PR, with tests attached, and willing to consider including it in the gem itself. A mention in the documentation somewhere + in-line comments would be necessary to tell about this possibility. |
|
Hi and thanks for the quick reply
This is a valid philosophical point, but the practical implication is that I cannot allow someone to create or update an article without also allowing them to update the author. In my case, the dependency graph between all models in the project is connected, so I will be allowing them to update everything... At any rate, I assume this is pointless to discuss, since changing it will break existing code. I will try implement what you suggest when I can get to it. In the meantime, I have workaround overriding the respond_to? method, but this is not something I'd like to keep... Thanks! |
🙇. Even though there hasn't been many commits in the near history, I still try to answer issues and pull requests in a timely manner. This gem is alive and breathing just fine
Well, you can do that by creating the special methods in your policies. But I get your point
That definitely isn't good, and isn't what we'd want people to do.
I'm trying not to sound nasty here — this project just has gone through this same topic a few times in the past already. I'm actually quite glad that you were able to reference the relationship authorization documentation, because at least the current logic wasn't too surprising to you 😄
Let's hope you'll get to it at some point, or someone else who wants to work on this can also do so. If you or someone has questions on code or something, I'd try to help to the best I can. The one thing I won't do is code this feature on my own, as we don't need it at work right now. Here's a great chance to do some open source goodness 😉
Yikes, sounds flaky! I hope contributing code to this gem would even be easier for you in the long term |
Actually, I first found it in the code, then found it was documented :) Anyway, thanks again, I hope I can send something soon. |
|
Great! Feel free to ask even stupid questions 🤗. After all, I am sure to have blind spots in what is difficult to grasp as I'm already knee-deep in the code itself. |
|
Just had another look. Won't it be better to use method names that do not include the relationship type (as in |
Or, even easier, instead of calling |
|
"More flexible" in this case also means that it's easier to accidentally allow some operation that should not have been allowed. The philosophy of this gem, "err on the side of too much authorization than too little", is what is happening here. It is far too easy to create a What is entirely possible is to come up with an application-side abstraction for avoiding too much repetition in policy classes. I'd be quite curious to hear about them, and maybe it would even be beneficial to document them. As for the second idea, calling a method that most likely does not exist and rescue an error, I'd rather not do it. Exceptions should be reserved for exceptional cases, not control flow. And also encouraging a |
Hi,
In the creation example (for instance), when
create_with_author?does not exist, the fallback is to checkupdate?for the user. I find this unreasonable: when creating the article I'm not really updating the author. I know I could change the behaviour by defining acreate_with_author?method, but I would need to do it for every association in all my models (and when adding new ones)My suggestion: allow specifying a fallback or a method name in place of
update?(withupdate?as default), which is independent of the relationship name (e.g.,create_with?)Thanks!
The text was updated successfully, but these errors were encountered: