Authorization with Pundit
# Adds the gem to the Gemfile and installs it.
bundle add pundit
# Generates the base ApplicationPolicy that AvailabilityPolicy below inherits from.
rails g pundit:install
class ApplicationController < ActionController::Base
  include Pundit::Authorization

  # `authorize` raises NotAuthorizedError when a policy predicate returns false;
  # route every such failure through one handler instead of surfacing a 500.
  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

  private

  # Denied requests get a flash message and are sent back where they came from.
  # Be careful not to get into an infinite loop if root itself is not authorized.
  def user_not_authorized
    redirect_back(
      fallback_location: root_path,
      alert: "You are not authorized to perform this action."
    )
  end

  # ...
end
Users can only edit and delete availabilities they created
# Generates the AvailabilityPolicy skeleton that is filled in below.
rails g pundit:policy availability
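class AvailabilityPolicy < ApplicationPolicy
  class Scope < Scope
    # NOTE: Be explicit about which records you allow access to!
    # def resolve
    #   scope.all
    # end
  end

  # `edit?` delegates to `update?` in the generated ApplicationPolicy, so this
  # one rule covers both the edit form and the update action.
  def update?
    owner?
  end

  def destroy?
    owner?
  end

  private

  # Only the user who created the availability may change it. The explicit
  # nil check matters: without it, a request with no signed-in user and a
  # record with no owner would satisfy `nil == nil` and be allowed.
  def owner?
    !user.nil? && user == record.user
  end
end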
class AvailabilitiesController < ApplicationController
  # ...
  def update
    # Raises Pundit::NotAuthorizedError (handled in ApplicationController)
    # unless AvailabilityPolicy#update? allows the current user.
    authorize @availability
    # ...
  # NOTE(review): the view's `button_to ..., method: :delete` reaches the
  # RESTful `destroy` action, and Pundit's `authorize` derives its policy
  # query from the action name, so an action named `delete` would look up
  # `delete?` — which AvailabilityPolicy does not define (it defines
  # `destroy?`). Rename to `def destroy` so routing and the policy line up.
  def delete
    authorize @availability
    # ...
end
Only show the edit options to the authorized user
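<%# UI gating only: the controller's `authorize` call is what actually enforces the policy. %>
<% availability_policy = policy(@availability) %>
<% can_update = availability_policy.update? %>
<% can_destroy = availability_policy.destroy? %>
<%# Each action is gated by its own predicate, so a policy that permits one but not the other still shows the permitted option. %>
<% if can_update || can_destroy %>
  <div class="col-md-4">
    <div class="dropdown">
      <a class="btn btn-secondary dropdown-toggle" href="#" role="button" id="dropdownMenuLink" data-bs-toggle="dropdown" aria-expanded="false">
        <i class="fas fa-cog"></i>
      </a>
      <ul class="dropdown-menu" aria-labelledby="dropdownMenuLink">
        <% if can_update %>
          <li><%= link_to "Edit this availability", edit_availability_path(@availability), class: 'dropdown-item' %></li>
        <% end %>
        <% if can_destroy %>
          <li><%= button_to "Destroy this availability", @availability, method: :delete, class: 'dropdown-item', data: { confirm: 'Are you sure?' } %></li>
        <% end %>
      </ul>
    </div>
  </div>
  <%# NOTE(review): three closing </div>s for the two opened in this snippet — confirm which outer wrapper the last one closes. %>
  </div>
<% end %>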