Comments (1)
Saw your AnyCable presentation at Ruby Kaigi in Sendai and thought it was one of the best presentations. ;)
Thanks! Glad you liked it)
I think this was because I defined manage?
Yep. manage?
is the default rule for ActionPolicy::Base
. You can change this behaviour either by not using ActionPolicy::Base
as your root policy (see https://actionpolicy.evilmartians.io/#/custom_policy) or by setting default_rule nil
.
This means index_readers?, create_readers? and count_readers?
Do these three actions require different permissions?
Usually, when dealing with associations I use some basic rule for the parent model instead of defining custom, e.g.: if I can see the post, I can see the readers and count them => call authorize! post, to: :show?
in #index_readers
and #count_readers
.
That would also provide a meaningful failure reason (if you use i18n integration), e.g. "You don't have enough permissions to see this post".
There is no generic solution though, it highly depends on the business logic of your authorization model.
from action_policy.
Related Issues (20)
- Add ability to authorize nil records if :with option is provided HOT 2
- NoMethodError: undefined method `params_filter' for MyPolicy:Class in tests HOT 1
- Authorizing fields based on params_filter HOT 1
- Unknown policy scope type :active_record_relation HOT 3
- Policy-generator not working with Ruby 3.2 HOT 1
- uninitialized constant ActionController::Parameters HOT 4
- I18n does not seem to work with I18n Active Record HOT 1
- How Do I Test Resource-less Authorize? HOT 1
- Add --parent option to policy generator HOT 2
- Update a documentation about #be_an_alias_of matcher HOT 2
- Documentation Contrast HOT 3
- Can't alias `create?` to `manage?` HOT 1
- Cannot use `controller_authorize_current_user` with `ActionPolicy::Base` HOT 1
- Rspec fails with v0.6.6 when `eager_load` is set to `true` HOT 13
- 0.6.7 breaks wrap_parameters HOT 3
- Policy lookup for authorized_scope returns default policy instead of using implicit authorization target HOT 3
- Add `with_context` qualifier to `have_authorized_scope` matcher. HOT 1
- Allow using callable objects as scopes HOT 1
- Migrate pretty print to Prism
- Allow to reset authorization context HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from action_policy.