Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Why different names? authorize vs policy #400

Closed
exalted opened this issue Jun 23, 2016 · 8 comments
Closed

Why different names? authorize vs policy #400

exalted opened this issue Jun 23, 2016 · 8 comments

Comments

@exalted
Copy link

exalted commented Jun 23, 2016
edited
Loading

Hi, I am a little curious about rationale behind the decision for different names (i.e. authorize and policy) for (apparently) same functionality, albeit used in different contexts (controllers vs. views).

Any comments please? Thank you.

Keep up the great great work! 🙏
@formigarafa
Copy link

@exalted ,
I did a quick check here and what I could observe is that believe while authorize methods checks the authorization (for the records and query) the policy methods only returns the related policy initialized with user and record (without applying any other check or raising exception).
With the policy in hand you can call any method on it and then is up to you do whatever you want to do with their result.

I hope this helps.

@formigarafa
Copy link

formigarafa commented Jul 5, 2016
edited
Loading

@exalted, I just noticed this is not completely true. The policy_scope controller helper actually apply the resolve method from the policy on the provided scope. This even brings consequences that I mentioned on #368.

@exalted
Copy link
Author

exalted commented Jul 5, 2016

@formigarafa You're correct, I believe. module Pundit's authorize method basically creates a policy (using the same policy method exposed as the view helper as well) and calls methods on it based on Pundit's conventions & assumptions; while in a view you have to call methods on policies explicitly.

For the sake of coherency, I was wondering why then <% if policy(@post).update? %> is suggested over something like <% if authorize(@post) %> instead.

@andrewhavens
Copy link

@exalted I'm not sure that Rails provides the view with the name of the current action, and even if it did, a view often displays links/buttons for performing different actions. Thus, I don't think it would work to simply use authorize(@post) in a view.

@jnicklas
Copy link
Collaborator

jnicklas commented Jul 7, 2016

No you shouldn't use <% if authorize(@post) %> in a view. For one it is not even exposed as a helper_method, so you actually can't, but even if you were able to do it, then it would be wrong. authorize always returns true in Pundit 1.x, that if-statement is never going to fail. Instead what would happen is that an error would be raised if @post cannot be authorized. That is not what you want. This is why authorize is a separate (and different) method, because you usually want to raise an error in a controller, but maybe not always, and in a view you definitely don't want to do that.

@jnicklas
Copy link
Collaborator

jnicklas commented Jul 7, 2016

I suggest re-reading the README if you're still confused, it actually explains all of this, more or less.

@exalted
Copy link
Author

exalted commented Jul 7, 2016

@jnicklas thanks for the lengthy explanation, however my question was about the rationale rather than the usage of Pundit. It's clear to me how Pundit works and the way is supposed to be used on controller and view contexts. Regardless, thank you for taking time and commenting.

@exalted
Copy link
Author

exalted commented Jul 7, 2016

I guess that's it. Thanks everyone who answered. 🍻

@exalted exalted closed this as completed Jul 7, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jnicklas @formigarafa @exalted @andrewhavens