johno / pundit Goto Github PK

Currently we're including too much code in the package itself, including both dist and src directories. The way the node_modules subfolder is structured means that we cannot import from the pundit package directly.

• An index.js should be included in the root of the package
• We shouldn't include uncompiled TypeScript code in the package
• import { Policy, When, PunditProvider } from 'pundit/dist/pundit.mjs' should become import { Policy, When, PunditProvider } from 'pundit'

Following the discussion in #41, it would be simpler to be able to define actions without explicitly defining an actions map, e.g.

class PostPolicy extends Policy {
  user: AuthorisableUser
  record: AuthorisablePost

  constructor(user: AuthorisableUser, record: AuthorisablePost) {
    super(user, record)
  }

  view(): boolean {
    return true
  }

  publish(): boolean {
    return this.user.id === this.record.userId
  }

  destroy(): boolean {
    return this.user.isAdmin
  }
}

Hi @johno, want to use your solution in my project, but for some reason, it doesn't work.

What I did:

import React, { useEffect } from "react";
...
import { Policy, When } from "pundit";

export default function Landing() {
  const { user } = useAuth()
  const landingPolicy = new Policy();

  useEffect(() => {
    if(user) {
      landingPolicy.add("create", (user, record) => user.pioneer);
    }
  }, [user]);

  return(
    <When can="create" user={user} policy={landingPolicy} record={"landing"}>
      <div>
        <Link to="/create">Create</Link>
      </div>
    </When>
  );
}

It doesn't show me my link. Even if I replace user.pioneer with true

Maybe you see an issue with my setup. We can later improve README, so others will understand how to use it with React.

v0.1.0

• https://github.com/changesets/changesets
• https://www.johno.com/changesets

Currently to include multiple JSX elements inside of a When block it requires us to wrap the elements inside of a React fragment:

<When can="edit">
  <>
    <button type="button">Edit</button>
    <button type="button">Publish</button>
  </>
</When>

It would be cleaner to nest these within <When /> directly, e.g.

<When can="edit">
  <button type="button">Edit</button>
  <button type="button">Publish</button>
</When>

In order to make policy tests less verbose, it would be useful to include some Jest matchers, similar to what we have in Pundit Matchers.

I don't think we need to reproduce the whole Pundit Matchers API, which follows a "There's more than one way to do it" / TMTOWTDI approach. A subset of permitOnlyActions, permitAllActions, and permitActions to begin with would cover most scenarios.

Initially I could add some matchers to the existing codebase/package, with the intent to split them into a seperate package once we've moved to pnpm workspaces.

@johno any thoughts here?

It would be great if it were possible to generate the JS/TS policies based on the ruby ones.

What do people think about that idea?

Currently, the pundit package does not require 2FA to publish:

I suggest we change this to the highest level of security, "Require two-factor authentication and disallow tokens". Do you concur @johno?

Hi @johno,

Chris Alley, author of the Pundit Matchers gem here. I'm a TypeScript developer who is reviewing options for creating "Pundit for JavaScript" that would be used in at least one production application. Rather than creating more fragmentation on npm, I'm interested in adopting or helping to maintain this package.

Some ideas that I have to improve the project include:

• Modernise development dependencies (in progress)
• Add React tests (in progress)
• Add further tests for policy.ts
• Host the repo on the Pundit Community GitHub organisation, with multiple maintainers who can come and go.
• Split the React code into a seperate package, for example @pundit/react. This would give us the option to create other integrations for Svelte, Vue, etc without increasing the size of the package.
• Convert the project to a monorepo, for example managed via pnpm workspaces.
• Create Jest/Vitest matchers, similar to Pundit Matchers.
• Investigate recreating other parts of Pundit (policy scopes, permitted attributes).
• Investigate alternative policy syntax using class methods for policy actions.

Please let me know what your thoughts are. Would this be a welcome future for the project, or better suited to a seperate project?