Comments (7)
samnang
commented on August 24, 2024
6
Thank @thomasklemm, I end up creating a helper method to mock authorize method and stub out verify_authorized:
def mock_authorize(record, unauthorize: false)
expectation = expect(controller).to receive(:authorize).with(record)
expectation.and_raise(Pundit::NotAuthorizedError) if unauthorize
allow(controller).to receive(:verify_authorized)
endBTW, it's really a good trick to remove DoubleRenderError.
from pundit.
thomasklemm
commented on August 24, 2024
1
How about testing the expected behavior (e.g. render template, redirect, set flash) depending on the stubbed result of the authorize call in your case? This should keep your isolation, and you can ensure your policies work correctly with policy specs (as you might already have done).
from pundit.
thomasklemm
commented on August 24, 2024
Authorization influences the expected outcome of an HTTP request passing through a controller action, so I personally would choose not to stub the authorize @post out. E.g. for a staff user, an action should render a template, while an unauthorized user should be redirected back with a "You are not allowed to perform this action." flash.
from pundit.
samnang
commented on August 24, 2024
I agree, but so far I face some issues in my project because most of my controller specs are doing insolation testing, so I don't touch models and heavy used on rspec double(test doubles), then pundit failed when it tried to resolve policy class.
from pundit.
samnang
commented on August 24, 2024
I tried that approach by stubbing authorize method in different contexts, but it came to another issues when I use after_filter :verify_authorized in application_controller to ensure the authorize method has been called, then it's just failed and throw AbstractController::DoubleRenderError error.
from pundit.
thomasklemm
commented on August 24, 2024
The after_filter :verify_authorized checks for the truthyness of @_policy_authorized, so you'd have to set this one, too.
The DoubleRenderError has been discussed before and could be fixed with code from #53.
class ApplicationController < ActionController::Base
protect_from_forgery
include Pundit
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
private
def user_not_authorized
# Clear the previous response body to avoid a DoubleRenderError
# when redirecting or rendering another view
self.response_body = nil
flash[:error] = "You are not authorized to perform this action."
redirect_to request.headers["Referer"] || root_path
end
endfrom pundit.
thomasklemm
commented on August 24, 2024
@samnang Glad to help. Thanks for reporting your solution.
from pundit.
Related Issues (20)
- Manually specifying policy class via an instance method does not always work HOT 1
- Singular model class name vs. Plural module name HOT 3
- Split this into two methods?
- [Request] policy_scope should not alter joined table structure HOT 2
- Policy Finder `find` does not strip namespace. HOT 2
- Support authorization error flash messages when using turbo frames and streams? HOT 6
- Git tag for v2.3.0? HOT 1
- generator fails with ruby 3.2.0 HOT 6
- "include Pundit::Authorization" undefined ? HOT 3
- Enable custom description for permit matcher
- Do not use NotImplementedError HOT 1
- Rubygems version fully support Ruby 3.2
- Hook into Rails generators (scaffold, model) to generate policy classes HOT 3
- Helper policy_scope does not accept policy_scope_class HOT 1
- README for headless section is incorrect? HOT 1
- uninitialized constant Pundit::Authorization HOT 1
- Update gem release template for new gem publish workflow
- Pundit caching isn't sensitive to current user changing HOT 3
- Support :focus for rspec permissions blocks HOT 2
- how can i authorize all controllers and actions
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pundit.