Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the policy class to the NotAuthorizedError message #812

Merged
merged 10 commits into from
Jun 17, 2024
3 changes: 3 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@

## Unreleased

- Improve the `NotAuthorizedError` message to include the policy class.
smitssjors marked this conversation as resolved.
Show resolved Hide resolved
Furthermore, in the case where the record passed is a class instead of an instance, the class name is given. (#812)

## 2.3.2 (2024-05-08)

- Refactor: First pass of Pundit::Context (#797)
Expand Down
1 change: 1 addition & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -28,3 +28,4 @@ Pundit version, OS version and any stack traces you have are very valuable.
- **Send coherent history**. Make sure each individual commit in your pull
request is meaningful. If you had to make multiple intermediate commits while
developing, please squash them before sending them to us.
- **Update the CHANGELOG.** Don't forget to add your new changes to the CHANGELOG.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -116,7 +116,7 @@ and the given record. It then infers from the action name, that it should call

``` ruby
unless PostPolicy.new(current_user, @post).update?
raise Pundit::NotAuthorizedError, "not allowed to update? this #{@post.inspect}"
raise Pundit::NotAuthorizedError, "not allowed to PostPolicy#update? this Post"
end
```

Expand Down
5 changes: 4 additions & 1 deletion lib/pundit.rb
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,10 @@ def initialize(options = {})
@record = options[:record]
@policy = options[:policy]

message = options.fetch(:message) { "not allowed to #{query} this #{record.class}" }
message = options.fetch(:message) do
record_name = record.is_a?(Class) ? record.to_s : "this #{record.class}"
"not allowed to #{policy.class}##{query} #{record_name}"
end
end

super(message)
Expand Down
25 changes: 21 additions & 4 deletions spec/pundit_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -57,11 +57,11 @@
expect { Pundit.authorize(user, article_tag, :destroy?) }.to raise_error(Pundit::NotAuthorizedError)
end

it "raises an error with a query and action" do
it "raises an error with the policy, query and record" do
# rubocop:disable Style/MultilineBlockChain
expect do
Pundit.authorize(user, post, :destroy?)
end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Post") do |error|
end.to raise_error(Pundit::NotAuthorizedError, "not allowed to PostPolicy#destroy? this Post") do |error|
expect(error.query).to eq :destroy?
expect(error.record).to eq post
expect(error.policy).to have_attributes(
Expand All @@ -73,11 +73,12 @@
# rubocop:enable Style/MultilineBlockChain
end

it "raises an error with a the record, query and action when the record is namespaced" do
it "raises an error with the policy, query and record when the record is namespaced" do
# rubocop:disable Style/MultilineBlockChain
expect do
Pundit.authorize(user, [:project, :admin, comment], :destroy?)
end.to raise_error(Pundit::NotAuthorizedError, "not allowed to destroy? this Comment") do |error|
end.to raise_error(Pundit::NotAuthorizedError,
"not allowed to Project::Admin::CommentPolicy#destroy? this Comment") do |error|
expect(error.query).to eq :destroy?
expect(error.record).to eq comment
expect(error.policy).to have_attributes(
Expand All @@ -89,6 +90,22 @@
# rubocop:enable Style/MultilineBlockChain
end

it "raises an error with the policy, query and the class name when a Class is given" do
# rubocop:disable Style/MultilineBlockChain
expect do
Pundit.authorize(user, Post, :destroy?)
end.to raise_error(Pundit::NotAuthorizedError, "not allowed to PostPolicy#destroy? Post") do |error|
expect(error.query).to eq :destroy?
expect(error.record).to eq Post
expect(error.policy).to have_attributes(
user: user,
record: Post
)
expect(error.policy).to be_a(PostPolicy)
end
# rubocop:enable Style/MultilineBlockChain
end

it "raises an error with a invalid policy constructor" do
expect do
Pundit.authorize(user, wiki, :update?)
Expand Down