Project

pundit_can

0.0
The project is in a healthy, maintained state
pundit_cancandland/pundit_canHomepageDocumentationSource CodeBug TrackerWiki
Add cancan like load and authorize to controllers.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
 Popularity
Downloads
2,435
Stars
1
Forks
0
Watchers
1
 Releases
Current version
0.1.4
Total releases
5
First release
2023-05-09
Latest release
2026-03-19
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2024-06-04
Reverse Dependencies
0

 Dependencies

Development

rails-controller-testing
>= 0

Runtime

pundit
>= 2.0.0
rails
>= 7.0.4.2
 Project Readme

PunditCan

Pundit with cancan style load_and_authorize functionality.

Usage

Include PunditCan::LoadAndAuthorize into ApplicationController or in each controller.

Call load_resource in the controller to load and authorize the resource.

class UsersController < ApplicationController
  load_resource
end

This will load @user from User using the UserPolicy to authorize and scope the loading.

Advanced usage

There are options to customize the loaded instance_name, model, and policy classes.

Parent / nested

This is an example of loading User and Posts, where posts are scoped through the user.

class PostsController < ApplicationController
  load_resource model_class: User, parent: true
  load_resource through: :user

  ...
end

The :through option tells load_resource to pass the parent's association as the scope through the policy. For example, if @user was loaded by the first call, the second call will pass @user.posts to PostPolicy::Scope instead of Post.all. This allows the policy scope to work with the already-authorized parent.

That will load @user from the UserPolicy into a User class, using :user_id to find the user. And it will load @post or @posts using the PostPolicy with the :id param.

If there is no parent instance variable set (e.g., a non-nested route), it will fall back to the default behavior of scoping with the model class.

When the association name doesn't match the model name, use the :association option:

class ArticlesController < ApplicationController
  load_resource model_class: User, parent: true
  load_resource model_class: Article, through: :user, association: :articles
  
  # This passes @user.articles instead of @user.posts to the ArticlePolicy::Scope
end

This is useful when you have associations like has_many :published_posts, class_name: "Post" or other cases where the association method name differs from the model class name.

Customized loading

You can customize the loading for cases when the model, controller, and policies don't match up name-wise.

class MisMatchedController < ApplicationController
  load_resource instance_name: :special_user,
    model_class: User,
    policy_class: SpecialUserPolicy,
    policy_scope_class: SpecialUserPolicy::Scope

  ...

  # Pundit method to override the model param key
  def pundit_params_for(record)
    params.require(:special_user)
  end
end

This will set @special_user with the User class, using the SpecialUserPolicy and SpecialUserPolicy::Scope classes to authorize and scope the loading.

Skiping checks

By default, verify_authorized and verify_policy_scoped after actions are setup. If you need to skip those for an action, there are skip_authorized_check and skip_scoped_check methods to skip the verify actions for the given actions.

class SkipsController < ApplicationController
  skip_authorized_check :index, :show
  skip_scoped_check :index, :show

  ...
end

Installation

Add this line to your application's Gemfile:

gem "pundit_can"

And then execute:

$ bundle

Or install it yourself as:

$ gem install pundit_can

Contributing

Contribution directions go here.

License

The gem is available as open source under the terms of the MIT License.