Modules in Pundit - How to organize policies ?

by Sandjiv

Here at Drawbotics, we use the Pundit gem for anything authorization-related.

Our platform has a client-side and an admin-side, both sharing the same database, models, and policies, which led to the following situation : 

def new?  
    user.role == ClientUser::Owner || user.role == AdminUser::Supervisor
end

Some refactoring was needed. We needed a way to :

  • Categorize the policies in folders in order to facilitate comprehension and navigation
  • Have different policies for shared models that can be called independently depending on where we are on the platform.

After some testing and diving into the Pundit codebase, we found a way to cover our 2 needs.

I implemented all the models with the following method : 

def self.policy_class  
    Default::ModelPolicy
end

Everytime i call the authorize method on a Model object, Pundit will call model.policy_class in order to find the policy class to use. That first change allowed us to easily categorize our policy classes in namespaces.

One problem remained : specifying the policy to use for a shared object.

In order to also have that feature, I added to every shared model an attr_writer also called policy_class and changed the policy_class method : 

def policy_class(klass = Default::ModelPolicy)  
    @policy_class ||= klass
end

With that change, I know have two choices when using Pundit :

  • I simply call authorize(model) (Pundit usual behavior)
authorize model

This code will use the Default::ModelPolicy located in policies/default

  • I specify the policy before authorizing.
model.policy_class = Admin::ModelPolicy  
authorize model

This code will use the Admin::ModelPolicy located in policies/admin. That way I can specify the policy to use for shared models.

With that solution, i've been able to clearly organize all policies before making all my changes.