I've been banging my head against this a day. I am trying to implement a pundit policy(using Devise for authentication) for a model called Design that belongs to a User which has many designs. Should create and new be excepted from authorize after action as well? It seems like this should work. Help much appreciated
I keep running into
ArgumentError (wrong number of arguments (2 for 0)):
when creating a new design(where the 'debugger' is). I think that it is passing a valid @design into the policy finder. It may be the way I have set up the scope in the policy.
Here is the designs controller:
class DesignsController < ApplicationController
before_filter :authenticate_user!
before_action :set_design, only: [:show, :edit, :update, :destroy]
after_action :verify_authorized, except: [:index, :new]
# GET /designs
# GET /designs.json
def index
@designs = policy_scope(Design)
end
# GET /designs/1
# GET /designs/1.json
def show
end
# GET /designs/new
def new
@design = Design.new
end
# GET /designs/1/edit
def edit
end
# POST /designs
# POST /designs.json
def create
@design = Design.new(design_params)
@design.user_id = current_user.id
respond_to do |format|
if @design.save
format.html { redirect_to @design, notice: 'Design was successfully created.' }
format.json { render :show, status: :created, location: @design }
else
format.html { render :new }
format.json { render json: @design.errors, status: :unprocessable_entity }
end
end
debugger // This is where it throws the exception
authorize @design
end
# PATCH/PUT /designs/1
# PATCH/PUT /designs/1.json
def update
respond_to do |format|
if @design.update(design_params)
format.html { redirect_to @design, notice: 'Design was successfully updated.' }
format.json { render :show, status: :ok, location: @design }
else
format.html { render :edit }
format.json { render json: @design.errors, status: :unprocessable_entity }
end
end
end
# DELETE /designs/1
# DELETE /designs/1.json
def destroy
@design.destroy
respond_to do |format|
format.html { redirect_to designs_url, notice: 'Design was successfully destroyed.' }
format.json { head :no_content }
end
end
private
# Use callbacks to share common setup or constraints between actions.
def set_design
@design = Design.find(params[:id])
end
# Never trust parameters from the scary internet, only allow the white list through.
def design_params
params.require(:design).permit(:name, :description, :design_model, :certification_for_distribution, :manufacturing_test)
end
end
Here is the Designs Policy Class
class DesignPolicy
class Scope<DesignPolicy
attr_reader :user, :scope
def initialize(user,scope)
@user = user
@scope = scope
end
def resolve
if user.admin?
@scope.all
else
@scope.all.where(user_id: user.id)
end
end
end
def index?
debugger
true
end
def new?
debugger
@current_user != nil
end
def create?
@current_user != nil
new?
end
end
