Is the authorized_scope method with a default "with" option available?

[nlsrchtr]

Hi everyone,

I'm currently facing the situation, that I have a central model Portal::Organization with I would like to expose via a namespaced controller Portal::Web::Organization and also via Portal::Api::Organization. The authentication and authorization within the web namespace should be different from the api namespace.

The policy classes are namespaced accordingly: Portal::Web::OrganizationPolicy and Portal::Api::OrganizationPolicy.

My current setup looks like this:

module Portal
  module Web
    class OrganizationsController < Portal::Web::BaseController
      before_action :authorize!

      def index
        @organizations = authorized_scope(Portal::Organization.ordered)
      end

      private

      def authorize!
        super with: "#{controller_path.classify}Policy".safe_constantize
      end
    end
  end
end

This setup leads to:

Couldn't find policy class for [#<Portal::Web::OrganizationsController:0x00000000018b50>, "Couldn't find implicit authorization target for Portal::Web::OrganizationsController. Please, provide policy class explicitly using `with` option or define the `implicit_authorization_target` method."] (Array)

and when I overwrite the implicit_authorization_targetwith the following implementation (see also #170 (comment)):

def implicit_authorization_target
  controller_path.gsub('web/','').classify.safe_constantize
end

I get Couldn't find policy class for Portal::Organization. So I can provide like:

def index
  @organizations = authorized_scope(Portal::Organization.ordered, with: Portal::Web::OrganizationPolicy)
end

and everything works nicely, but providing the "with" option every time, smells from my perspective a bit. So I was wondering if there is a known and supported way of providing the "with" option to the authorized_scope method, without overwriting?

Maybe I'm also doing something very strange here, but I'm kind of following the example implementation from the documentation, with the only difference that my base model is namespaced in Portal.

Thanks for any support on this!

[palkan]

Let me think about this use-case (not something we usually deal with).

First, the model is namespaced (Portal::Organization). Thus, whenever we try to lookup a policy from a record, we search for Portal::OrganizationPolicy in the current namespace. But your namespace if Portal::Web, so, lookup candidates are: Portal::Web::Portal::OrganizationPolicy, Portal::Portal::OrganizationPolicy and Portal::OrganizationPolicy — no Portal::Web::OrganizationPolicy (we just don't know about the relation between the record's class namespace and the context's namespace).

Then, about the implicit target:

def implicit_authorization_target
  controller_path.gsub('web/','').classify.safe_constantize
end

It should be:

"portal/web/organizations".gsub('web/'. '').classify.safe_constantize #=>
"portal/organizations".classify.safe_constantize #=>
"Portal::Organization".safe_constantize #=>

Portal::Organization

The same problem as in the first case (the lookup chain is the same).

How can we deal with this?

First of all, the namespacing looks good to me: we have a Portal component (top-level namespace), Web and Api sub-components. Everything in the Portal component should live within the Portal:: namespace. Can we assume that if the current namespace and the record's namespace have common prefixes, we can drop them and lookup a policy without for a namespaced name? That is:

namespace = "Portal::Web"
policy = "Portal::OrganizationPolicy"

# drop Portal from the record and the namespace
namespace = "Web"
record = "OrganizationPolicy"

Now we should be able to find "Web::OrganizationPolicy" (which would resolve into Portal::Web::OrganizationPolicy).

I think, we can implement this. (Though I need to think carefully about potential side-effects).

---

For now, you can do the following two modifications:

• Add Portal.policy_name:

class Portal::Organization < AR
  def self.policy_name = "OrganizationPolicy"
end

That would made record-based lookups work.

• In your controller:

def implicit_authorization_target
  controller_path.gsub('portal/web/','').to_sym
end

That should make record-less lookups work.