Add Pundit policies for controllers that skipped verify_authorized#24

Merged: dadachi merged 2 commits into main from add_pundit_policies_for_skipped_controllers, Mar 14, 2026

Conversation

@dadachi (Contributor) commented Mar 14, 2026

Summary

  • Replaces skip_after_action :verify_authorized and manual before_action auth checks with proper Pundit authorize calls in 6 controllers: AccountsController, AccountsShopkeepersController, Accounts::AccountsInvitationsController, AccountsInvitationsController, MeController, and Account::PasswordsController
  • Adds 5 new Pundit policies (AccountPolicy, AccountsShopkeeperPolicy, AccountsInvitationPolicy, MePolicy, PasswordPolicy) with role-based authorization matching the existing manual checks
  • Overrides pundit_user in account-scoped controllers to resolve the shopkeeper's role in the param-specified account (not the middleware account)
Policy Rules

| Policy | Rules |
| --- | --- |
| AccountPolicy | index/show/create: any member; update: admin; destroy: owner |
| AccountsShopkeeperPolicy | index/show: any member; update/destroy: admin |
| AccountsInvitationPolicy | index/show: any member; create/update/destroy/resend: admin; token actions: any authenticated |
| MePolicy | all actions: any authenticated (self-service) |
| PasswordPolicy | update: any authenticated (self-service) |

Test plan

  • 5 new policy test files with full coverage of all authorization rules
  • Expanded AccountsController tests (1 → 8 tests) covering CRUD + auth checks
  • Added token-based AccountsInvitationsController tests for cross-account access
  • All 376 tests pass (709 assertions, 0 failures)
  • RuboCop: no offenses
  • Brakeman: no warnings

🤖 Generated with Claude Code
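
The AccountPolicy rules and the pundit_user override described in the summary, as an added Ruby example (not code from this PR or the repository): Pundit policies are plain `Policy.new(user, record)` classes with one predicate per action, and the object handed to the policy here carries the role resolved in the param-specified account rather than the middleware account. Account, Membership, Shopkeeper and AccountUser are assumed stand-ins, and the example assumes an owner also counts as an admin.

```ruby
# Added illustration, not code from the PR. Pundit policies are plain Ruby
# classes built as Policy.new(user, record) with predicate methods per action;
# the predicates below mirror the AccountPolicy row of the PR's table.
# Account, Membership, Shopkeeper and AccountUser are assumed stand-ins.
Account    = Struct.new(:id)
Membership = Struct.new(:account_id, :role)  # role: "owner", "admin" or "member"
Shopkeeper = Struct.new(:id, :memberships)

# Stand-in for the PR's pundit_user override: the object handed to the policy
# carries the role resolved in the param-specified account (params[:account_id]),
# so a role held in some other account never leaks into this authorization.
AccountUser = Struct.new(:shopkeeper, :account_id, :role) do
  def self.resolve(shopkeeper, account_id)
    m = shopkeeper.memberships.find { |ms| ms.account_id == account_id }
    new(shopkeeper, account_id, m && m.role)  # role is nil for non-members
  end
end

class AccountPolicy
  def initialize(user, record)
    @user = user      # AccountUser
    @record = record  # Account
  end

  # index/show/create: any member; update: admin; destroy: owner (per the PR)
  def index?;   member?; end
  def show?;    member?; end
  def create?;  member?; end
  def update?;  admin?;  end
  def destroy?; owner?;  end

  private

  # A membership only counts for the account the policy is actually checking.
  def member?; !@user.role.nil? && @user.account_id == @record.id; end
  # Assumption: an owner can do everything an admin can.
  def admin?;  member? && %w[owner admin].include?(@user.role); end
  def owner?;  member? && @user.role == "owner"; end
end

class NotAuthorizedError < StandardError; end

# Minimal equivalent of Pundit's `authorize record, :action?` helper: denial
# raises, which is what verify_authorized-style enforcement relies on.
def authorize(user, record, query)
  return true if AccountPolicy.new(user, record).public_send(query)
  raise NotAuthorizedError, "not allowed to #{query} account #{record.id}"
end
```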

dadachi and others added 2 commits March 14, 2026 09:03
Replace skip_after_action :verify_authorized and manual before_action
auth checks with proper Pundit authorize calls in AccountsController,
AccountsShopkeepersController, Accounts::AccountsInvitationsController,
AccountsInvitationsController, MeController, and PasswordsController.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@dadachi dadachi changed the title Add Pundit policies for controllers that skipped verify_authorized Add Pundit policies for controllers that skipped verify_authorized [render preview] Mar 14, 2026
@dadachi dadachi changed the title Add Pundit policies for controllers that skipped verify_authorized [render preview] Add Pundit policies for controllers that skipped verify_authorized Mar 14, 2026
@dadachi dadachi merged commit a2c61d7 into main Mar 14, 2026
3 checks passed
@dadachi dadachi deleted the add_pundit_policies_for_skipped_controllers branch March 14, 2026 00:49