Applying Pundit policies to rodauth features

[rennel-tenten]

I would like to regulate access to some rodauth endpoints using Pundit policies. For example, I would like to make it so that only accounts that have the role "admin" can create new accounts. Is this possible? If so, how would I go about doing this?

The code below does not work but it illustrates what I want to do:

before_create_account do
  authorize :account_management, :create?
end

[jeremyevans]

I'm not sure, as I've never used Pundit. If authorize returns a value, then that's not going to work. If it returns a boolean (with false meaning not authorized), you could do:

  before_create_account_route do
    unless authorize(:account_management, :create?)
      # return a response
        # set_response_error_status(status)
        # return_response("response body") 
      # set flash error and redirect
        # set_redirect_error_flash "Not admin"
        # redirect '/some/path'
    end
  end

Note that this uses before_create_account_route so that this happens before Rodauth tries to handle the request. No point in processing the params if you aren't going to allow the request anyway.

[janko]

The #authorize method raises a Pundit::NotAuthorizedError that application code is expected to rescue. You should be able to integrate Pundit as follows:

class RodauthMain < Rodauth::Auth
  include Pundit::Authorization # this is what gets included into Rails controllers

  configure do
    before_create_account do
      authorize(:account_management, :create?)
    end
  end

  private

  def authorize(...)
    super
  rescue Pundit::NotAuthorizedError
    set_redirect_error_flash "Not authorized for this action"
    redirect default_redirect
  end

  def pundit_user
    account! # or `rails_account` if you're using rodauth-rails
  end
end

[rennel-tenten]

Thanks for your advice @janko . I was able to integrate pundit using your sample code as a reference. I did run into some errors when I tried to call authorize from within before_create_account.
Based on my investigation this was caused by rails_account being nil during that time. I was able to get around this by calling authorize from within before_create_account_route instead. In that context rails_account had the value of the logged in user as I expected.

If anyone else wants to do something similar, you may want to follow the same pattern and call authorize from within before_xxx_route. As for why rails_account was nil within the context of before_create_account, I am not quite sure. I’d appreciate if anyone could chime in and help me understand that behavior actually.

[janko]

Yeah, that makes sense. In the before_create_account hook, account/rails_account will contain to the account about to be created, not the account that's currently logged in. I would expect rails_account.id to return nil, though, not that rails_account would be nil.

I originally thought the create_account feature assumes a user is creating their own account (so they're not logged in), but I suppose it supports an admin creating an account as well, as long as create_account_autologin? is set to false.