Add support for params.expect#855
Conversation
|
This looks as one could expect (:D). I'm also wondering if this is a good time to adjust what kind of API we will permit (:D), since this is an addition we've got time to adjust the API without breaking any backwards-compatibility. Things I'm thinking of:
We're still rather light on Pundit-usage in our current projects. What about your project, do you use the action-specific |
We do, yeah. |
Well we are not using the expect at all yet as we are waiting for it to be added in Pundit, right? :) |
|
Correct, I thought the question was if we're using the existing action specific permitted attributes methods. |
|
Ah yes. Sometimes I write a bit för fort! I haven't forgotten this. Still thinking about if I want to adjust the future API now that there's a chance to do so. |
|
We use
For us that means that in most cases the methods would look like: def expected_params_for(_action)
%i[foo bar]
endThe action-specific cases would take one of two forms: # 1 Switch
def expected_params_for(action)
case action.to_sym
when :create
%i[foo bar]
when :update
[:bar, (:foo if user.admin?)].compact
else
%i[bar]
end
end
# 2 Concat
def expected_params_for(action)
params = %i[foo]
params += %i[bar baz] if action.to_sym == :create
params
endThings I'd note:
All that to say, I think I prefer copying the existing policy API ala |
|
@matthew-puku Thanks, this is great feedback! |
|
Any plans to proceed with this? Can we do anything to help? |
Yeah! I'm on a project now where I'll start using Pundit a bit more again, so that should allow me to try things out. Also christmas holidays 😄 I still have this irk that I want to finish up all issues, including the many-years old ones. 1. I do want to move the responsibility of def expected_params_for_action(_action) = expected_paramsI've considered the issue about data type and it'll semantically be whatever the framework you're using is passing, i.e. Rails' action_name. 2. I also want to move the I think it's as simple as just adding the method: def param_key(record) = policy_finder(record).param_keyFootnotes
|
a289ca9 to
79101b5
Compare
1. Public API surface is reduced compared to multiple methods.
2. We retain the flexibility of action-specific expected attributes.
If you still prefer the old style, you can implement it yourself in your policy:
```
def expected_params_for_action(action_name)
if respond_to?("expected_params")
expected_params
else
public_send("expected_params_for_#{action_name}")
end
end
```
79101b5 to
c4fbfd9
Compare
|
FYI I ended up rebasing this branch on I'll let this marinate while I go to lunch, but I intend to merge it today. I would be interested to hear your experiences if you're willing to try out running pundit from the main branch, to test expected attributes out. |
|
Thank you! While this has been merged, I'm more than happy to keep options for improving this open. Once it's finally released the API should remain stable, but until then it's a free for all. |
Fixes: #841
To do
This PR starts adding support for
params.expectin Rails which is now recommended overparams.require.permit.See: https://api.rubyonrails.org/classes/ActionController/Parameters.html#method-i-expect
I'm a bit unsure what to do with
pundit_params_forthough. It's kind of redundant... but also kind of useful as mentioned in our Readme, if you want to fetch based on another "namespace" than the default. However, for expect it would essentially just turn into a wrapper method forPolicyFinder.new(record).param_key, so you can just override theparam_keymethod on the Policy instead? 🤔