pundit rails 5 can't enforce create method restrictions

manpreet Best Answer 3 years ago

everytime I submit a form here (that I scaffolded) localhost:3000/syllabus_requests/new

The rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized from my ApplicationController.rb file gets raised and I'm not sure why because in the policy class I have a create? method and it returns true

i'm using ruby '2.3.1' gem 'rails', '~> 5.0.0', '>= 5.0.0.1' gem 'pundit', '~> 1.1'

I have a policy

class SyllabusRequestPolicy < ApplicationPolicy
  attr_reader :current_user, :model

  def initialize(current_user, model)
    @current_user = current_user || User.new
    @model = model #this is the syllabus_request record from the syllabus_requests table as a rails model object
  end

  def index?
    @current_user.role == "admin"
  end

  def show?
    @current_user.role == "admin" 
  end

  def create?
    true
  end

  def edit?
    @current_user.role == "admin"
  end

  def update?
    @current_user.role == "admin"
  end

  def destroy?
    @current_user.role == "admin"
  end

end

I have a controller

class SyllabusRequestsController < ApplicationController
  before_action :set_syllabus_request, only: [:show, :edit, :update, :destroy]

  # GET /syllabus_requests
  # GET /syllabus_requests.json
  def index
    @syllabus_requests = SyllabusRequest.all
    authorize @syllabus_requests
  end

  # GET /syllabus_requests/1
  # GET /syllabus_requests/1.json
  def show
    authorize @syllabus_request
  end

  # GET /syllabus_requests/new
  def new
    @syllabus_request = SyllabusRequest.new
    authorize @syllabus_request
  end

  # GET /syllabus_requests/1/edit
  def edit
    authorize @syllabus_request
  end

  # POST /syllabus_requests
  # POST /syllabus_requests.json
  def create
    @syllabus_request = SyllabusRequest.new(syllabus_request_params)
    authorize @syllabus_request

    respond_to do |format|
      if @syllabus_request.save
        format.html { redirect_to @syllabus_request, notice: 'Syllabus request was successfully created.' }
        format.json { render :show, status: :created, location: @syllabus_request }
      else
        format.html { render :new }
        format.json { render json: @syllabus_request.errors, status: :unprocessable_entity }
      end
    end
  end

  # PATCH/PUT /syllabus_requests/1
  # PATCH/PUT /syllabus_requests/1.json
  def update
    authorize @syllabus_request

    respond_to do |
                                                

                                                                                                        
                                                    
                                                
                                                

                                                    

                                                        
                                                            0
                                                            views 

                                                            0
                                                                likes 
                                                            
                                                            

                                                            0
                                                            shares
                                                            


    

         Facebook
        
         Twitter
        
        
         Linked In 
        
          WhatsApp