Rails: Check Pundit authorization in RSpec

Pundit provides two helper methods to help you ensure that actions are authorized and scoped: verify_authorized and verify_policy_scoped. They are meant to be used in an after_action hook.

As the check is made after the action, I see no point in using it in production, so I use it in RSpec:

# rails_helper.rb
# ...
config.before(:suite) do
  FactoryBot.create :user, :known
  # Every action except index must have called `authorize`
  ApplicationController.send(:after_action, :verify_authorized, {except: [:index]})
  # index must have called `policy_scope`
  ApplicationController.send(:after_action, :verify_policy_scoped, {only: [:index]})
end
# ...

This way, it's still checked during all the tests using controllers.
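
An added example, not part of the original post and not Pundit's code: a plain-Ruby model of the two after_action checks, with the same only/except filters as the rails_helper.rb lines above. ModelController, the two error classes and outcome are hypothetical stand-ins; the model shows that a forgotten authorize call is reported only after the action body has already run.

```ruby
# Plain-Ruby model (no Rails, no Pundit gem); every name here is a hypothetical stand-in.
class AuthorizationNotPerformed < StandardError; end
class ScopingNotPerformed < StandardError; end

class ModelController
  # [hook, only, except], mirroring the two after_action lines in rails_helper.rb
  AFTER_ACTIONS = [
    [:verify_authorized,    nil,      [:index]],
    [:verify_policy_scoped, [:index], nil]
  ].freeze
  attr_reader :side_effects

  def initialize
    @side_effects = []
  end

  # Runs the action body first, then every hook that applies to it.
  def process(action)
    @authorized = @scoped = false
    public_send(action)
    AFTER_ACTIONS.each do |hook, only, except|
      next if only && !only.include?(action)
      next if except&.include?(action)
      send(hook)
    end
    :ok
  end

  def index;   policy_scope; end                       # scoped, passes
  def show;    authorize; end                          # authorized, passes
  def destroy; @side_effects << :record_deleted; end   # authorize call forgotten

  private

  def authorize;    @authorized = true; end
  def policy_scope; @scoped = true; end
  def verify_authorized;    raise AuthorizationNotPerformed unless @authorized; end
  def verify_policy_scoped; raise ScopingNotPerformed unless @scoped; end
end

# What a spec would observe for one action: [result or error class, side effects].
def outcome(action)
  controller = ModelController.new
  [controller.process(action), controller.side_effects]
rescue StandardError => e
  [e.class, controller.side_effects]
end
```

In this model, outcome(:destroy) returns the error class together with the :record_deleted side effect, so the failure surfaces in the spec while the write has already happened.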
