- Add
Pundit::Authorization#pundit_reset!
hook to reset the policy and policy scope cache. (#830)
- Deprecated
Pundit::SUFFIX
, moved it toPundit::PolicyFinder::SUFFIX
(#835) - Explicitly require less of
active_support
(#837) - Using
permit
matcher without a surroudingpermissions
block now raises a useful error. (#836)
- Using a hash as custom cache in
Pundit.authorize
now works as documented. (#838)
- Improve the
NotAuthorizedError
message to include the policy class. Furthermore, in the case where the record passed is a class instead of an instance, the class name is given. (#812)
- Add customizable permit matcher description (#806)
- Add support for filter_run_when_matching :focus with permissions helper. (#820)
- Refactor: First pass of Pundit::Context (#797)
- Update
ApplicationPolicy
generator to qualify theScope
class name (#792) - Policy generator uses
NoMethodError
to indicate#resolve
is not implemented (#776)
- Dropped support for Ruby 3.0 (#796)
- Use
Kernel.warn
instead ofActiveSupport::Deprecation.warn
for deprecations (#764) - Policy generator now works on Ruby 3.2 (#754)
- add support for rubocop-rspec syntax extensions (#745)
- Using
policy_class
and a namespaced record now passes only the record when instantiating the policy. (#697, #689, #694, #666)
- Require users to explicitly define Scope#resolve in generated policies (#711, #722)
- Deprecate
include Pundit
in favor ofinclude Pundit::Authorization
(#621)
Friday 13th-release!
Careful! The bugfix below (#626) could break existing code. If you rely on the
return value for authorize
and namespaced policies you might need to do some
changes.
.authorize
and#authorize
return the instance, even for namespaced policies (#626)
- Generate application scope with
protected
attr_readers. (#616)
- Dropped support for Ruby end-of-life versions: 2.1 and 2.2. (#604)
- Dropped support for Ruby end-of-life versions: 2.3 (#633)
- Dropped support for Ruby end-of-life versions: 2.4, 2.5 and JRuby 9.1 (#676)
- Dropped support for RSpec 2 (#615)
- Avoid name clashes with the Error class. (#590)
- Return a safer default NotAuthorizedError message. (#583)
None
- Improve exception handling for
#policy_scope
and#policy_scope!
. (#550) - Add
:policy
metadata to RSpec template. (#566)
No changes since beta1
- Only pass last element of "namespace array" to policy and scope. (#529)
- Raise
InvalidConstructorError
if a policy or policy scope with an invalid constructor is called. (#462) - Return passed object from
#authorize
method to make chaining possible. (#385)
-
Add
policy_class
option toauthorize
to be able to override the policy. (#441) -
Add
policy_scope_class
option toauthorize
to be able to override the policy scope. (#441) -
Fix
param_key
issue when passed an array. (#529) -
Allow specification of a
NilClassPolicy
. (#525) -
Make sure
policy_class
override is called when passed an array. (#475) -
Use
action_name
instead ofparams[:action]
. (#419) -
Add
pundit_params_for
method to make it easy to customize params fetching. (#502)
- Can retrieve policies via an array of symbols/objects.
- Add autodetection of param key to
permitted_attributes
helper. - Hide some methods which should not be actions.
- Permitted attributes should be expanded.
- Generator uses
RSpec.describe
according to modern best practices.
- Fixed a regression where NotAuthorizedError could not be ininitialized with a string.
- Use
camelize
instead ofclassify
for symbol policies to prevent weird pluralizations.
- Caches policy scopes and policies.
- Explicitly setting the policy for the controller via
controller.policy = foo
has been removed. Instead usecontroller.policies[record] = foo
. - Explicitly setting the policy scope for the controller via
controller.policy_policy = foo
has been removed. Instead usecontroller.policy_scopes[scope] = foo
. - Add
permitted_attributes
helper to fetch attributes from policy. - Add
pundit_policy_authorized?
andpundit_policy_scoped?
methods. - Instance variables are prefixed to avoid collisions.
- Add
Pundit.authorize
method. - Add
skip_authorization
andskip_policy_scope
helpers. - Better errors when checking multiple permissions in RSpec tests.
- Better errors in case
nil
is passed topolicy
orpolicy_scope
. - Use
inspect
when printing object for better errors. - Dropped official support for Ruby 1.9.3
- Extend the default
ApplicationPolicy
with anApplicationPolicy::Scope
(#120) - Fix RSpec 3 deprecation warnings for built-in matchers (#162)
- Generate blank policy spec/test files for Rspec/MiniTest/Test::Unit in Rails (#138)
- Customizable error messages:
#query
,#record
and#policy
methods onPundit::NotAuthorizedError
(#114) - Raise a different
Pundit::AuthorizationNotPerformedError
whenauthorize
call is expected in controller action but missing (#109) - Update Rspec matchers for Rspec 3 (#124)
- Customize the user to be passed into policies:
pundit_user
(#42)