Need help decoupling a policy from a controller

[ganchdev]

Hey, I recently came across this gem and I would want to integrate it in an application I'm currently working on, however, I am struggling to port some of the logic that's present in my controllers.

Say I've got a controller named ObjectsController, this controller locates/fetches an object in a before_action callback:
before_action :set_object, except: [:index, :destroy]

However, this set_object method calls a method that's included from a concern module, the set_object method looks like that:

  def set_object
    @object = find_permitted_object_by_ref(params[:object_id])
  end

The concern is really simple and it's worth mentioning that more than one controller include it:

# frozen_string_literal: true

module ObjectPermissions
  extend ActiveSupport::Concern

  class AccessDenied < StandardError; end

  included do
    rescue_from AccessDenied, with: :handle_object_access_denied
  end

  def find_permitted_object_by_ref(reference)
    object = Current.account.objects.find_by(reference: reference)
    unless object&.can_be_accessed_by?(Current.user)
      raise AccessDenied, "You do not have permission to access this object because it is "\
                          "assigned to the #{object.relation.name}, which you do not belong to."
    end

    object
  end

  def handle_object_access_denied(error)
    redirect_to objects_path(view: params[:view]), alert: error.message
  end
end

The bit I'm struggling with the most is error handling, I can see that we can rescue ActionPolicy::Unauthorized and handle exceptions accordingly but I'm more or less rewriting the same logic in a similar concern, I just don't understand how to handle different errors that require some action, in my specific case above I need to redirect to a path. I don't want to return back to the policy on errors and call a method in there as it really breaks the rule for separation of concerns, i.e. policies shouldn't know about controllers, any help/directions appreciated! I can post what I came up with but in my opinion it's far from ideal and introduces a lot more complexity than just that simple concern above. Thanks!

[palkan]

policies shouldn't know about controllers

Agree.

I just don't understand how to handle different errors that require some action

What do you mean by different errors? How to differentiate between Unauthorized errors from the concern and other places?

I can post what I came up with but in my opinion it's far from ideal and introduces a lot more complexity than just that simple concern above

Yeah, that would be great.

[ganchdev]

In the end I took the following approach:

# frozen_string_literal: true

class ObjectPolicy < ApplicationPolicy
  def user_can_view_object?
    return true if record&.can_be_accessed_by?(user)

    message = "You do not have permission to access this object because it is "\
              "assigned to the #{record.relation.name} team, which you do not belong to."

    deny!(details: {message: message})
  end
end

Then in my controllers I just do:

def set_object
  @object = Current.account.objects.find_by(reference: params[:object_id])
  authorize! @object, to: :user_can_view_object? # for other controllers I just add 'with: ObjectPolicy' here
rescue ActionPolicy::Unauthorized => e
  redirect_to objects_path(view: params[:view]), alert: e.result.all_details[:message]
end

Initially I wanted to handle errors outside of the #set_object method but I think rescuing these directly makes things clearer to the reader.
I hope that makes sense, any feedback appreciated!

[ganchdev]

What do you mean by different errors? How to differentiate between Unauthorized errors from the concern and other places?

Yes that was indeed my problem, I previously had something like:
deny!(details: {action: :user_can_view_ticket?, message: message}) in my policy method

And a concern that does that:

# frozen_string_literal: true

module PoliciesErrorHandler
  extend ActiveSupport::Concern

  included do
    rescue_from ActionPolicy::Unauthorized, with: :handle_unauthorized_error
  end

  def handle_unauthorized_error(error)
    details = error.result.all_details
    case details[:action]
    when :user_can_view_object?
      redirect_to objects_path(view: params[:view]), alert: details[:message]
    end
  end
end

But I did not like it because this case statement could quickly get unwieldy as I add more policies.

[palkan]

In that case, introducing a custom helper or an override would make sense. For example:

def set_object
  @object = Current.account.objects.find_by(reference: params[:object_id])
  authorize! @object, to: :user_can_view_object?, redirect_on_fail: objects_path(view: params[:view])
end

def authorize!(*args, **kwargs, redirect_on_fail: nil)
  return super(*args, **kwargs) unless redirect_on_fail
  begin
    super(*args, **kwargs)
  rescue ActionPolicy::Unauthorized => e
    redirect_to redirect_on_fail, alert: e.result.all_details[:message]
  end
end