I have a pretty standard setup: Identity::Member records are users, and each Project::Project is owned by a member. I use Devise and Pundit together for authentication and authorization.

Here's my code for Project::ProjectPolicy:
class Project::ProjectPolicy < ApplicationPolicy
  attr_reader :member, :project

  # Pundit passes (user, record); here the user is the signed-in member
  # and the record is the project being authorized.
  def initialize(member, project)
    @member = member
    @project = project
  end

  ...

  # Only the project's owner may update it.
  def update?
    member == project.member
  end

  # Editing follows the same rule as updating.
  def edit?
    update?
  end

  ...
end
And here's my edit action:

  # GET /projects/1/edit
  def edit
    # Raises Pundit::NotAuthorizedError unless ProjectPolicy#edit? returns true.
    authorize @project_project
    respond_with @project_project
  end
Lastly, the rescue setup in ApplicationController:

  rescue_from Pundit::NotAuthorizedError, with: :member_not_authorized

  def member_not_authorized
    respond_with current_member, status: :unauthorized, location: -> { root_path }
  end
But... for some reason, clicking on edit will still bring you to the edit view, although all changes are blocked and users are redirected to the root_path just as I instructed for update and destroy actions. Why?
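A stand-alone check, added here and not part of the question: a plain-Ruby stand-in for Pundit's authorize dispatch so the posted policy can be exercised without Rails, Devise or the pundit gem. The Identity::Member and Project::Project structs, the sample members and project, and the NotAuthorizedError class are constructed for this check; the ApplicationPolicy defaults mirror the ones pundit's generator produces, and the lookup (record class name plus "Policy", query method "#{action}?") follows Pundit's in outline.

```ruby
# Constructed models standing in for the Devise member and the owned project.
module Identity
  Member = Struct.new(:id, :email)
end

module Project
  # Each project carries its owning member, as in the question.
  Project = Struct.new(:id, :member)
end

# Stand-in for Pundit::NotAuthorizedError (constructed for this check).
class NotAuthorizedError < StandardError; end

# Mirrors pundit's generated ApplicationPolicy: deny everything unless a
# subclass opens it up.
class ApplicationPolicy
  attr_reader :member, :record

  def initialize(member, record)
    @member = member
    @record = record
  end

  def show?;    false;   end
  def create?;  false;   end
  def update?;  false;   end
  def edit?;    update?; end
  def destroy?; false;   end
end

# The policy from the question, as posted (elided parts inherit the defaults).
class Project::ProjectPolicy < ApplicationPolicy
  attr_reader :member, :project

  def initialize(member, project)
    @member = member
    @project = project
  end

  def update?
    member == project.member
  end

  def edit?
    update?
  end
end

# Same outline as Pundit#authorize: policy class is "<record class>Policy",
# query is "<action>?", and anything other than a truthy result raises.
def authorize(member, record, action)
  policy_class = Object.const_get("#{record.class.name}Policy")
  query = "#{action}?"
  unless policy_class.new(member, record).public_send(query)
    raise NotAuthorizedError, "#{query} denied for #{record.class.name}"
  end
  record
end

# Decision table for one member across the actions the question compares.
def decisions(member, record, actions = %i[edit update])
  actions.to_h do |action|
    verdict = begin
      authorize(member, record, action)
      :allowed
    rescue NotAuthorizedError
      :denied
    end
    [action, verdict]
  end
end

if __FILE__ == $PROGRAM_NAME
  owner   = Identity::Member.new(1, "owner@example.com")
  visitor = Identity::Member.new(2, "visitor@example.com")
  project = Project::Project.new(10, owner)
  puts "owner:   #{decisions(owner, project)}"
  puts "visitor: #{decisions(visitor, project)}"
end
```

If the owner row comes out allowed and the visitor row denied for both actions, the policy treats edit exactly as it treats update, so the difference in behaviour has to come from what the controller does after authorize raises (the rescue handler and its respond_with call), not from the policy itself.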