Upgrading Pundit 2.1.0 to Pundit 2.3.1 - breaking changes

[jgarner828]

Hello! I've recently taken on a major version upgrade of my orgs Rails service. We have upgraded Rails from version 3 to version 6, but the newest version has introduced a breaking change in our authorization. The version upgrade has changed Pundit from 2.1.0 which was stable and working in the service to 2.3.1, and now everything is returning a 403 unauthorized error on the service.

First tests required a change in the ApplicationController to move to include Pundit::Authorization, which was a change I made. Nothing else has been modified in my Policy files, and I am not sure what is now broken in my API calls to this service.

I am not sure how to best track down what is going wrong with my Authorization. Also, I cannot find a list of the helper methods provided by Pundit.

Is there a way to handle this without rewriting a few dozen policies?

[Burgestrand]

Hi!

First and foremost, have a look at the CHANGELOG to get a comprehensive list of changes between 2.1 and 2.3. Whatever incompatibility you're running into is probably listed there.

Something that would help:

• Which version of Ruby are you using?
• What's the underlying reason that you're receiving a 403?
• What does your automated tests say?

Other notes:

• The most recent release is v2.3.2.
• All methods exposed by Pundit in your controller are in Pundit::Authorization.
• All changes since were intended to be backwards-compatible, but some applications do override the pundit methods while still relying on pundit internals. I would take a hard look at any overrides as my second stop, after reading the CHANGELOG.

Final FYI:

• It turned out some applications relied on authorize to call policy, and so they overwrote policy and left authorize untouched. This is worth looking at in your own application, see e.g. Overriding both authorize and policy is required for namespacing #723
• '.authorize' and '#authorize' return record even with passed record with namespace array #626 changed behaviour which was seen as a bug, but might break existing code. This is also written in the CHANGELOG.
• While I don't think this is your issue because the change is which is error is raised, the discussion in Strip namespace when using policy_class #697 might also be worth looking at: https://github.com/varvet/pundit/pull/697/files#r835656389

[Burgestrand]

Looking at your stack trace, I believe you might want to take a look at app/lib/portal_policy_document.rb:55 in #get_portal_version_key. I'm guessing you're getting a 403 forbidden from the external API call you're doing.

I believe you're correct in your suspicion that current_user isn't being set correctly 😊