'.authorize' and '#authorize' return record even with passed record with namespace array

[QWYNG]

Hi, Thank you for the great Gem!
This is a proposal and pull request at once.
'.authorize' and '#authorize' return passed record now.

def show
  @post  = authorize Post.find(params[:id])
end

But When passing record with a namespace. return array

def show
  @post  = authorize [:admin, Post.find(params[:id])]
end

# @post is  [:admin, Post.find(params[:id])]

These methods are expected to return record not namespase array

When authorize override the helpers in AdminController to automatically apply the namespacing, This change will be very useful.

class AdminController < ApplicationController
  def authorize(record, query = nil)
    super([:admin, record], query)
  end
end

class Admin::PostController < AdminController
  def show
    post = authorize Post.find(params[:id])
    # We don't need `authorize(post)` line!
  end
end

If there is a place to fix, please let me know.
best regards.

[dgmstuart]

I'm basically in favour of this change - I have a few questions about the tests and some edge cases.

[dgmstuart]

While I think it's unlikely that anyone is relying on getting the namespace array back from the authorize method, technically this is a breaking change: I don't think there's a clear expectation set that we always return the model instance, since the README does say "authorize returns the object passed to it", which I'd argue could mean either "the instance" or "the array".

Not sure how seriously we need to take that 🤷‍♂

[QWYNG]

@dgmstuart
Thank you for your comments!
I'll fix spec!
I think that this is a breaking change too.
But I think that most users would expect the only record itself to return in this case.

[QWYNG]

@dgmstuart
Thank you for your review.
I fixed spec.
I'm really grateful as a pundit user for your interaction even with this PR doesn't marge.

[dgmstuart]

Good job with the test coverage 👍

we maybe need to tweak a couple of the tests, but this feels close.

[dgmstuart]

be feels unusual to me - would eq be more expressive/conventional?
The same for "comment" above

[QWYNG]

OK!

[dgmstuart]

This feels like quite a weak assertion - is truthiness a property we care about?

Would it be better to make this an assertion about the return value ("returns the... ") and to expect the specific value we get in this case? (is it Post?)

[QWYNG]

I see.

[QWYNG]

But we have not 'authorize can use without a particular instance' spec and 'authorize can use headless policy' spec other.
May I add it at this time?

[dgmstuart]

The thing for me is that I'm not sure what "can use" (or "can be used") is intending to test.

For me there are usually two types of test, which correspond to the two kinds of property which we care about our code having:

1. What's the return value (if we care)
2. What side effects happen (if any)

If we have one of these tests for a particular scenario/context then we're also implicitly testing that we "can use" the method in that context, since we're using the code. If we don't care about either 1 or 2, then probably the code doesn't need to exist 😉

Am I making sense, or am I missing the point?

[QWYNG]

Thanks! It became clear.
Certainly, 1 is testing that we "can use" the method.

[dgmstuart]

Cool, in that case I suggest it should be the same shape as the other specs which test a return value:
title: it "returns..." do
expectation: expect(Pundit.authorize(...).to eq(<specific value>)

[QWYNG]

Yes
I left only test a return value.

[Linuus]

I would definitely say this is a bug 🐛

[QWYNG]

@dgmstuart
Thank you for your review!
fixed again

[dgmstuart]

Ah I see - I hadn't read this correctly before. Yes, it's good to delete these specs, since they're entirely covered by the it "returns..." specs.

[dgmstuart]

Great work - let's get this merged in 👍

[QWYNG]

@dgmstuart @Linuus
I really appreciate both!
Thank you for the useful gem again!