Remove pundit and related code from Rails

o19s · Jan 18, 2025 · 674735c · 674735c
1 parent cec3c2a
commit 674735c
Show file tree

Hide file tree

Showing 25 changed files with 22 additions and 897 deletions.
diff --git a/Gemfile b/Gemfile
@@ -41,7 +41,6 @@ gem 'omniauth-rails_csrf_protection'
 gem 'postmark-rails'
 gem 'prophet-rb', '~> 0.5.3'
 gem 'puma'
-gem 'pundit'
 gem 'rails', '8.0.1'
 gem 'rails-html-sanitizer'
 gem 'rack-cors', '~> 2.0'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -362,8 +362,6 @@ GEM
     public_suffix (6.0.1)
     puma (6.5.0)
       nio4r (~> 2.0)
-    pundit (2.4.0)
-      activesupport (>= 3.0.0)
     raabro (1.4.0)
     racc (1.8.1)
     rack (3.1.8)
@@ -591,7 +589,6 @@ DEPENDENCIES
   postmark-rails
   prophet-rb (~> 0.5.3)
   puma
-  pundit
   rack-cors (~> 2.0)
   rails (= 8.0.1)
   rails-controller-testing

diff --git a/app/controllers/api/api_controller.rb b/app/controllers/api/api_controller.rb
@@ -5,7 +5,6 @@
 # rubocop:disable Rails/ApplicationController
 module Api
   class ApiController < ActionController::Base
-    include Pundit::Authorization
     include Authentication::CurrentUserManager
     include Authentication::CurrentCaseManager
     include Authentication::CurrentQueryManager

diff --git a/app/controllers/api/v1/current_user_controller.rb b/app/controllers/api/v1/current_user_controller.rb
@@ -4,7 +4,6 @@ module Api
   module V1
     class CurrentUserController < Api::ApiController
       def show
-        @permissions = PermissionsEvaluator.new(current_user).run
         @user = current_user
 
         respond_with @user

diff --git a/app/controllers/api/v1/scorers_controller.rb b/app/controllers/api/v1/scorers_controller.rb
@@ -50,12 +50,7 @@ def create
 
       # rubocop:disable Metrics/MethodLength
       def update
-        # this method could be used instead of the below @scorer.owner == current_user logic
-        # authorize @scorer, :update_communal?
-
-        # the policy() call is provided by Pundit and leverages the Permissions data structures.
-        # using this check instead of the authorize because it raises an exception.
-        unless @scorer.owner == current_user || (@scorer.communal && policy(@scorer).update_communal?)
+        unless @scorer.owner == current_user || (@scorer.communal && current_user.administrator?)
           render(
             json:   {
               error: 'Cannot edit a scorer you do not own',

diff --git a/app/models/concerns/permissible.rb b/app/models/concerns/permissible.rb
diff --git a/app/models/permission.rb b/app/models/permission.rb
diff --git a/app/models/user.rb b/app/models/user.rb
@@ -104,9 +104,6 @@ class User < ApplicationRecord
            through: :teams,
            source:  :scorers
 
-  has_many :permissions,
-           dependent: :destroy
-
   has_many :scores,
            dependent: :destroy
 
@@ -210,7 +207,6 @@ def store_raw_invitation_token
   # END devise hacks
 
   # Concerns
-  include Permissible
   include Profile
 
   # Scopes