Class: RuboCop::Cop::Guardrails::NoInlineAuthorization

Inherits:
Base
  • Object
Includes:
VisibilityHelpers
Defined in:
lib/rubocop/cop/guardrails/no_inline_authorization.rb

Overview

Flags inline authorization checks in controller actions.

Authorization responses like `head :forbidden`, `head :unauthorized`, or `render status: :forbidden` should live in a `before_action` callback, not inline in an action method. This keeps actions focused on the happy path.

Examples:

# bad
def destroy
  # NOTE: `head` only sets the response; it does not return from the action.
  # Without an explicit `return`, the line below still runs when the check fails.
  head :forbidden unless Current.user.can_administer?(@card)
  @card.destroy!
end

# bad
def destroy
  # NOTE: `render` does not halt the action either; `@card.destroy!` still
  # executes on a failed check unless the method returns explicitly.
  render status: :forbidden unless Current.user.can_administer?(@card)
  @card.destroy!
end

# good — extract to a before_action
# Scoped to `destroy` only; a callback that renders halts the chain, so the
# action body never runs for a caller who fails the check.
before_action :ensure_can_administer_card, only: :destroy

def destroy
  # Authorization is enforced by the `before_action` declared above.
  @card.destroy!
end

private

# Responds 403 when the current user cannot administer the card. Because this
# runs as a `before_action`, the rendered response halts the callback chain.
def ensure_can_administer_card
  head :forbidden unless Current.user.can_administer?(@card)
end

Constant Summary

# Offense message attached to every flagged call.
MSG =
'Extract authorization to a `before_action` callback.'
# Only `head` and `render` sends are routed to #on_send.
RESTRICT_ON_SEND =
%i[head render].freeze
# Status symbols that are treated as an authorization response.
AUTHORIZATION_STATUSES =
%i[forbidden unauthorized].to_set.freeze

Instance Method Summary

Instance Method Details

#on_send(node) ⇒ Object Also known as: on_csend



# File 'lib/rubocop/cop/guardrails/no_inline_authorization.rb', line 48

# Reports a `head`/`render` call that looks like an authorization response
# when it sits directly in a public (action) method body.
#
# @param node [RuboCop::AST::SendNode] the `head` or `render` call
# @return [void]
def on_send(node)
  return unless authorization_response?(node)
  return unless in_public_method?(node)

  add_offense(node)
end