CHANGELOG.md

Pundit

Unreleased

• Add support for params.expect using expected_parameters and expected_parameters_for. #855

Fixed

• Update for rspec 4 breaking changes #873

2.5.2 (2025-09-24)

Fixed

• Added config/rubocop-rspec.yml back from accidentally being excluded #866

2.5.1 (2025-09-12)

Fixed

• Requiring only pundit/rspec no longer raises an error in Active Support #857

2.5.0 (2025-03-03)

Added

• Add Pundit::Authorization#pundit_reset! hook to reset the policy and policy scope cache. #830
• Add links to gemspec. #845
• Register policies directories for Rails 8 code statistics #833
• Added an example for how to use pundit with Rails 8 authentication generator #850

Changed

• Deprecated Pundit::SUFFIX, moved it to Pundit::PolicyFinder::SUFFIX #835
• Explicitly require less of active_support #837
• Using permit matcher without a surrouding permissions block now raises a useful error. #836

Fixed

• Using a hash as custom cache in Pundit.authorize now works as documented. #838

2.4.0 (2024-08-26)

Changed

• Improve the NotAuthorizedError message to include the policy class. Furthermore, in the case where the record passed is a class instead of an instance, the class name is given. #812

Added

• Add customizable permit matcher description #806
• Add support for filter_run_when_matching :focus with permissions helper. #820

2.3.2 (2024-05-08)

• Refactor: First pass of Pundit::Context #797

Changed

• Update ApplicationPolicy generator to qualify the Scope class name #792
• Policy generator uses NoMethodError to indicate #resolve is not implemented #776

Deprecated

• Dropped support for Ruby 3.0 #796

2.3.1 (2023-07-17)

Fixed

• Use Kernel.warn instead of ActiveSupport::Deprecation.warn for deprecations #764
• Policy generator now works on Ruby 3.2 #754

2.3.0 (2022-12-19)

Added

• add support for rubocop-rspec syntax extensions #745

2.2.0 (2022-02-11)

Fixed

• Using policy_class and a namespaced record now passes only the record when instantiating the policy. (#697, #689, #694, #666)

Changed

• Require users to explicitly define Scope#resolve in generated policies (#711, #722)

Deprecated

• Deprecate include Pundit in favor of include Pundit::Authorization #621

2.1.1 (2021-08-13)

Friday 13th-release!

Careful! The bugfix below #626 could break existing code. If you rely on the return value for authorize and namespaced policies you might need to do some changes.

Fixed

• .authorize and #authorize return the instance, even for namespaced policies #626

Changed

• Generate application scope with protected attr_readers. #616

Removed

• Dropped support for Ruby end-of-life versions: 2.1 and 2.2. #604
• Dropped support for Ruby end-of-life versions: 2.3 #633
• Dropped support for Ruby end-of-life versions: 2.4, 2.5 and JRuby 9.1 #676
• Dropped support for RSpec 2 #615

2.1.0 (2019-08-14)

Fixed

• Avoid name clashes with the Error class. #590

Changed

• Return a safer default NotAuthorizedError message. #583

2.0.1 (2019-01-18)

Breaking changes

None

Other changes

• Improve exception handling for #policy_scope and #policy_scope!. #550
• Add :policy metadata to RSpec template. #566

2.0.0 (2018-07-21)

No changes since beta1

2.0.0.beta1 (2018-07-04)

Breaking changes

• Only pass last element of "namespace array" to policy and scope. #529
• Raise InvalidConstructorError if a policy or policy scope with an invalid constructor is called. #462
• Return passed object from #authorize method to make chaining possible. #385

Other changes

• Add policy_class option to authorize to be able to override the policy. #441

• Add policy_scope_class option to authorize to be able to override the policy scope. #441

• Fix param_key issue when passed an array. #529

• Allow specification of a NilClassPolicy. #525

• Make sure policy_class override is called when passed an array. #475

• Use action_name instead of params[:action]. #419

• Add pundit_params_for method to make it easy to customize params fetching. #502

1.1.0 (2016-01-14)

• Can retrieve policies via an array of symbols/objects.
• Add autodetection of param key to permitted_attributes helper.
• Hide some methods which should not be actions.
• Permitted attributes should be expanded.
• Generator uses RSpec.describe according to modern best practices.

1.0.1 (2015-05-27)

• Fixed a regression where NotAuthorizedError could not be ininitialized with a string.
• Use camelize instead of classify for symbol policies to prevent weird pluralizations.

1.0.0 (2015-04-19)

• Caches policy scopes and policies.
• Explicitly setting the policy for the controller via controller.policy = foo has been removed. Instead use controller.policies[record] = foo.
• Explicitly setting the policy scope for the controller via controller.policy_policy = foo has been removed. Instead use controller.policy_scopes[scope] = foo.
• Add permitted_attributes helper to fetch attributes from policy.
• Add pundit_policy_authorized? and pundit_policy_scoped? methods.
• Instance variables are prefixed to avoid collisions.
• Add Pundit.authorize method.
• Add skip_authorization and skip_policy_scope helpers.
• Better errors when checking multiple permissions in RSpec tests.
• Better errors in case nil is passed to policy or policy_scope.
• Use inspect when printing object for better errors.
• Dropped official support for Ruby 1.9.3

0.3.0 (2014-08-22)

• Extend the default ApplicationPolicy with an ApplicationPolicy::Scope #120
• Fix RSpec 3 deprecation warnings for built-in matchers #162
• Generate blank policy spec/test files for Rspec/MiniTest/Test::Unit in Rails #138

0.2.3 (2014-04-06)

• Customizable error messages: #query, #record and #policy methods on Pundit::NotAuthorizedError #114
• Raise a different Pundit::AuthorizationNotPerformedError when authorize call is expected in controller action but missing #109
• Update Rspec matchers for Rspec 3 #124

0.2.2 (2014-02-07)

• Customize the user to be passed into policies: pundit_user #42