Is there an easy way to get the policy's associated class?

[keithlayne]

From looking at the source, it seems like this lookup usually goes in the other direction, i.e. class -> policy, but I probably missed something.

I was considering something like this for policies for AR models:

class ApplicationPolicy < ActionPolicy::Base
  def show? = authorized_scope(model_class.all).exists?(record.id)
end

...and then defining the scope in the policy subclasses. I've started using this kinda thing in actual policies and it seems to work well.

Part of my rationale here is that it's pretty important for the show rule to match the scope, and if/when the logic changes I've had to update both, and maintain exhaustive tests to make sure those two agree for all context/record combinations.

This technique is pretty useful even if it can't be inherited, and I have no issue with being explicit in each policy, but does my hypothetical model_class already exist somewhere?

[palkan]

but does my hypothetical model_class already exist somewhere?

Nope. The model_class depends solely on the naming convention used, so it's up to the end user; we do not enforce anything like this in the code.

Part of my rationale here is that it's pretty important for the show rule to match the scope, and if/when the logic changes I've had to update both, and maintain exhaustive tests to make sure those two agree for all context/record combinations.

Yeah, scoping-based authorization is a popular technique; however, in my experience it can lead to performance issues; in most cases, a singleton show? implementation can be much more efficient than using scopes. To keep them in sync, we can use tests (some special matcher that ensures that everything returned by the scope returns true for the corresponding rule and vice versa).