Authorizing resources using user's account with Pundit

How can I go about including the user's account (that they are currently using / signed in as) with Pundit? I have the default multitenancy setup.

For example, I have my project set up where Account has_one Company (and each Company belongs_to Account). The user has a personal account, and any subsequent accounts they have would mean that those accounts are companies.

Each Company can create many products.

On the Product actions, for example, edit, I want to authorize the Product via the ProductPolicy in a way similar to this: user.present? && current_account != user.personal? && record.company_id == current_account.company.id

I'm not sure if this is the best way to structure things, but it's working decently so far. Anyone know how to make it so that I can do this within the ProductPolicy?

Also, I came across this in the ReadMe: https://github.com/varvet/pundit#additional-context. Not sure if this is actually possible or not.

Thanks!
Alisson Viegas
Hi. I'm interested in that. Did you get a solution?
Nicolas Metzger
Hi, I included the account model in Pundit and it is working fine for me with the additional context:

class UserContext
  attr_reader :user, :account

  def initialize(user, account)
    @user = user
    @account = account
  end
end

class ApplicationPolicy
  attr_reader :user, :account, :record

  def initialize(user_context, record)
    @user = user_context.user
    @account = user_context.account
    @record = record
  end
end

class ApplicationController < ActionController::Base
  protect_from_forgery with: :exception

  include Pundit

  protected

  def pundit_user
    UserContext.new(current_user, current_account)
  end
end

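As an added example (not code from the thread or from Pundit), here is a ProductPolicy built on top of Nicolas's UserContext that encodes the rule from the original question. The Rails models and the Pundit gem are replaced by plain Ruby stand-ins so it runs on its own, and the sample users, accounts and product are constructed for the demonstration.

```ruby
# Added example: ProductPolicy using the UserContext "additional context"
# pattern from this thread. Plain Ruby Structs stand in for the Rails
# models (User, Company, Account, Product) and no Pundit gem is required;
# the policy methods are named exactly as Pundit would call them.
User    = Struct.new(:id)
Company = Struct.new(:id)
Account = Struct.new(:id, :personal, :company) # personal: true => user's own account
Product = Struct.new(:id, :company_id)

# pundit_user returns this object instead of current_user, so every
# policy sees both the signed-in user and the account they are acting as.
class UserContext
  attr_reader :user, :account
  def initialize(user, account)
    @user = user
    @account = account
  end
end

class ApplicationPolicy
  attr_reader :user, :account, :record
  def initialize(user_context, record)
    @user = user_context.user
    @account = user_context.account
    @record = record
  end
end

class ProductPolicy < ApplicationPolicy
  # Allowed only when a user is signed in, the current account is a
  # company account (not the personal one), and the product belongs to
  # that account's company. Every other case, including nils, denies.
  def edit?
    return false if user.nil? || account.nil? || account.personal
    company = account.company
    !company.nil? && record.company_id == company.id
  end
  alias update? edit?
end

# Constructed sample data (not from the thread)
ALICE    = User.new(1)
PERSONAL = Account.new(10, true, nil)
ACME     = Account.new(11, false, Company.new(100))
OTHER    = Account.new(12, false, Company.new(200))
WIDGET   = Product.new(5, 100) # belongs to ACME's company

def can_edit?(user, account, product)
  ProductPolicy.new(UserContext.new(user, account), product).edit?
end
```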
Alisson Viegas
Nice. I will try.
Thanks ;)
Jason Ackerman
Nicolas Metzger this was super helpful and saved me a ton of time, thank you!