action_policy

Authorization framework for Ruby/Rails applications

934
69
Ruby

Gem Version
Build
JRuby Build
Documentation
Coverage Status

Action Policy

Authorization framework for Ruby and Rails applications.

Composable. Extensible. Performant.

đź“‘ Documentation

Sponsored by Evil Martians

Resources

  • RubyRussia, 2019 “Welcome, or access denied?” talk (video [RU], slides)

  • Seattle.rb, 2019 “A Denial!” talk (slides)

  • RailsConf, 2018 “Access Denied” talk (video, slides)

Integrations

Installation

Add this line to your application’s Gemfile:

gem "action_policy"

And then execute:

bundle install

Usage

Action Policy relies on resource-specific policy classes (just like Pundit).

First, add an application-specific ApplicationPolicy with some global configuration to inherit from:

class ApplicationPolicy < ActionPolicy::Base
end

This may be done with rails generate action_policy:install generator.

Then write a policy for a resource. For example:

class PostPolicy < ApplicationPolicy
  # everyone can see any post
  def show?
    true
  end

  def update?
    # `user` is a performing subject,
    # `record` is a target object (post we want to update)
    user.admin? || (user.id == record.user_id)
  end
end

This may be done with rails generate action_policy:policy Post generator.
You can also use rails generate action_policy:policy Post --parent=BasePolicy to make the generated policy inherits
from BasePolicy.

Now you can easily add authorization to your Rails* controller:

class PostsController < ApplicationController
  def update
    @post = Post.find(params[:id])
    authorize! @post

    if @post.update(post_params)
      redirect_to @post
    else
      render :edit
    end
  end
end

* See Non-Rails Usage on how to add authorize! to any Ruby project.

When authorization is successful (i.e., the corresponding rule returns true), nothing happens, but in case of authorization failure ActionPolicy::Unauthorized error is raised.

There is also an allowed_to? method which returns true or false, and could be used, in views, for example:

<% @posts.each do |post| %>
  <li><%= post.title %>
    <% if allowed_to?(:edit?, post) %>
      <%= link_to post, "Edit">
    <% end %>
  </li>
<% end %>

Read more in our Documentation.

Alternatives

There are many authorization libraries for Ruby/Rails applications.

What makes Action Policy different? See this section in our docs.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/palkan/action_policy.

License

The gem is available as open source under the terms of the MIT License.