Action Policy is an authorization framework for Ruby and Rails applications.
- RailsConf, 2018 "Access Denied" talk [slides]
Add this line to your application's
And then execute:
Action Policy relies on resource-specific policy classes (just like Pundit).
First, add an application-specific
ApplicationPolicy with some global configuration to inherit from:
class ApplicationPolicy < ActionPolicy::Base end
Then write a policy for a resource. For example:
class PostPolicy < ApplicationPolicy # everyone can see any post def show? true end def update? # `user` is a performing subject, # `record` is a target object (post we want to update) user.admin? || (user.id == record.user_id) end end
Now you can easily add authorization to your Rails* controller:
class PostsController < ApplicationController def update @post = Post.find(params[:id]) authorize! @post if @post.update(post_params) redirect_to @post else render :edit end end end
* See Non-Rails Usage on how to add
authorize! to any Ruby project.
When authorization is successful (i.e., the corresponding rule returns
true), nothing happens, but in case of authorization failure
ActionPolicy::Unauthorized error is raised.
There is also an
allowed_to? method which returns
false, and could be used, in views, for example:
<% @posts.each do |post| %> <li><%= post.title %> <% if allowed_to?(:edit?, post) %> = link_to post, "Edit" <% end %> </li> <% end %>
Read more in our Documentation.
Bug reports and pull requests are welcome on GitHub at https://github.com/palkan/action_policy.
The gem is available as open source under the terms of the MIT License.