Awesome
Action Policy
<img align="right" height="150" width="129" title="Action Policy logo" src="./docs/assets/images/logo.svg">
Authorization framework for Ruby and Rails applications.
Composable. Extensible. Performant.
📑 Documentation
<a href="https://evilmartians.com/?utm_source=action_policy"> <img src="https://evilmartians.com/badges/sponsored-by-evil-martians.svg" alt="Sponsored by Evil Martians" width="236" height="54"></a>Resources
-
RubyRussia, 2019 "Welcome, or access denied?" talk (video [RU], slides)
-
Seattle.rb, 2019 "A Denial!" talk (slides)
Integrations
- GraphQL Ruby (
action_policy-graphql
) - Graphiti (JSON:API) (
action_policy-graphiti
)
Installation
Add this line to your application's Gemfile
:
gem "action_policy"
And then execute:
bundle install
Usage
Action Policy relies on resource-specific policy classes (just like Pundit).
First, add an application-specific ApplicationPolicy
with some global configuration to inherit from:
class ApplicationPolicy < ActionPolicy::Base
end
This may be done with rails generate action_policy:install
generator.
Then write a policy for a resource. For example:
class PostPolicy < ApplicationPolicy
# everyone can see any post
def show?
true
end
def update?
# `user` is a performing subject,
# `record` is a target object (post we want to update)
user.admin? || (user.id == record.user_id)
end
end
This may be done with rails generate action_policy:policy Post
generator.
You can also use rails generate action_policy:policy Post --parent=BasePolicy
to make the generated policy inherits
from BasePolicy
.
Now you can easily add authorization to your Rails* controller:
class PostsController < ApplicationController
def update
@post = Post.find(params[:id])
authorize! @post
if @post.update(post_params)
redirect_to @post
else
render :edit
end
end
end
* See Non-Rails Usage on how to add authorize!
to any Ruby project.
When authorization is successful (i.e., the corresponding rule returns true
), nothing happens, but in case of authorization failure ActionPolicy::Unauthorized
error is raised.
There is also an allowed_to?
method which returns true
or false
, and could be used, in views, for example:
<% @posts.each do |post| %>
<li><%= post.title %>
<% if allowed_to?(:edit?, post) %>
<%= link_to post, "Edit">
<% end %>
</li>
<% end %>
Read more in our Documentation.
Alternatives
There are many authorization libraries for Ruby/Rails applications.
What makes Action Policy different? See this section in our docs.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/palkan/action_policy.
License
The gem is available as open source under the terms of the MIT License.