• Stars
    star
    1,404
  • Rank 33,490 (Top 0.7 %)
  • Language
    Ruby
  • License
    MIT License
  • Created over 6 years ago
  • Updated about 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Authorization framework for Ruby/Rails applications

Gem Version Build JRuby Build Documentation Coverage Status

Action Policy

Authorization framework for Ruby and Rails applications.

Composable. Extensible. Performant.

📑 Documentation

Sponsored by Evil Martians

Resources

  • RubyRussia, 2019 "Welcome, or access denied?" talk (video [RU], slides)

  • Seattle.rb, 2019 "A Denial!" talk (slides)

  • RailsConf, 2018 "Access Denied" talk (video, slides)

Integrations

Installation

Add this line to your application's Gemfile:

gem "action_policy"

And then execute:

bundle install

Usage

Action Policy relies on resource-specific policy classes (just like Pundit).

First, add an application-specific ApplicationPolicy with some global configuration to inherit from:

class ApplicationPolicy < ActionPolicy::Base
end

This may be done with rails generate action_policy:install generator.

Then write a policy for a resource. For example:

class PostPolicy < ApplicationPolicy
  # everyone can see any post
  def show?
    true
  end

  def update?
    # `user` is a performing subject,
    # `record` is a target object (post we want to update)
    user.admin? || (user.id == record.user_id)
  end
end

This may be done with rails generate action_policy:policy Post generator. You can also use rails generate action_policy:policy Post --parent=BasePolicy to make the generated policy inherits from BasePolicy.

Now you can easily add authorization to your Rails* controller:

class PostsController < ApplicationController
  def update
    @post = Post.find(params[:id])
    authorize! @post

    if @post.update(post_params)
      redirect_to @post
    else
      render :edit
    end
  end
end

* See Non-Rails Usage on how to add authorize! to any Ruby project.

When authorization is successful (i.e., the corresponding rule returns true), nothing happens, but in case of authorization failure ActionPolicy::Unauthorized error is raised.

There is also an allowed_to? method which returns true or false, and could be used, in views, for example:

<% @posts.each do |post| %>
  <li><%= post.title %>
    <% if allowed_to?(:edit?, post) %>
      <%= link_to post, "Edit">
    <% end %>
  </li>
<% end %>

Read more in our Documentation.

Alternatives

There are many authorization libraries for Ruby/Rails applications.

What makes Action Policy different? See this section in our docs.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/palkan/action_policy.

License

The gem is available as open source under the terms of the MIT License.

More Repositories

1

logidze

Database changes log for Rails
Ruby
1,596
star
2

isolator

Detect non-atomic interactions within DB transactions
Ruby
850
star
3

anyway_config

Configuration library for Ruby gems and applications
Ruby
735
star
4

active_delivery

Ruby framework for keeping all types of notifications (mailers, push notifications, whatever) in one place
Ruby
595
star
5

n_plus_one_control

RSpec and Minitest matchers to prevent N+1 queries problem
Ruby
556
star
6

store_attribute

ActiveRecord extension which adds typecasting to store accessors
Ruby
376
star
7

view_component-contrib

A collection of extension and developer tools for ViewComponent
Ruby
345
star
8

litecable

Lightweight Action Cable implementation (Rails-free)
Ruby
298
star
9

acli

Action Cable command-line client
Ruby
230
star
10

action-cable-testing

Action Cable testing utils
Ruby
212
star
11

rubanok

Parameters-based transformation DSL
Ruby
205
star
12

active_event_store

Rails Event Store in a more Rails way
Ruby
180
star
13

action_policy-graphql

Action Policy integration for GraphQL
Ruby
151
star
14

engems

Rails component-based architecture on top of engines and gems (showroom)
Ruby
136
star
15

influxer

InfluxDB ActiveRecord-style
Ruby
118
star
16

abstract_notifier

ActionMailer-like interface for any type of notifications
Ruby
116
star
17

turbo-music-drive

Exploring Turbo future features while building a music library app
Ruby
102
star
18

wsdirector

All the world's a server, and all the men and women merely clients
Ruby
102
star
19

gem-check

GemCheck: Writing Better Ruby Gems Checklist
CSS
95
star
20

pgrel

ActiveRecord extension for querying hstore and jsonb
Ruby
93
star
21

rbytes

Ruby Bytes helps you build, deploy and install Ruby and Rails application templates
Ruby
68
star
22

faqueue

Researching background jobs fairness
Ruby
66
star
23

downstream

Straightforward way to implement communication between Rails Engines using the Publish-Subscribe pattern.
Ruby
51
star
24

newgem

Custom script to generate new gems
Ruby
35
star
25

turbo-view-transitions

View Transitions API for Turbo
TypeScript
33
star
26

influx_udp

Erlang InfluxDB UDP writer
Erlang
31
star
27

ruby-dip

Docker-based development environment for hacking Ruby MRI
Dockerfile
30
star
28

erlgrpc

GRPC client for Erlang
Erlang
25
star
29

as3_p2plocal

as3 lib for local p2p connections (serverless rtmfp)
ActionScript
25
star
30

rails-intest-views

Generate view templates dynamically in Rails tests
Ruby
21
star
31

docsify-namespaced

Docsify plugin to work with namespaces
JavaScript
12
star
32

sharelatex-vagrant-ansible

Vagrant + Ansible configuration for ShareLatex
Shell
12
star
33

slog-spy

Slog handler to temporary deliver formatted verbose logs to an arbitrary target
Go
12
star
34

docs-example

Playground for dealing with documentation engines
7
star
35

ruby-russia-2020

RubyRussia 2020 "Frontendless Rails" workshop demo app
Ruby
6
star
36

engine-cable-app

Experimenting with Action Cable and engines
Ruby
6
star
37

rails-on-wasm-playground

A minimal Rails app to showcase Rails on Wasm features
Ruby
5
star
38

palkan

It's me
4
star
39

ruby-compatibility-examples

Collections of reproduction cases for TruffleRuby vs. MRI (in)compatibility
Ruby
3
star
40

erffmpeg

Erlang wrapper for some ffmpeg
C
3
star
41

th-dummy

TH Dummy
Ruby
2
star
42

ulitos

Erlang utils modules
Erlang
2
star
43

meetings

Good old Teachbase Meetings client
ActionScript
2
star
44

rebar_templates

Custom rebar templates
Erlang
1
star
45

macos-setup

Shell
1
star
46

bitrix-orm

Bitrix kinda ORM for IBlockElements and CUser.
PHP
1
star
47

anycable-elements

Web Components for AnyCable console
JavaScript
1
star
48

adventofcode2018

https://adventofcode.com
Rust
1
star
49

tb_utils

ActionScript 3 library
ActionScript
1
star