Action Policy is an authorization framework for Ruby and Rails applications.
- GraphQL Ruby (action_policy-graphql)
Add this line to your application's Gemfile:
gem "action_policy", "~> 0.3.0"
And then execute:
$ bundle
Action Policy relies on resource-specific policy classes (just like Pundit).
First, add an application-specific ApplicationPolicy with some global configuration to inherit from:
class ApplicationPolicy < ActionPolicy::Base
end
Then write a policy for a resource. For example:
class PostPolicy < ApplicationPolicy
  # everyone can see any post
  def show?
    true
  end

  def update?
    # `user` is the performing subject,
    # `record` is the target object (the post we want to update)
    user.admin? || (user.id == record.user_id)
  end
end
Now you can easily add authorization to your Rails* controller:
class PostsController < ApplicationController
  def update
    @post = Post.find(params[:id])
    # Policy class (PostPolicy) is inferred from the record, the rule
    # (`update?`) from the action name, and `user` is `current_user`.
    # Authorize before mutating anything.
    authorize! @post
    if @post.update(post_params)
      redirect_to @post
    else
      render :edit
    end
  end
end
* See Non-Rails Usage on how to add authorize! to any Ruby project.
When authorization succeeds (i.e., the corresponding rule returns true), nothing happens; when it fails, an ActionPolicy::Unauthorized error is raised. Rescue that error (for example with rescue_from in ApplicationController) and respond with 403, rather than letting it surface as an unhandled 500. Note that the check is per action: an action that never calls authorize! is not protected.
There is also an allowed_to? method which returns true or false and can be used in views, for example to decide whether to render an edit link (ActionPolicy::Base aliases edit? to update? by default, so this check exercises the rule defined above):
<% @posts.each do |post| %>
  <li><%= post.title %>
    <% if allowed_to?(:edit?, post) %>
      <%= link_to "Edit", edit_post_path(post) %>
    <% end %>
  </li>
<% end %>
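The following is an added, self-contained example (not code from the Action Policy project) that models the semantics described above so it runs without the gem installed: an ownership-based `update?` rule, the raising form (`authorize!`) used before a mutation, and the boolean form (`allowed_to?`) used to filter a view. The `ApplicationPolicy#apply`, `Authorization` module and `Unauthorized` class are stand-ins for the library's machinery, and `User`, `Post`, `update_post`, `editable_post_ids` and the sample users and posts are constructed for the example.

```ruby
# Added example (not the Action Policy gem's code): a self-contained model
# of the policy semantics so it runs without the gem installed. `apply`,
# `Authorization` and `Unauthorized` are stand-ins for the library's
# machinery; User, Post and the sample data are constructed.

# Raised when a rule denies access (mirrors ActionPolicy::Unauthorized).
class Unauthorized < StandardError
  attr_reader :policy, :rule

  def initialize(policy, rule)
    @policy = policy
    @rule = rule
    super("Not authorized: #{policy.class}##{rule}")
  end
end

# Base policy: `user` is the performing subject, `record` the target object.
class ApplicationPolicy
  attr_reader :user, :record

  def initialize(record, user:)
    @record = record
    @user = user
  end

  # Evaluate a rule by name. Only a truthy return grants access; an unknown
  # rule is a programming error and raises instead of silently allowing.
  def apply(rule)
    raise ArgumentError, "rule names end with '?': #{rule}" unless rule.to_s.end_with?("?")
    raise NoMethodError, "#{self.class} has no rule #{rule}" unless respond_to?(rule)

    public_send(rule) ? true : false
  end
end

class PostPolicy < ApplicationPolicy
  # everyone can see any post
  def show?
    true
  end

  # admins, or the author of this particular post (an object-level
  # ownership check, not only a role check)
  def update?
    user.admin? || user.id == record.user_id
  end

  # ActionPolicy::Base aliases edit? to update? by default; spelled out here.
  alias edit? update?
end

# Stand-in for the library's authorize!/allowed_to?: resolve the policy
# class from the record's class (Post -> PostPolicy) and evaluate the rule.
module Authorization
  def self.policy_for(record, user:)
    Object.const_get("#{record.class.name}Policy").new(record, user: user)
  end

  # Boolean form, as used in views to decide whether to render an Edit link.
  def self.allowed_to?(rule, record, user:)
    policy_for(record, user: user).apply(rule)
  end

  # Raising form, as used in controllers before mutating the record.
  def self.authorize!(rule, record, user:)
    policy = policy_for(record, user: user)
    raise Unauthorized.new(policy, rule) unless policy.apply(rule)

    true
  end
end

# Constructed sample models (keyword_init structs stand in for AR models).
User = Struct.new(:id, :admin, keyword_init: true) do
  def admin?
    admin
  end
end
Post = Struct.new(:id, :user_id, :title, keyword_init: true)

# Mirrors PostsController#update: authorize first, mutate only on success.
# Returns :updated or :forbidden so the outcome is checkable without Rails.
def update_post(post, user:, title:)
  Authorization.authorize!(:update?, post, user: user)
  post.title = title
  :updated
rescue Unauthorized
  :forbidden
end

# Mirrors the view loop: ids of the posts for which `user` gets an Edit link.
def editable_post_ids(posts, user:)
  posts.select { |post| Authorization.allowed_to?(:edit?, post, user: user) }.map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  admin = User.new(id: 1, admin: true)
  alice = User.new(id: 2, admin: false)
  mallory = User.new(id: 3, admin: false)
  posts = [Post.new(id: 10, user_id: alice.id, title: "hello"),
           Post.new(id: 11, user_id: admin.id, title: "notes")]

  p update_post(posts[0], user: mallory, title: "defaced") # :forbidden
  p update_post(posts[0], user: alice, title: "edited")    # :updated
  p editable_post_ids(posts, user: alice)                   # [10]
  p editable_post_ids(posts, user: admin)                   # [10, 11]
end
```

The rule is evaluated against the specific record, so a non-owner who knows another post's id is refused before the update runs; the mutation only happens after `authorize!` returns. Unknown or mis-spelled rule names raise rather than quietly returning false, which keeps a typo in a policy from masquerading as a deliberate denial.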
Read more in our Documentation.
There are many authorization libraries for Ruby/Rails applications.
What makes Action Policy different? See this section in our docs.
Bug reports and pull requests are welcome on GitHub at https://github.com/palkan/action_policy.
The gem is available as open source under the terms of the MIT License.
To report a security vulnerability, please use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.