Description
Authorization framework for Ruby and Rails applications.
Composable. Extensible. Performant.
README
Action Policy
Documentation
Resources
RubyRussia, 2019 "Welcome, or access denied?" talk (video [RU], slides)
Seattle.rb, 2019 "A Denial!" talk (slides)
Integrations
- GraphQL Ruby (action_policy-graphql)
Installation
Add this line to your application's Gemfile:
gem "action_policy"
And then execute:
bundle install
Usage
Action Policy relies on resource-specific policy classes (just like Pundit).
First, add an application-specific ApplicationPolicy with some global configuration to inherit from:
class ApplicationPolicy < ActionPolicy::Base
end
This may be done with the rails generate action_policy:install generator.
Then write a policy for a resource. For example:
class PostPolicy < ApplicationPolicy
  # everyone can see any post
  def show?
    true
  end

  def update?
    # `user` is a performing subject,
    # `record` is a target object (post we want to update)
    user.admin? || (user.id == record.user_id)
  end
end
This may be done with the rails generate action_policy:policy Post generator.
Now you can easily add authorization to your Rails* controller:
class PostsController < ApplicationController
  def update
    @post = Post.find(params[:id])
    authorize! @post
    if @post.update(post_params)
      redirect_to @post
    else
      render :edit
    end
  end
end
* See [Non-Rails Usage](docs/non_rails.md) on how to add authorize! to any Ruby project.
When authorization is successful (i.e., the corresponding rule returns true), nothing happens; when authorization fails, an ActionPolicy::Unauthorized error is raised.
There is also an allowed_to? method, which returns true or false and can be used in views, for example:
<% @posts.each do |post| %>
  <li><%= post.title %>
    <% if allowed_to?(:edit?, post) %>
      <%= link_to "Edit", post %>
    <% end %>
  </li>
<% end %>
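The update? rule above is what stops one user from editing another user's post, so it is worth pinning down as a decision table. The following is an added example, not code from the Action Policy project: it uses plain-Ruby stand-ins so it runs without the gem. The User and Post structs, the Unauthorized class, the apply method's fail-closed behaviour and the explicit user: argument on the helpers are all assumptions made for illustration.

```ruby
# Stand-in for ActionPolicy::Unauthorized (added example, not the gem's code).
Unauthorized = Class.new(StandardError)

# Constructed sample models (assumptions, not from the page).
User = Struct.new(:id, :admin) do
  def admin?
    admin
  end
end
Post = Struct.new(:id, :user_id)

class PostPolicy
  attr_reader :user, :record

  def initialize(record, user:)
    @record = record
    @user = user
  end

  def show?
    true
  end

  # Same rule as on the page: admins, or the post's owner.
  def update?
    user.admin? || (user.id == record.user_id)
  end

  # Fail closed: a rule this class does not define is denied (stand-in choice).
  def apply(rule)
    known = self.class.public_instance_methods(false).include?(rule.to_sym)
    known && rule.to_s.end_with?("?") && public_send(rule) == true
  end
end

def allowed_to?(rule, record, user:)
  PostPolicy.new(record, user: user).apply(rule)
end

def authorize!(record, to:, user:)
  return true if allowed_to?(to, record, user: user)
  raise Unauthorized, "#{to} denied for user #{user.id} on post #{record.id}"
end

# Decision table for update? on a post owned by user 2.
def update_matrix
  post = Post.new(10, 2)
  users = { admin: User.new(1, true), owner: User.new(2, false), other: User.new(3, false) }
  users.transform_values { |u| allowed_to?(:update?, post, user: u) }
end
```

The same table translates directly into policy specs in a real application, where a non-owner, non-admin row that ever flips to true signals a broken access control regression.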
Read more in our Documentation.
Alternatives
There are many authorization libraries for Ruby/Rails applications.
What makes Action Policy different? See this section in our docs.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/palkan/action_policy.
License
The gem is available as open source under the terms of the MIT License.