Gem Version Code Climate Build Status Dependency Status

Abilities

Authorization dsl to manage permissions in rails.

Why

I did this gem to:

  • Use a dsl instead of a plain class to simplify the syntax.
  • Limit authorizations to only controllers and their views.

Install

Put this line in your Gemfile:

gem 'abilities'

Then bundle:

$ bundle

Configuration

Generate the definitions file:

bundle exec rails g abilities:install

Ensure there is a current_user method in your controllers:

class ApplicationController < ActionController::Base
  def current_user
    @current_user ||= User.find(session[:user_id])
  end
end

Usage

Definitions

Use can and cannot methods to define the policies:

Abilities.define do
  can :view, :any
  can :manage, User do |user|
    user == self
  end
  can :detroy, Product if admin?
end

NOTE: Methods besides can and cannot are sent to the current_user.

Controllers

With the authorize! method Abilities::AccessDenied is raised if authorization fails:

class UsersController < ApplicationController
  def edit
    @user = User.find(params[:id])
    authorize! :edit, @user
  end
end

If you don't want an exception to be raised use can? and cannot? helpers:

class UsersController < ApplicationController
  def edit
    @user = User.find(params[:id])
    if can?(:edit, @user)
      @user.update post_params
    else
      # handle access denied
    end
  end
end

Views

The helpers can? and cannot? are available in the controller views too:

<% if can?(:detroy, @product) %>
  <%= link_to product_path(@product), method: 'delete' %>
<% end %>

Credits

This gem is maintained and funded by mmontossi.

License

It is free software, and may be redistributed under the terms specified in the MIT-LICENSE file.