Abilities
Authorization dsl to manage permissions in rails.
Why
We did this gem to:
- Use a dsl instead of a plain class to simplify the syntax.
- Limit authorizations to only controllers and their views.
Install
Put this line in your Gemfile:
gem 'abilities'
Then bundle:
$ bundle
Configuration
Generate the definitions file:
bundle exec rails g abilities:install
Set the user helper name to use in the controllers in the abilities.rb initializer:
Abilities.configure do |config|
config.helper = :user
end
Usage
Definitions
Use can and cannot methods to define the policies:
Abilities.define do
can :view, :any
can :manage, User do |user|
user == self
end
can :detroy, Product if admin?
end
NOTE: Methods besides can and cannot are sent to the current_user.
Controllers
With the authorize! method Abilities::AccessDenied is raised if authorization fails:
class UsersController < ApplicationController
def edit
@user = User.find(params[:id])
:edit, @user
end
end
If you don't want an exception to be raised use can? and cannot? helpers:
class UsersController < ApplicationController
def edit
@user = User.find(params[:id])
if can?(:edit, @user)
@user.update post_params
else
# handle access denied
end
end
end
Views
The helpers can? and cannot? are available in the controller views too:
<% if can?(:detroy, @product) %>
<%= link_to product_path(@product), method: 'delete' %>
<% end %>
Contributing
Any issue, pull request, comment of any kind is more than welcome!
We will mainly ensure compatibility to Rails, AWS, PostgreSQL, Redis, Elasticsearch and FreeBSD.
Credits
This gem is maintained and funded by museways.
License
It is free software, and may be redistributed under the terms specified in the MIT-LICENSE file.