authorize_me

authorize_me is a gem for Rails to handle simple role-based authorization. It is similar in style to can-can. The largest difference is that authorization rules are defined in the model they protect rather than one centralized location.

Set up the user model

Tell the gem which model to treat as the “user”.

class User
  authorize_me
end

The following methods are generated:

User#can_create?(obj)
User#can_read?(obj)
User#can_update?(obj)
User#can_destroy?(obj)

Each of these methods can take a model class, instance, or symbol.

The user model is expected to have a role method that returns a string or symbol. It could be a DB column or a method you define. Here is an example:

def role
  if admin?
    :admin
  else
    user_type
  end
end

Declare authorization rules

Authorization rules are declared in each model where they apply

class Article
  authorization do |role|
    role.admin     :can => :manage
    role.publisher :can => :manage, :if => :author?
    role.publisher :can => [:read, :create]
    role.any       :can => :read
  end
end

In this example a publisher can always read and create articles, but they can only manage articles for which they are the author.

This declaration assumes there is an Article#author? method which takes a user argument and returns a boolean.

:manage is shorthand for [:create, :read, :update, :destroy]

In your controllers

The unauthorized! method simply raises an AuthorizeMe::Unauthorized exception for you to handle as you choose.

def show
  @article = Article.find(params[:id])
  unauthorized! unless current_user.can_read?(@article)
end

In your views

<% if current_user.can_update?(@article) %>
  <%= link_to 'edit', edit_article_path(@article) %>
<% end %>

Copyright © 2010 Adam McCrea, released under the MIT license