ActionGuard is a simple authorization module for use in Rails applications. It may well be usable with any other Ruby-based web framework.

It has been developed as part of some of my own Rails applications with the following design principles in mind:

  • roles are string values, and role definitions reside in program code, not in a database.
  • authorisation rules are collected in one configuration file, rather than spreading them out over controller definitions.
  • authorisation is decided by URL path matching. In Rails' case, you pass 'fullpath' to the authorization, which is then matched against a set of authorisation rules.


Documentation is work in progress. Besides this readme, you can read the specs and find the rdoc here:


    gem install action-guard 

or put action-guard in your Gemfile and

    bundle install

Getting started

Assuming a Rails application, you specify an initializer with the following content:

    ActionGuard.load_from_file(File.join(Rails.root, 'config', 'authorization.rules'))

and a file called authorization.rules in the config directory with something like:

    role :god , 0
    role :admin, 1
    role :worker, 2

    allow '/'
    allow '/tracking', :only_by => :admin
    allow '/maintenance', :at_least => :worker
    allow '/maintenance/[0-9]*/edit', :at_least => :admin
    allow '/maintenance/[0-9]*$', :at_least => :admin

and some model with a string typed attribute called 'role', in an account or user model e.g.:

    class Account
      attr_reader :role
    end

then in your (Application) controller you can

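    class ApplicationController < ActionController::Base
      prepend_before_filter :authorize_action

      # Ask ActionGuard whether the signed-in account may access the path
      def authorized?(fullpath)
        ActionGuard.authorized?(current_account, fullpath)
      end
      helper_method :authorized?

      def authorize_action
        unless authorized?(request.fullpath)
          flash[:alert] = I18n.t("not_authorized")
          sign_out  if current_account
          # Redirecting halts the filter chain; new_account_session_path
          # (Devise's sign-in path for accounts) is an assumed target.
          redirect_to new_account_session_path
        end
      end
    end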

(In the example above, the path helpers, sign_out and current_account methods are from Devise.)

This is in essence all you need to get ActionGuard working. You could also hide non-authorized links by adding an authorized_link_to method like so:

    def authorized_link_to(what, path, options = {})
      if authorized?(path)
        link_to(what, path, options)
      end
    end

or overwrite link_to
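
The sample authorization.rules above, run through a small stand-alone model so that the role and path combinations can be reviewed as a table. This is an added example, not ActionGuard's own code: RuleModel, matrix and SAMPLE are hypothetical names, and it assumes that a lower level means more privilege, that patterns are regular expressions anchored at the start of the path, that the last matching rule decides, and that an unknown role or an unmatched path is denied.

```ruby
# Simplified stand-in for the rules DSL; NOT ActionGuard's implementation.
# Assumed semantics: lower level = more privilege, patterns anchored at the
# start of the path, last matching rule decides, anything else is denied.
class RuleModel
  Rule = Struct.new(:pattern, :only_by, :at_least)

  def initialize(&block)
    @levels = {}
    @rules = []
    instance_eval(&block)
  end

  def role(name, level)
    @levels[name.to_s] = level
  end

  def allow(path, only_by: nil, at_least: nil)
    @rules << Rule.new(/\A#{path}/, only_by, at_least)
  end

  # role is the string stored on the account; nil means not signed in.
  def authorized?(role, path)
    rule = @rules.reverse.find { |r| r.pattern.match?(path) }
    return false unless rule
    return true unless rule.only_by || rule.at_least
    level = @levels[role.to_s]
    return false unless level
    return level == @levels.fetch(rule.only_by.to_s) if rule.only_by
    level <= @levels.fetch(rule.at_least.to_s)
  end

  # Role x path decision table, for review or a regression spec.
  def matrix(roles, paths)
    paths.to_h { |p| [p, roles.select { |r| authorized?(r, p) }] }
  end
end

# The rules from the readme, loaded into the model.
SAMPLE = RuleModel.new do
  role :god, 0
  role :admin, 1
  role :worker, 2
  allow '/'
  allow '/tracking', :only_by => :admin
  allow '/maintenance', :at_least => :worker
  allow '/maintenance/[0-9]*/edit', :at_least => :admin
  allow '/maintenance/[0-9]*$', :at_least => :admin
end
```

Calling SAMPLE.matrix(%w[god admin worker], paths) with the paths your application serves gives a table you can pin in a spec, so a later edit to the rules file that widens access shows up as a failing expectation.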

Issues - bugs

If you find any issues in the code please let me know through:

Also consult that list for known issues in ActionGuard.