Rails 4 authorization gem

Question

I am looking an authorization gem for rails 4. Before I used cancan, but it looks outdated nowadays...

I found the_role here https://github.com/the-teacher/the_role It is nearly what I want, but has a few annoying issues. Maybe similar gems exist? I need roles, store roles in database and association actions with rules. It wound be great if gem cooperate with bootstrap.

P.S. For authentication I use devise.

Try using [rolify](https://github.com/EppO/rolify) gem for manage roles and [pundit](https://github.com/elabs/pundit) gem for authorization. — Thanh, Dec 01 '13 at 06:05

score 30 · Answer 1 · answered Sep 03 '14 at 22:52

CanCanCan

CanCan was a popular gem for authorization developed by Ryan Bates (best known for RailsCasts) and abandoned prior to the release of Rails 4.0. Due to its popularity, the community-based CanCanCan project maintains an updated version of CanCan. CanCan provides a DSL (domain-specific language) that isolates all authorization logic in a single Ability class.

Pundit

The Pundit gem is gaining in popularity for Rails authorization. Pundit is an authorization system that uses simple Ruby objects for access rules. Pundit uses a folder named app/policies/ containing plain Ruby objects that implement access rules.

CanCanCan or Pundit or ?

As an application grows in complexity, the CanCan Ability class can grow unwieldy. Also, every authorization request requires evaluation of the full CanCan Ability class, adding performance overhead. Pundit also offers the advantage of segregating access rules into a central location, keeping controllers skinny. Pundit policy objects are lightweight, adding authorization logic without as much overhead as CanCan.

Simple Role-Based Authorization

With Rails 4.1, you can implement role-based authorization using Active Record Enum. You can use CanCanCan or Pundit to keep controllers skinny if your access rules are complex but for simple requirements, you may not need CanCanCan or Pundit.

I've written an article on Rails Authorization that goes into more detail, comparing CanCanCan and Pundit and simple role-based authorization.

score 3 · Answer 2 · answered Dec 01 '13 at 08:19

You should look at the bigger picture even outside Ruby and consider authorization model. The traditional prevalent model is role-based access control (RBAC) and this is what most frameworks and - in Ruby - most gems implement.

But if you have more advanced scenarios you want to consider attribute-based access control and XACML, the eXtensible Access Control Markup Language.

With XACML, you can implement context-aware authorization that is policy-based. For instance you can write rules such as:

managers can edit documents they own
doctors can view the medical record of patients they are assigned to

And so on...

I am not aware of any Ruby gem to apply XACML to your Ruby projects but the nature of XACML is such that you can easily implement your own authorization agents (enforcement points). I've written some in PHP, Java, .NET, and Perl.

You'll need an authorization engine. There are several open-source and vendor solutions out there such as SunXACML and Axiomatics.

Here are some interesting resources:

NIST RBAC - the official definition of the RBAC Model
NIST ABAC
OASIS XACML

someone might down voted your answer, probably because @mystdeim is asking for a 'puppy' and you are trying to give him a 'dinosaur' :) — sameera207, Mar 06 '14 at 02:43
or someone is trying to tighten a screw with a hammer... Use the right tools and don't reinvent the wheel — David Brossard, Mar 06 '14 at 21:08
This is fine background reading but the original poster is looking for ruby and rails specifically, so this doesn't advance a specific, implementable solution. — Jim Wrubel, Nov 18 '14 at 11:15

score 3 · Answer 3 · answered Apr 27 '14 at 18:39

3

Cancancan is the new version of can can:

https://github.com/CanCanCommunity/cancancan

answered Apr 27 '14 at 18:39

Mosselman

1,718
15
27

score 2 · Answer 4 · answered Apr 08 '15 at 20:44

Action Access works great with Rails 4, has very clear syntax and it's really lightweight.

It boils down to this:

class ArticlesController < ApplicationController
  let :admin, :all
  let :user, [:index, :show]

  # ...
end

This will automatically lock the controller, allowing admins to access every action, users only to show or index articles and anyone else will be rejected and redirected with an alert.

Everything related to the controller is within the controller making it really modular and avoids leaving forgotten trash when you refactor.

For granular control you can use not_authorized! inside actions to check against data from the database or whatever you need.

It's completely independent of the authentication system and it can work even without User models or predefined roles. All you need is to set the clearance level for the current request:

class ApplicationController < ActionController::Base
  def current_clearance_level
    session[:role] || :guest
  end
end

You may return whatever your app requires, like current_user.role for example.

It also bundles a set of handy model additions that allow to extend user models and do things like:

<% if current_user.can? :edit, :article %>
  <%= link_to 'Edit article', edit_article_path(@article) %>
<% end %>

Here :article refers to ArticlesController, so the link will only be displayed if the current user is authorized to access the edit action in ArticlesController. Namespaces are supported too.

You can lock controllers by default, customize the redirection path and the alert message, etc. Checkout the documentation for more.

score 0 · Answer 5 · answered Apr 28 '16 at 16:12

0

Pundit and Cancancan are the best gems for rails 4

answered Apr 28 '16 at 16:12

nizniz

77
1
9

Rails 4 authorization gem

5 Answers5

Linked