A plugin for authorization in a ReSTful Ruby on Rails application
Authorization-san allows you to specify access policies in your controllers. The plugin assumes a number of things about the application.

  • If a user has authenticated with the application, that user is stored in @authenticated. The method of authentication doesn't matter, and neither does what you put in @authenticated, as long as it's truthy.

  • @authenticated has either a role attribute or a number of query methods for the role: admin?, editor?, guest?. When the @authenticated object doesn't have role methods you can't use role-based access rules, but the rest still works.

What does it look like?

class BooksController < ActionController::Base
  # Visitors can see the list of books and individual book pages
  allow_access :all, :only => [:index, :show]
  # An editor can create new books, but…
  allow_access :editor, :only => [:new, :create]
  # …she can only update her own books (the block loads the record scoped to her).
  allow_access(:editor, :only => [:edit, :update]) { @book = @authenticated.books.find(params[:id]) }
  # Admin users can do it all.
  allow_access :admin
end

The best place to start learning more is the examples directory in the source.
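To make the rule semantics above concrete, here is an added example: a small stand-alone policy evaluator written for this page, not the plugin's own code. It assumes the README's reading of the DSL (a rule matches when the action is in :only, the role query method on @authenticated returns true, and any block returns a truthy value) and, as a further assumption, that access is denied when no rule matches.

```ruby
# Constructed stand-in for the plugin's DSL: a tiny policy evaluator that
# mirrors the README's semantics (assumption, not the plugin's own code).
class AccessPolicy
  Rule = Struct.new(:role, :only, :condition)

  def initialize
    @rules = []
  end

  # role:  :all, or a role symbol queried via "#{role}?" on the authenticated object
  # only:  restricts the rule to the listed actions (nil means every action)
  # block: extra condition, called with the authenticated object and the params
  def allow_access(role, only: nil, &block)
    @rules << Rule.new(role, only && only.map(&:to_sym), block)
  end

  # Returns true when at least one rule grants the action (deny by default).
  def allowed?(authenticated, action, params = {})
    @rules.any? do |rule|
      next false if rule.only && !rule.only.include?(action.to_sym)
      next false unless role_matches?(rule.role, authenticated)
      rule.condition ? !!rule.condition.call(authenticated, params) : true
    end
  end

  private

  def role_matches?(role, authenticated)
    return true if role == :all
    return false unless authenticated  # anonymous visitor: only :all rules apply
    query = "#{role}?"
    authenticated.respond_to?(query) && authenticated.public_send(query)
  end
end

# Constructed sample user type with the role query methods the README expects.
User = Struct.new(:name, :role, :book_ids) do
  def admin?;  role == :admin;  end
  def editor?; role == :editor; end
end

# The README's BooksController policy, expressed against the evaluator above.
BOOKS_POLICY = AccessPolicy.new.tap do |policy|
  policy.allow_access :all, only: [:index, :show]
  policy.allow_access :editor, only: [:new, :create]
  policy.allow_access(:editor, only: [:edit, :update]) do |user, params|
    user.book_ids.include?(params[:id])   # "her own books"
  end
  policy.allow_access :admin
end
```

Running BOOKS_POLICY.allowed?(user, :edit, id: 3) for an editor who does not own book 3 returns false, while the same call for an admin returns true, which is the ownership check the block in the controller example performs.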

Will it run?

Authorization-San runs on all Ruby on Rails versions above 2.3 and their supported Ruby versions.


In order of appearance:

  • Manfred Stienstra

  • Eloy Duran

  • Hrvoje Šimić

  • Jeff Kreeftmeijer
