Activity Based Authorization with Pundit

The basic idea is that authorization should not check the user's role; it should check the current action (renamed "activity" here, because "action" is already overloaded by the MVC pattern).

How it works:
  • instead of complicating our domain with Permissions or something similar, we use reflection for authorization.
  • we store the activities in an ARRAY-type column on the roles table (this can be changed to JSONB later).
  • we use reflection to generate one key per action, e.g. 'class:method_name'; this is the most basic version.
  • the Pundit Policies are only needed for the exceptional cases where something depends on the Role (think of scopes).
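The following is an added example, not code from this repository: a framework-free sketch of the reflection idea above. `Role`, `activity_key_for`, `authorized?`, `ArticlesController#authorize_activity!` and the two sample roles are names and values assumed here for illustration; the singularisation is a naive `chomp('s')` where a Rails app would use ActiveSupport's `singularize`.

```ruby
# Added example (not the repository's own code): activity-based authorization
# without Rails. Names below are assumptions for illustration.

NotAuthorized = Class.new(StandardError)

# A role carries its granted activities as an array of 'resource:action'
# keys, mirroring the ARRAY column on the roles table described above.
Role = Struct.new(:name, :activities) do
  def allows?(activity_key)
    activities.include?(activity_key)
  end
end

# Derives the activity key by reflection on the controller class and the
# action name, e.g. ArticlesController + :update => 'article:update'.
# Naive singularisation: chomp a trailing 's' (Rails would use #singularize).
def activity_key_for(controller_class, action)
  resource = controller_class.name.sub(/Controller\z/, '')
  resource = resource.gsub(/([a-z\d])([A-Z])/, '\1_\2').downcase # CamelCase -> snake_case
  "#{resource.chomp('s')}:#{action}"
end

# Deny by default: an activity is permitted only if the role lists it.
def authorized?(role, controller_class, action)
  role.allows?(activity_key_for(controller_class, action))
end

# Stand-in for a scaffolded Rails controller; a real app would call
# authorize_activity! from a before_action.
class ArticlesController
  attr_reader :current_role, :action_name

  def initialize(current_role, action_name)
    @current_role = current_role
    @action_name = action_name
  end

  # Returns the checked key, or raises if the current role lacks it.
  def authorize_activity!
    key = activity_key_for(self.class, action_name)
    raise NotAuthorized, "#{current_role.name} may not #{key}" unless current_role.allows?(key)
    key
  end
end

# A second controller only to show the CamelCase -> snake_case reflection.
class BlogPostsController < ArticlesController; end

# Constructed roles matching the README's two sample roles.
SIMPLETON = Role.new('simpleton', %w[article:index article:show])
ADMIN = Role.new('admin', %w[article:index article:show article:new article:edit
                             article:create article:update article:destroy])

if __FILE__ == $PROGRAM_NAME
  puts ArticlesController.new(SIMPLETON, :show).authorize_activity!
  begin
    ArticlesController.new(SIMPLETON, :destroy).authorize_activity!
  rescue NotAuthorized => e
    puts "denied: #{e.message}"
  end
end
```

Because the key is derived from the class and action rather than from a hand-maintained list, a newly scaffolded action is denied to every role until it is explicitly granted, which is the safer default for a permissions model that users can edit.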
How to play with it:
$ bundle
$ rails db:setup
$ rails s
  • GET /articles => a simple scaffolded resource
  • add ?role={ admin or simpleton } to switch the Role on the fly and play with the code
How to manage the activities:

One issue is that, for dynamic, editable permissions, a key such as 'article:update' means nothing to the application user and leaks implementation details into the UI. Hence:
article:
  view:
     - action: article:index
       description: Show all the articles
     - action: article:show
       description: Show one article
  edit:
     - action: article:new
       description: Show the new article page
     - action: article:edit
       description: Show the edit article page
     - action: article:create
       description: Be able to create an article
     - action: article:update
       description: Be able to update an article
  destroy:
     - action: article:destroy
       description: Be able to destroy an article

in config/activities.yml

Describing the activities a priori in one simple, centralised YML file also lets us use it for the initial seeds:

simpleton_activities =
  activities['article']['view'].map { |a| a['action'] }

Role.create(name: 'simpleton', activities: simpleton_activities)

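The next block is an added example, not code from this repository. It embeds a constructed copy of the activities.yml shown above so it runs without the app, then shows the two things the file is for: deriving role seeds from it (the admin role gets every declared action) and mapping an internal key back to the description the UI shows. `actions_for`, `all_actions`, `description_for`, `unknown_actions` and `role_seeds` are helper names assumed here; the seed hash stands in for the `Role.create` calls in db/seeds.rb.

```ruby
require 'yaml'

# Added example (not the repository's code). ACTIVITIES_YML is a constructed
# copy of config/activities.yml from the README, embedded to run offline.
ACTIVITIES_YML = <<~YAML
  article:
    view:
      - action: article:index
        description: Show all the articles
      - action: article:show
        description: Show one article
    edit:
      - action: article:new
        description: Show the new article page
      - action: article:edit
        description: Show the edit article page
      - action: article:create
        description: Be able to create an article
      - action: article:update
        description: Be able to update an article
    destroy:
      - action: article:destroy
        description: Be able to destroy an article
YAML

# In the app this would be YAML.load_file(Rails.root.join('config/activities.yml')).
ACTIVITIES = YAML.safe_load(ACTIVITIES_YML).freeze

# Action keys of one group under one resource, e.g. ('article', 'view').
def actions_for(activities, resource, group)
  activities.fetch(resource).fetch(group).map { |entry| entry.fetch('action') }
end

# Every action key declared in the file; the natural seed for an admin role.
def all_actions(activities)
  activities.values.flat_map do |groups|
    groups.values.flat_map { |entries| entries.map { |entry| entry.fetch('action') } }
  end
end

# Reverse lookup for the UI: internal key -> human description (nil if unknown),
# so the key itself never has to be rendered.
def description_for(activities, action_key)
  activities.each_value do |groups|
    groups.each_value do |entries|
      entry = entries.find { |e| e['action'] == action_key }
      return entry['description'] if entry
    end
  end
  nil
end

# Keys a role lists that the file does not declare. Checking this before a
# role is saved catches typos that would otherwise just silently deny access.
def unknown_actions(activities, keys)
  keys - all_actions(activities)
end

# Seeds as plain hashes; in db/seeds.rb each pair becomes
# Role.create(name: name, activities: activities).
def role_seeds(activities)
  {
    'simpleton' => actions_for(activities, 'article', 'view'),
    'admin' => all_actions(activities)
  }
end

if __FILE__ == $PROGRAM_NAME
  role_seeds(ACTIVITIES).each { |name, acts| puts "#{name}: #{acts.join(', ')}" }
  puts description_for(ACTIVITIES, 'article:destroy')
end
```

Keeping the YAML as the single source of truth means the UI, the seeds and any validation of edited roles all agree on the set of known activities; the `unknown_actions` check is the one piece a permissions editor should run before persisting a role.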
Source files of interest:
Notes:

The roles and users tables are just mock-ups.

Credits:
