When you build a rails app with many roles of user, I think at this time the thing that you are most worried about is decentralizing your users. Now you have a lot of solutions to solve this problem. But now in this article I will show you a gem pundit
to manage user roles.
What is pundit ?
Gem pundit
is a library that helps build a system to limit the resources of an authorized user.
If you need to limit access resoures to certain users, seperating role for the user in your app will be appear. So you can use Pundit
for manage that problem. Pundit
helps us to define policy as PORC.
We will still need to determine the role of our users. But now our advantage is mitigating for controllers and models. Policy will handle the most complex part for the model / controller is to allow access to a specific page.
How you work with Pundit
Step 1: You create a Policy class that deals with authorizing access to a specific type of record.
Step 2: You call the built-in authorize function, passing in what you’re trying to authorize access to.
Step 3: Pundit will find the appropriate Policy class and call the Policy method that matches the name of the method you are authorizing. If it returns true, you have permission to perform the action. If not, it’ll throw an exception.
Set up Pundit
I think it is quit easy to set up this gem. For clearly instruction you can check Gem’s documentation. Now start to set up it:
- Add
gem "pundit"
toGemfle
- Add
Include Pundit
into theapplication controller
- Running
bundle install
rails g pundit:install
will create and set the default policy for your application and be defined at the path app/polices.
Now you can check example application_controller.rb
as below:
1 2 3 4 5 6 7 8 9 10 11 12 | class ApplicationController < ActionController::Base include Pundit rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized protect_from_forgery with: :exception private def user_not_authorized flash[:error] = "Access Deny" redirect_to request.referrer || new_user_session_path end end |
Now you see the default file of Pundit is application_policy.rb as follows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | class ApplicationPolicy attr_reader :user, :model def initialize current_user, model raise Pundit::NotAuthorizedError,"login" unless user @user = user @model = model end def index end def show end . . . end |
For the code above you can see:
- First veriable is
user
and in the controllerpundit
will be passed thecurrent_user
- Second veriable is model that we need to authorize.
Policy in pundit and controller will have the same function to check policy in that function.
Example: in your users_controller.rb
:
1 2 3 4 5 6 7 8 9 10 11 | class UsersController < ApplicationController def show end def index @users = User.all end end |
Then in user_policy.rb will have the corresponding functions as follows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | class UserPolicy < ApplicationPolicy class Scope attr_reader :user, :scope def initialize user, scope @user = user @scope = scope end def index? @user.admin? end def show? @user.present? end end |