
Role-based authorization in Rails - opiotrek
http://blog.chaps.io/2015/11/13/role-based-authorization-in-rails.html
======
ebola1717
I've been using Pundit, which is model-based, rather than role-based, and it
works really nicely with Rails conventions. Model-based feels more natural
than role based, IMO.

~~~
gkop
Indeed, the author is framing Access Granted against CanCan/CanCanCan, when
Pundit has already picked up the torch of Rails authorization.

Pundit made the design decision to be as close to pure Ruby as possible, and
therefore is extremely flexible (similar to the design philosophy of Strong
Parameters). Access Granted seems like a step backwards (toward a DSL) from
Pundit. So it would take a strong argument to show why Access Granted is
preferable to Pundit.

~~~
opiotrek
I personally dislike Pundit's way of defining permissions, but as always it's
a preference.

I really wanted to keep CanCan's simplicity, but add roles while cleaning
abilities/policies up.
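
Since this subthread contrasts Pundit's plain-Ruby policy classes with the role DSL of CanCan and Access Granted, here is an added example (not code from the blog post, from any commenter, or from either gem) of a Pundit-style policy written in plain Ruby that mixes ownership and role checks and fails closed when no user is present; the User, Post, PostPolicy and authorize! names are constructed for illustration.

```ruby
# Added example: a Pundit-style, model-based policy in plain Ruby (no gem).
# It follows Pundit's convention of PostPolicy.new(user, record) plus
# predicate methods, and shows that role checks fit inside such a policy.
# User, Post and the roles are constructed sample data.
User = Struct.new(:id, :roles, keyword_init: true)
Post = Struct.new(:id, :author_id, :published, keyword_init: true)

class NotAuthorizedError < StandardError; end

class PostPolicy
  attr_reader :user, :post

  # Fail closed: an anonymous caller never reaches a predicate.
  def initialize(user, post)
    raise NotAuthorizedError, "must be logged in" if user.nil?
    @user = user
    @post = post
  end

  # Published posts are visible to any logged-in user; drafts only to
  # their author or a moderator.
  def show?
    post.published || owner? || role?(:moderator)
  end

  def update?
    owner? || role?(:moderator)
  end

  # Deleting is deliberately narrower than editing: admins only.
  def destroy?
    role?(:admin)
  end

  private

  def owner?
    post.author_id == user.id
  end

  def role?(name)
    user.roles.include?(name)
  end
end

# Controller-side helper in the spirit of Pundit's `authorize`: build the
# policy, call the named predicate, and raise unless it returns true.
def authorize!(user, record, action)
  policy = PostPolicy.new(user, record)
  raise NotAuthorizedError, "#{action} denied" unless policy.public_send(action)
  true
end
```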

------
atomical
I think the pattern that needs to be explored is a rails engine that has a web
interface to manage permissions for different models. Usually stakeholders
want to control the roles and permissions.

~~~
danmaz74
We were recently working on designing a moderately complicated permissions
system, and my impression is that it's impossible to create such a
general-purpose engine and gem that covers enough of the cases that you'll
have to manage, without creating something that is incredibly complicated to
set up and manage. Except for a few standardized domains, you'll always have
rules that are easier to express and maintain with some custom,
domain-specific code.

------
hopsoft
I do like the access-granted DSL. It seems to address some of CanCan's
problems on larger more complex projects. Also... if you prefer a more OO
style, I wrote a 50 line authorization lib that has proved workable on some of
my larger projects.
[https://github.com/hopsoft/perm](https://github.com/hopsoft/perm)

~~~
jph
Nice work - your OO style and wrapper is well done. And the OO style makes it
easier to do dynamic roles, such as DCI.

------
taf2
I like the approach to describe permissions but I also think that a good data
model to sit behind this that includes roles and capabilities ultimately is
needed in most applications. Users and use cases will almost always arise that
require arbitrary roles with a mix of capabilities...

~~~
opiotrek
You are allowed to mix any roles in any combinations. This shows only a flat
hierarchy, but I'd love to explore that in an example sooner than later :)

------
Glyptodon
I strongly prefer Pundit. Not that my opinion adds a whole lot to the
conversation.

------
wldcordeiro
CanCan + Rolify does exactly what the OP wants.

~~~
seivan
I thought CanCan was abandoned when Rbates took some time off?
[https://github.com/ryanb/cancan](https://github.com/ryanb/cancan)

~~~
seivadmas
What happened with that guy? Did he ever come back?

~~~
ch4s3
Yeah, he's back online, but hasn't done any more casts or OSS work.

------
ericrr
There's also Rollout:

[https://github.com/FetLife/rollout](https://github.com/FetLife/rollout)

~~~
atomical
That doesn't have anything to do with roles and permissions.