23 comments

[ 3.2 ms ] story [ 45.4 ms ] thread
I think the pattern that needs to be explored is a rails engine that has a web interface to manage permissions for different models. Usually stakeholders want to control the roles and permissions.
We were recently working on designing a moderately complicated permissions system, and my impression is that it's impossible to create such a general-purpose engine and gem that covers enough of the cases that you'll have to manage, without creating something that is incredibly complicated to set up and manage. Except for a few standardized domains, you'll always have rules that are easier to express and maintain with some custom, domain-specific code.
Neat idea, you might be able to quickly throw together a really compelling proof-of-concept by building off of https://github.com/RolifyCommunity/rolify, which seems to strike a nice balance of opinionated, flexible, and doing a fair amount of work for you (IE it gets involved in / takes care of the db data modeling).
Interesting, this is very project specific so might be tough to implement for general user-base.
I like the approach to describe permissions but I also think that a good data model to sit behind this that includes roles and capabilities ultimately is needed in most applications. Users and use cases will almost always arise that require arbitrary roles with a mix of capabilities...
You are allowed to mix any roles in any combinations. This shows only a flat hierarchy, but I'd love to explore that in an example sooner than later :)
CanCan + Rolify does exactly what the OP wants.
I've been using Pundit, which is model-based, rather than role-based, and it works really nicely with Rails conventions. Model-based feels more natural than role based, IMO.
I've used Pundit in my last few projects and loved the simplicity of it. Would recommend to others.
Indeed, the author is framing Access Granted against CanCan/CanCanCan, when Pundit has already picked up the torch of Rails authorization.

Pundit made the design decision to be as close to pure Ruby as possible, and therefore is extremely flexible (similar to the design philosophy of Strong Parameters). Access Granted seems like a step backwards (toward a DSL) from Pundit. So it would take a strong argument to show why Access Granted is preferable to Pundit.

Yea I thought the same thing when reading this. Pundit is already well adopted and covers this use case, this seems like re-inventing the wheel a bit atm.
I personally dislike Pundit's way of defining permissions, but as always it's a preference.

I really wanted to keep CanCan's simplicity, but add roles while cleaning abilities/policies up.

Pundit is excellent, it doesn't tie you to any one model of authorization, it just gives you a standard way to implement your own in a very light-weight fashion.
I do like the access-granted DSL. It seems to address some of CanCan's problems on larger more complex projects. Also... if you prefer a more OO style, I wrote a 50 line authorization lib that has proved workable on some of my larger projects. https://github.com/hopsoft/perm
Nice work - your OO style and wrapper is well done. And the OO style makes it easier to do dynamic roles, such as DCI.
I strongly prefer Pundit. Not that my opinion adds a whole lot to the conversation.