Rails 4 authorization gem [closed]

I am looking for an authorization gem for Rails 4. Before, I used CanCan, but it looks outdated nowadays...

I found the_role here: https://github.com/the-teacher/the_role. It is nearly what I want, but has a few annoying issues. Maybe similar gems exist? I need roles, stored in the database, and to associate actions with rules. It would be great if the gem cooperated with Bootstrap.

P.S. For authentication I use Devise.

mystdeim asked Nov 30 '13 10:11

3 Answers

You should look at the bigger picture, even outside Ruby, and consider the authorization model. The traditional, prevalent model is role-based access control (RBAC), and this is what most frameworks and, in Ruby, most gems implement.

But if you have more advanced scenarios, you want to consider attribute-based access control and XACML, the eXtensible Access Control Markup Language.

With XACML, you can implement context-aware authorization that is policy-based. For instance, you can write rules such as:

  • managers can edit documents they own
  • doctors can view the medical record of patients they are assigned to

And so on...

I am not aware of any Ruby gem to apply XACML to your Ruby projects but the nature of XACML is such that you can easily implement your own authorization agents (enforcement points). I've written some in PHP, Java, .NET, and Perl.

You'll need an authorization engine. There are several open-source and vendor solutions out there such as SunXACML and Axiomatics.

Here are some interesting resources:

  • NIST RBAC - the official definition of the RBAC Model
  • NIST ABAC
  • OASIS XACML
David Brossard answered Nov 26 '22 05:11


CanCanCan

CanCan was a popular gem for authorization developed by Ryan Bates (best known for RailsCasts) and abandoned prior to the release of Rails 4.0. Due to its popularity, the community-based CanCanCan project maintains an updated version of CanCan. CanCan provides a DSL (domain-specific language) that isolates all authorization logic in a single Ability class.

Pundit

The Pundit gem is gaining in popularity for Rails authorization. Pundit is an authorization system that uses simple Ruby objects for access rules. Pundit uses a folder named app/policies/ containing plain Ruby objects that implement access rules.

CanCanCan or Pundit or ?

As an application grows in complexity, the CanCan Ability class can grow unwieldy. Also, every authorization request requires evaluation of the full CanCan Ability class, adding performance overhead. Pundit also offers the advantage of segregating access rules into a central location, keeping controllers skinny. Pundit policy objects are lightweight, adding authorization logic without as much overhead as CanCan.

Simple Role-Based Authorization

With Rails 4.1, you can implement role-based authorization using Active Record Enum. You can use CanCanCan or Pundit to keep controllers skinny if your access rules are complex but for simple requirements, you may not need CanCanCan or Pundit.

I've written an article on Rails Authorization that goes into more detail, comparing CanCanCan and Pundit and simple role-based authorization.

Daniel Kehoe answered Nov 26 '22 05:11
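As an added illustration of the two ideas in this thread (a policy-based rule like "managers can edit documents they own" from the first answer, and the Pundit-style plain-Ruby policy object plus enum-like roles from the answer above), here is a stand-alone example in plain Ruby. It is not code from Pundit, CanCanCan or the answerers; User, Document, DocumentPolicy, NotAuthorizedError and authorize are assumed names that mirror Pundit's conventions, and the rules themselves are constructed.

```ruby
# Added example in plain Ruby (no Rails, no Pundit gem): a Pundit-style policy
# object plus a deny-by-default authorize helper. User, Document, DocumentPolicy,
# NotAuthorizedError and authorize are assumed names mirroring Pundit conventions.

ROLES = %i[viewer editor manager].freeze   # what an Active Record enum would hold

User = Struct.new(:id, :role) do
  def initialize(id, role)
    raise ArgumentError, "unknown role #{role.inspect}" unless ROLES.include?(role)
    super
  end
  ROLES.each { |r| define_method("#{r}?") { role == r } }   # viewer?, editor?, manager?
end

Document = Struct.new(:id, :owner_id)

class NotAuthorizedError < StandardError; end
# One policy class per model: built from the acting user and the record, with
# one predicate per controller action so each rule is a plain Ruby expression.
class DocumentPolicy
  def initialize(user, document)
    @user = user
    @document = document
  end

  # Constructed rules: editors may edit any document; managers may edit only
  # documents they own (the "managers can edit documents they own" rule quoted
  # in the thread); only the owning manager may delete.
  def update?
    @user.editor? || (@user.manager? && owner?)
  end

  def destroy?
    @user.manager? && owner?
  end

  private
  def owner?
    @document.owner_id == @user.id
  end
end

# Controller-side check: deny unless the policy predicate explicitly returns true.
def authorize(user, record, query)
  unless DocumentPolicy.new(user, record).public_send(query) == true
    raise NotAuthorizedError, "#{user.role} may not #{query} document #{record.id}"
  end
  record
end
```

Because every predicate is ordinary Ruby, each rule can be unit-tested by instantiating the policy directly, without a controller or database.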


CanCanCan is the new version of CanCan:

https://github.com/CanCanCommunity/cancancan

Mosselman answered Nov 26 '22 06:11