Build with us
Build with us
20-
Sep
21
Meet us at Borderless JS Community Day!

Action Policy

Action Policy logo

Services & Skills

Share on

Action Policy is a composable, extensible, and performant authorization framework for Ruby on Rails applications.

1.2K
stars
85
forks
21
watching
30
contributors

Usage

Action Policy relies on resource-specific policy classes (just like Pundit).

First, add an application-specific ApplicationPolicy with some global configuration to inherit from:

class ApplicationPolicy < ActionPolicy::Base
end

This may be done with the rails generate action_policy:install generator.

Then, write a policy for a resource. For example:

class PostPolicy < ApplicationPolicy
  # everyone can see any post
  def show?
    true
  end

  def update?
    # `user` is a performing subject,
    # `record` is a target object (post we want to update)
    user.admin? || (user.id == record.user_id)
  end
end

This may be done with the rails generate action_policy:policy Post generator.

Now you can easily add authorization to your Rails controller:

class PostsController < ApplicationController
  def update
    @post = Post.find(params[:id])
    authorize! @post

    if @post.update(post_params)
      redirect_to @post
    else
      render :edit
    end
  end
end

When the authorization is successful (i.e., the corresponding rule returns true), nothing happens, but in case of authorization failure ActionPolicy::Unauthorized an error is raised.

There is also an allowed_to? method which returns true or false, and could be used in views:

<% @posts.each do |post| %>
  <li><%= post.title %>
    <% if allowed_to?(:edit?, post) %>
      <%= link_to post, "Edit">
    <% end %>
  </li>
<% end %>

Read more in the Documentation.

Author

Further reading

In the same orbit

  • Action Policy GraphQL

    Action Policy GraphQL

    An integration for using Action Policy as an authorization framework for Rails GraphQL applications.
    Action Policy GraphQL logo
  • Gemfile of dreams: the libraries we use to build Rails apps

    Gemfile of dreams: the libraries we use to build Rails apps

    Cover for Gemfile of dreams: the libraries we use to build Rails apps
  • Apollo launch: Building a migration architecture for 2U

    Apollo launch: Building a migration architecture for 2U

    Cover for Apollo launch: Building a migration architecture for 2U
  • Product design that sells: the smart UX for Tines

    Product design that sells: the smart UX for Tines

    Cover for Product design that sells: the smart UX for Tines
  • Catch a batch: Making Mayhem 5 times more responsive

    Catch a batch: Making Mayhem 5 times more responsive

    Cover for Catch a batch: Making Mayhem 5 times more responsive
  • Ruby Next: Make all Rubies quack alike

    Ruby Next: Make all Rubies quack alike

    Cover for Ruby Next: Make all Rubies quack alike
  • It deserved its own tome: Layered Design and the Extended Rails Way

    It deserved its own tome: Layered Design and the Extended Rails Way

    Cover for It deserved its own tome: Layered Design and the Extended Rails Way
  • My Ruby 2018: Around the world in nine conferences

    My Ruby 2018: Around the world in nine conferences

  • GemRuby Show: Vladimir Dementyev & Action Policy
    Podcast with Vladimir Dementyev

    GemRuby Show: Vladimir Dementyev & Action Policy

    GemRuby Show
    Cover for GemRuby Show: Vladimir Dementyev & Action Policy
  • Rails as a piece of birthday cake
    By Vladimir Dementyev

    Rails as a piece of birthday cake

    RailsConf
    Cover for Rails as a piece of birthday cake
  • The Rails Changelog: CTEs In Rails, CPKs coming soon with Vladimir Dementyev
    Podcast with Vladimir Dementyev

    The Rails Changelog: CTEs In Rails, CPKs coming soon with Vladimir Dementyev

    The Rails Changelog
    Cover for The Rails Changelog: CTEs In Rails, CPKs coming soon with Vladimir Dementyev
  • Authorization in the GraphQL era
    By Nikolay Sverchkov

    Authorization in the GraphQL era

    RailsConf
  • Welcome, or access denied
    By Vladimir Dementyev

    Welcome, or access denied

    RubyRussia
  • A denial!
    By Vladimir Dementyev

    A denial!

    Seattle.rb
  • My Ruby Story 078: Vlad Dem
    Podcast with Vladimir Dementyev

    My Ruby Story 078: Vlad Dem

    My Ruby Story
  • Access denied: the missing guide to authorization in Rails
    By Vladimir Dementyev

    Access denied: the missing guide to authorization in Rails

    RailsConf
  • Fountain
    As a core technical team behind Fountain’s software, doing backend and frontend development and being responsible for scaling the software, we were happy to see them become an industry leading hiring platform for hourly workers.
    $220M
    total funding
    Backed
    by Softbank, Y Combinator
    Fountain logo
  • Tines
    Evil Martians helped an advanced security orchestration and automation platform, Tines, with the core product, covering UI design, frontend, and backend. Our team designed a pro-oriented interface easy-to-use even for newcomers.
    Backed
    by Index Ventures
    $90M+
    total funding
    Tines logo
  • StackBlitz
    Stackblitz is an online IDE for creating, editing, and deploying full-stack apps via browser using WebContainers. We worked on both backend and API development, official release preparations, and helped implement some enterprise features.
    $8M
    total funding
    Backed
    by GV
    StackBlitz logo
  • Common
    As a leading co-living platform, Common designs, creates, and operates all-inclusive homes. Martians were responsible for backend, frontend, and mobile development for the Connect by Common app.
    11
    cities
    $110M+
    total funding
    Common logo
  • Playbook
    Playbook, a platform for the modern creator, allows you to store, share and collaborate on visual content. Now with 50,000 active customers, they came to us for API optimizations, integrations, and to help develop a machine learning-powered search to simplify working with a large number of images.
    $22M+
    total funding
    Playbook logo
  • Mayhem
    Mayhem brings gamers together in tournaments, leagues, and other real-time community-driven events. Evil Martians resolved performance bottlenecks in the project’s backend, stemming from Mayhem’s active user base’s rapid growth.
    $5.7M
    total funding
    Backed
    by Y Combinator, Accel
    Mayhem logo
  • 2U
    Martians helped 2U achieve the strategic goal of reorganizing its microservices architecture by safe migration GraphQL API to Apollo Federation with zero downtime and fewer expenses.
    $427M
    total funding
    225K
    students
    2U logo
  • Mily
    Evil Martians helped Mily (ex-Kin)—a community-driven, tailor-made housing platform for families, to launch their mobile application.
    Mily logo
  • Feed
    FEED is a social video iOS app with real-time communication, collective movies, and co-streaming features built from scratch by a core tech team from Evil Martians using the latest mobile technologies and machine learning systems.
    Feed logo

Explore more open source projects

  • Mock Suey

    Mock Suey

    A collection of tools to keep Ruby mocks in line with real objects.
    Mock Suey logo
  • Yabeda

    Yabeda

    Make Ruby and Rails application monitoring as easy as possible.
    Yabeda logo

Contact us

We’d love to hear from you! We’re not really all that evil, and we love discussing potential projects, intriguing ideas, and new opportunities. Complete the form below or drop us a line at surrender@evilmartians.com. Alternatively, schedule a Calendly appointment with us right now!

Martians at a glance
17
years in business

A product development consultancy that works with startups and established businesses, while also creating open source-based products and services