Scaler
Academy
Data Science
Neovarsity
New
Skill Test
Free Masterclass
Search for Articles, Topics
Ruby on Rails Tutorial
Using Pundit Gem for Authorization in Rails

Using Pundit Gem for Authorization in Rails

By Srinjoy Ray
5 mins read
Last updated: 17 Jul 2023
157 views
Learn via video courses
Topics Covered

Overview

Authentication is the process of verifying someone's identity. Authorization, on the other hand, is the process of granting or refusing access to a specific resource. Rails is a well-known web development framework that includes numerous tools for implementing authorization in its applications. The Rails Pundit gem is one such tool.

What is Pundit in Rails?

Rails Pundit, a Ruby gem, provides a simple and lightweight method for setting up role-based authorization in Rails applications. Its simple and adaptable architecture enables developers to establish authorization policies using Plain Old Ruby Classes (PORC), which do not inherit from other classes or involve other framework modules. As a result, the code becomes simpler to understand and maintain.

With Pundit Rails, we can define policies that indicate which users may execute specified activities or access specific resources within the program. By keeping the policies distinct from the models and controllers, we can keep our code clean and manageable. While we will still need to create roles for our users, Rails Pundit simplifies authorization implementation and makes our lives simpler.

Working with Rails Pundit

Rails Pundit allows us to create policy classes that handle authorization for different types of records. Here's an example:

In this example, we have the update? method in the PostPolicy class that checks the role of the user and returns a boolean value.

We're calling authorize @post to ensure that the user is authorized to act. Pundit Rails finds the appropriate Policy class and invokes the Policy method that corresponds to this action. If the method returns true, we have the authorization to act. Otherwise, Pundit Rails throws an exception.

By using Pundit, we can keep the controllers and models simple and avoid complex code by defining authorization policies in plain Ruby classes.

How to Set Up Pundit?

Here are the steps to set up Rails Pundit in our application:

  • Add gem pundit to the Gemfile
  • Include Pundit in the application controller
  • Execute the command bundle install

Additionally,

  • We can also run rails g pundit:install to create an application policy with some useful defaults.
  • Define our policies in the app/policies/ directory.
  • Restart the Rails server after defining new classes so that Rails can pick them up.

By following these simple steps, we can easily incorporate Rails Pundit into our application and start defining policies that control user access.

Policy Addition

Corresponding to each action in a controller we can create authorization rules in a policy class meant for that specific controller.

Suppose we want to restrict access to create the action of the Post model to only admins. We can do that by making the following changes to the PostPolicy class:

In the above example, the create? method checks if the user is an admin or not. It returns true if the user is an admin, signifying that only admins have permission to create a new post.

We added the authorize method to the PostsController to check if the user is authorized to perform the create action on the @post object.

Some key points to remember are:

  • Policies should be created in a new file in the app/policies directory with the same name as the model class and the suffix Policy.
  • The first argument is a user. In our controller, Pundit Rails will call the current_user method to retrieve what to send into this argument.
  • The second argument of the policy method is a model object whose authorization is being checked. This can be any kind of object, not just an ActiveRecord or ActiveModel object.
  • Set authorization rules for each action in a controller by creating a corresponding method in the policy class with the same name suffixed with a ?.
  • Alternatively we can also create a method with a different name like new? for the create action and specify it like:

Pundit Policy Scopes

Suppose we have a BlogPost model with a published boolean attribute, and we want to restrict access to unpublished blog posts to only admins. In this case, we can define a policy scope method in the BlogPostPolicy class that returns only published blog posts for non-admin users, as follows:

This policy scope method checks if the user is an admin or not and returns all blog posts for admins and only published blog posts for non-admin users.

Here, the policy_scope method returns the authorized subset of blog posts based on the policy scope defined in the BlogPostPolicy class, and the authorize method ensures that the user is authorized to view the subset of blog posts.

By using policy scopes, we can easily apply authorization rules to collections of records within a model, making it easier to manage access control in our application.

Policy with Multiple Roles

It is fairly common to authorize multiple roles to perform particular actions based on different conditions. For example, we can allow admins and creator of a post to perform the delete operation on that post by defining the delete? function in the following manner in the PostPolicy class:

The delete? method in this example returns true if the user is an admin or the user who created the post and returns false otherwise. Hence, restricting the delete action on that particular post object.

FAQs

Q. Can we use Rails Pundit with other authorization libraries in a Rails application?

A. Yes, Rails Pundit is versatile and may be used in a Rails application with other authorization frameworks like Devise, etc.

Q. Can we customize Pundit's default error messages in a Rails application?

A. Yes, by creating a unique policy class for the application, we may modify the default error messages displayed by Pundit.

Conclusion

  • Pundit is a well-known Rails gem for implementing authorization.
  • It offers a versatile and user-friendly approach for setting authorization policies and policy scopes using PORC.
  • Developers may utilize Pundit to set authorization rules for each model in the application and limit access to certain actions or resources depending on the user's role or other criteria.
  • Pundit Rails integrates well with other libraries, such as Devise for authentication, to give a complete solution for protecting Rails applications.
  • The simple syntax of Pundit Rails and clear error messages make it simple to comprehend and troubleshoot authorization issues.
  • Developers may utilize Pundit Rails to enhance the security and usability of their Rails apps by guaranteeing that only authorized users can execute particular activities or access specific resources.