What's the difference between this gem and pundit?

[killernova]

Are there any advantages in this gem over pundit?

[buszu]

Yup, the gems are very similar. I hope my post won't be considered as off-topic but as the gem is quite fresh I decided to post it here.

Please let me share my insights here:

• authorizations should allow developer to inject dependent object in nice way,
• authorization method can be more than just halting filter, it can return e.g. return privilages object like allowed fields to be displayed in json response.

That's why I've wrote some time ago a gem with different approach and successfully used it in both Rails and Hanami, also think would fit plain ruby app: https://github.com/buszu/auth_strategist.

I'm not trying to advertise it here, just hope it will inspire you in some way.
Kind regards.

[palkan]

Hi @killernova,

tl;dr Pundit is pretty much just a helper for your controller; it doesn't help you in any way to write better policy classes (from performance and usability point of view). Action Policy is full-featured framework.

Check out our documentation or the recent RailsConf talk slides.

[palkan]

@buszu Thanks for the feedback (and for the gem, btw).

authorizations should allow developer to inject dependent object in nice way,

Agree. And we do allow this in a nice, Rails, way (see docs).

authorization method can be more than just halting filter, it can return e.g. return privilages object like allowed fields to be displayed in json response.

Good point. This one is in our TODO list (along with scopes and strong parameters support).

[buszu]

Thanks for ur reply @palkan. I'm still not convinced about building context how u do it but maybe I'm not getting the docs correctly.

class ApplicationController < ActionController::Base
  authorize :account, through: :current_account
end

Does it mean that controller's current_account is being called by authorize? What if I have to pass the object that is already found by time-taking query and I don't wan't to call it second time? (that's why I'm using authorization "components" - to inject things already found by controller).

Also, pretty like above, let's say that I want to add 3 objects from different sources to be compared somewhere in policy. Is it possible to add few contexts or your way is to build single context object (that's what you call "composition of subjects", right?)?

If so, doesn't it lead to leveraging controller too much for building such a context (responsibility grounds)?

[palkan]

Does it mean that controller's current_account is being called by authorize?

Yep, correct.

What if I have to pass the object that is already found by time-taking query and I don't wan't to call it second time?

Hm, I haven't about it) I assume that such methods (current_user, current_account, current_whatever) are memoized (and they should always be). It worth noting this in the docs.

It's pretty easy to add support for explicit context though, e.g.:

authorize! record, context: { user: @user }

Also, pretty like above, let's say that I want to add 3 objects from different sources to be compared somewhere in policy. Is it possible to add few contexts or your way is to build single context object (that's what you call "composition of subjects", right?)?

I'm not sure I got the idea. What are these 3 objects? Do you want to authorize multiple resources or provide multiple contexts?

If so, doesn't it lead to leveraging controller too much for building such a context (responsibility grounds)?

The reason why we add this configuration is to avoid duplication/boilerplate – no need to specify the context (acting subject) for all the authorization calls; it's very unlikely that it differs between actions and even controllers.

[buszu]

It's pretty easy to add support for explicit context though, e.g.:
ruby authorize! record, context: { user: @user }

I think this is what I was looking for.
Some code that might be written (partially inspired by real app that's using pundit):

class RequirementsDocPolicy
  def create?
    user.documenter?(project) &&
      (user.requirement_doc.blank? || user.requirement_doc.versions.empty?) &&
      project.document_set.state == 'preparing' &&
      user.google.uploader? # assume this makes API call
  end
end

(And now imagine not using ActiveRecord.)
We need to fetch a lot of entities actually (user, project, document_set) and make external API call.

class RequirementsDocsController
  def create
    find_user_in_google
    authorize! RequirementsDoc, context: { user: current_user,
                                           user_in_google: @user_in_google }
  end
end

If I can do so, it's ok. :)

[palkan]

@buszu Could you, please, extract it into a separate issue (the above comment would work fine as a description)?

[casiodk]

@palkan I saw your talk at rails conf, very good, thanks for that. Do you have something similar to pundits policy_scope in this gem?

[palkan]

@casiodk Thanks for the feedback!

Do you have something similar to pundits policy_scope in this gem?

Not yet; this feature is currently in progress. Gonna release it (along with a few other WIP features) in a couple if weeks.

[casiodk]

Sounds good!

[palkan]

@casiodk I've added an issue to discuss scopes API #5