Rails authority / role survey

Overview

Notes taken while investigating how to manage roles and access privileges in Rails.

Access authority check (authorization)

・ Cancancan
・ Pundit
・ Banken

About authorization

Pundit and banken, whose rules are plain Ruby classes rather than a configuration file, look the easiest to work with. Pundit wins on popularity. However, banken's slides say the author built it to fix his dissatisfaction with cancancan and pundit, so banken also looks like a good choice.

role setting (authority management)

・ Rolify

The outline of each gem will be described later.

Thoughts on each gem

For setting the role (authority)

  1. If each user has exactly one role, an enum column on the users table is enough (rolify works too).
  2. If a user may hold several roles, rolify is the easy option.
  3. If the role table must also carry extra data such as the Japanese display name of a job title, it is probably better to build your own role master table plus an association table.

I see the description that sorcery is easier to customize for authentication, so I think sorcery is safer as a general-purpose template.

So: authentication with sorcery, authorization with banken (or pundit), role assignment with rolify or your own tables.

This combination looks general-purpose enough.

The result is similar to the structure described in the Gunosy blog post below (or perhaps just influenced by it):

https://tech.gunosy.io/entry/gunosy-admin-rails

Overview of each gem

cancancan (downloads: 22,394,057)

https://github.com/CanCanCommunity/cancancan

What you can do
・ Permission rules are defined per model + action for each role, all in a single Ability class file.

Basic usage
・ Create an Ability class and write the rules in cancancan's own DSL.
・ The basic form is "can / cannot <action name>, <model>, <condition hash>".

  class Ability
    include CanCan::Ability

    def initialize(user)
      # Anyone, including guests, can read public posts
      can :read, Post, public: true

      if user.present?
        # Logged-in users can also read their own posts
        can :read, Post, user_id: user.id

        # Admins can read every post
        can :read, Post if user.admin?
      end
    end
  end

Demerit
・ The custom notation has a learning cost.
・ Because every role * can / cannot rule for every model goes into one Ability file, the file tends to grow. With many conditional branches it becomes hard to follow.

Reference URL
・ https://qiita.com/senou/items/e28ff548e93ad0eeed3f
・ https://qiita.com/naoki85/items/266c8d7ab469cc6ab1fe
・ https://qiita.com/umanoda/items/679419ce30d1996628ed
・ https://happy-teeth.hatenablog.com/entry/2018/12/09/002905

pundit (downloads: 20,682,033)

https://github.com/varvet/pundit

What you can do
・ A Policy class is created per model, and the authorization condition for each action name is defined in it.
・ Rules are plain Ruby.
・ * Only one policy can be associated with a model. If the same model is used by both the API and the normal screens, both sets of rules end up in the one policy file.

Basic usage
・ Create a Policy file for each model.
・ Write a predicate method for each condition in the Policy file.
・ At the point of use, call authorize from the controller (or elsewhere), receive the result, and act on it.
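As an added illustration of the usage above, here is a Pundit-style policy written in plain Ruby. It is not code from the pundit gem or from this memo: the User and Post structs, PostPolicy with its nested Scope, and the authorize / policy_scope helpers are constructed here to mirror Pundit's conventions (one policy per model, predicate methods ending in "?", a Scope that narrows a collection) without needing Rails.

```ruby
# Added example: a Pundit-style policy in plain Ruby, not the pundit gem.
# User, Post, PostPolicy, authorize and policy_scope are constructed here
# to mirror Pundit's conventions without Rails.

User = Struct.new(:id, :admin, keyword_init: true) do
  def admin?
    admin == true
  end
end

Post = Struct.new(:id, :user_id, :public, keyword_init: true)

class NotAuthorizedError < StandardError; end

class PostPolicy
  attr_reader :user, :post

  # Pundit passes the current user and the record being checked.
  def initialize(user, post)
    @user = user
    @post = post
  end

  # Guests see public posts; logged-in users also see their own; admins see all.
  def show?
    return true if post.public
    return false if user.nil?
    user.admin? || post.user_id == user.id
  end

  # Only the author or an admin may edit.
  def update?
    return false if user.nil?
    user.admin? || post.user_id == user.id
  end

  # Deletion is admin-only.
  def destroy?
    !user.nil? && user.admin?
  end

  # Scope narrows a collection to what the user may see (mirrors policy_scope).
  class Scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      return @scope if @user&.admin?
      @scope.select { |p| p.public || (@user && p.user_id == @user.id) }
    end
  end
end

# Stand-in for Pundit's controller helper: derives the policy class from the
# record's class name and raises when the predicate returns false.
def authorize(user, record, query)
  policy_class = Object.const_get("#{record.class.name}Policy")
  policy = policy_class.new(user, record)
  unless policy.public_send(query)
    raise NotAuthorizedError, "not allowed to #{query} this #{record.class.name}"
  end
  record
end

# Stand-in for Pundit's policy_scope helper.
def policy_scope(user, records, policy_class = PostPolicy)
  policy_class::Scope.new(user, records).resolve
end

if __FILE__ == $PROGRAM_NAME
  alice  = User.new(id: 1, admin: false)
  secret = Post.new(id: 11, user_id: 3, public: false)
  puts PostPolicy.new(alice, secret).show?   # false: not public and not hers
end
```

Because the rules are ordinary methods, each predicate can be unit-tested directly, and the Scope class is what keeps index pages from leaking records that the per-record predicates would have rejected.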

Demerit
・ Only one rule applies to each model + action name. If the screen controller and the API controller need different rules for the same action name, pundit cannot separate them.

Reference URL
・ https://qiita.com/senou/items/e28ff548e93ad0eeed3f

banken (downloads: 285,710)

https://github.com/kyuden/banken

What you can do
・ Removes pundit's restriction that model and policy are one-to-one: authorization conditions for each action are written per controller instead.

Basic usage
・ Generate a Loyalty class (banken's name for a policy) for each controller.
・ Write the authorization condition for each action name in it, then call authorize on the controller side to get the decision.

Demerit
・ Far fewer users than pundit or cancancan.
・ Unlike pundit, there is no scope feature for narrowing collections.

Reference URL
・ Slides: https://speakerdeck.com/kyuden/rails-authorization
・ https://github.com/kyuden/banken (Japanese documentation)

Rolify (downloads: 6,307,168) (role assignment gem)

https://github.com/RolifyCommunity/rolify

What you can do
・ Associates roles with the model used for authentication, such as User; the Role model and the role methods are generated for you.
・ It is a gem for assigning roles, not for the authorization checks that come afterwards.
・ One user can hold several roles.

Basic usage
・ Assign a role with add_role when creating the user.
・ Check whether the user holds a role with user.has_role?. The access control that follows from the role is then set up with cancancan or pundit.
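The following added example is a plain-Ruby stand-in for the add_role / has_role? usage above, not the rolify gem itself. It covers item 2 of the role-setting list earlier in this memo (one user holding several roles) and also shows roles scoped to a single resource. Role, Forum, User and the can_moderate? check are constructed for this illustration, and the rule that a global role satisfies a resource-scoped query is an assumption modelled on rolify's non-strict default.

```ruby
# Added example: a plain-Ruby stand-in for rolify's add_role / has_role?,
# not the gem. Role, Forum, User and can_moderate? are constructed here.

Role  = Struct.new(:name, :resource_type, :resource_id, keyword_init: true)
Forum = Struct.new(:id, :title, keyword_init: true)

class User
  attr_reader :id, :roles

  def initialize(id)
    @id = id
    @roles = []   # rolify keeps these in a roles table plus a users_roles join table
  end

  # Grant a role. Pass a resource to scope the role to it; omit it for a global role.
  def add_role(name, resource = nil)
    role = Role.new(name: name.to_sym,
                    resource_type: resource&.class&.name,
                    resource_id: resource&.id)
    @roles << role unless @roles.include?(role)   # Struct equality makes this idempotent
    self
  end

  def remove_role(name, resource = nil)
    @roles.reject! do |r|
      r.name == name.to_sym &&
        r.resource_type == resource&.class&.name &&
        r.resource_id == resource&.id
    end
    self
  end

  # A global role answers any query for that name; a scoped role answers only
  # for its own resource (assumption: modelled on rolify's non-strict default).
  def has_role?(name, resource = nil)
    @roles.any? do |r|
      next false unless r.name == name.to_sym
      next true if r.resource_type.nil?
      !resource.nil? && r.resource_type == resource.class.name && r.resource_id == resource.id
    end
  end

  def role_names
    @roles.map(&:name).uniq
  end
end

# The authorization check stays separate from the grant: it only reads roles.
# In a real app this line would live in a cancancan Ability or a pundit policy.
def can_moderate?(user, forum)
  user.has_role?(:admin) || user.has_role?(:moderator, forum)
end

if __FILE__ == $PROGRAM_NAME
  forum = Forum.new(id: 1, title: "general")
  mod   = User.new(1).add_role(:editor).add_role(:moderator, forum)
  puts can_moderate?(mod, forum)   # true: scoped moderator on this forum
end
```

Keeping the grant (add_role) and the check (has_role? inside an Ability or policy) in separate places is what lets the role table change without touching the authorization rules, which is the division of labour the memo describes between rolify and cancancan/pundit.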

Reference URL
・ https://qiita.com/tatsurou313/items/0f632887d049e9503e3b
・ https://github.com/RolifyCommunity/rolify

Other

Clearance and authlogic are also options for authentication, but they are omitted here.
