A memo from investigating how to manage roles and access privileges in Rails
Authorization: ・ Cancancan ・ Pundit ・ Banken
Cancancan's single configuration-style Ability file looks simple, and Pundit and Banken, whose rules are plain Ruby, also look easy to work with. Pundit wins on popularity. However, Banken's slides say the author built it to address the pain points of both cancancan and Pundit, so Banken looks attractive.
Role assignment: ・ Rolify
An outline of each gem follows below.
Overview of each gem
The following slides make the differences between cancancan, pundit, and banken easy to understand: https://speakerdeck.com/kyuden/rails-authorization
The following is a reference comparing cancancan and pundit: https://www.icare.jpn.com/dev_cat/pundit%E3%81%A8cancancan%E3%81%AE%E6%AF%94%E8%BC%83/
I saw a description saying that sorcery is easier to customize for authentication, so I think sorcery is the safer choice as a general-purpose template.
So: Authentication: sorcery / Authorization: banken (or pundit) / Role assignment: rolify (or a home-grown implementation)
That combination seems general purpose.
It feels similar to the structure in the Gunosy blog post below (or perhaps I am just being pulled along by it):
https://tech.gunosy.io/entry/gunosy-admin-rails
cancancan: https://github.com/CanCanCommunity/cancancan
What you can do: ・ Permission conditions are defined per role as model + action, all in a single Ability class file.
Basic usage: ・ Create an Ability class and write the rules in cancancan's own DSL. ・ The basic form is `can` / `cannot`, then the action name, the model, and an optional condition hash.
class Ability
  include CanCan::Ability

  def initialize(user)
    # Anyone, including guests (user is nil), can read public posts
    can :read, Post, public: true
    if user.present?
      # A logged-in user can also read their own posts
      can :read, Post, user_id: user.id
      if user.admin?
        # Admins can read every post, regardless of owner or visibility
        can :read, Post
      end
    end
  end
end
Demerits: ・ There is a learning cost for the custom notation. ・ Because every role's can / cannot rules for every model live in one Ability file, the file grows easily; with many conditional branches it becomes hard to follow.
Reference URLs: https://qiita.com/senou/items/e28ff548e93ad0eeed3f https://qiita.com/naoki85/items/266c8d7ab469cc6ab1fe https://qiita.com/umanoda/items/679419ce30d1996628ed https://happy-teeth.hatenablog.com/entry/2018/12/09/002905
pundit: https://github.com/varvet/pundit
What you can do: ・ A Policy class is created for each model, and the authorization condition for each action name is defined in it. ・ Rules are plain Ruby. ・ Note: by default one policy is associated with one model, so when the same model is used from both the API and the normal screens, both sets of rules end up in one policy file.
Basic usage: ・ Create a Policy file for each model. ・ Write one predicate method per action (e.g. `update?`) in the Policy, returning true or false. ・ Call `authorize` from the controller; it raises `Pundit::NotAuthorizedError` when the predicate returns false, so rescue that (e.g. with `rescue_from` in ApplicationController) to control the response.
Demerit: ・ Only one definition applies per model + action name. If the screen controller and the API controller need different rules for the same action name, a single policy cannot express that directly. (One workaround: `authorize` accepts an explicit query name, e.g. `authorize post, :api_update?`, so the predicates can be named differently even when the controller actions share a name.)
Reference URL: https://qiita.com/senou/items/e28ff548e93ad0eeed3f
banken: https://github.com/kyuden/banken
What you can do: Pundit's restriction that model and policy must be one-to-one is removed; authorization conditions per action are described per controller instead.
Basic usage: ・ Generate a Loyalty file (Banken's name for a policy) for each controller. ・ Write the authorization condition for each action name and call authorize on the controller side to make the decision.
Demerits: ・ Far fewer users than pundit or cancancan. ・ Unlike pundit, there is no scope feature (no equivalent of `policy_scope`).
Reference URLs: Slides https://speakerdeck.com/kyuden/rails-authorization, https://github.com/kyuden/banken (Japanese documentation available)
rolify: https://github.com/RolifyCommunity/rolify
What you can do: Roles can be attached to the model used for authentication, such as User. The Role model and the role-handling methods are generated for you. It is a gem for assigning roles (the step before authorization), not an authorization mechanism itself. One user can hold multiple roles.
Basic usage: ・ Assign a role with `user.add_role(:name)`, e.g. when creating the user. ・ Check whether the user holds a role with `user.has_role?(:name)`. ・ The actual access control is then implemented with cancancan or pundit on top of those checks.
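The Pundit usage steps above (policy per model, one predicate per action, `authorize` from the controller) and this rolify step (policy rules built on `has_role?`) can be shown together. The following is an added example, not code from this memo or from the pundit or rolify projects: a Pundit-style `PostPolicy` whose `admin?` rule consults a rolify-style `has_role?`. It assumes plain Structs in place of ActiveRecord models, an `add_role` / `has_role?` stand-in for the methods rolify generates, a Ruby Array in place of an ActiveRecord relation for the Scope, and hypothetical `authorize` / `policy_scope` stand-ins that do the same policy lookup Pundit's controller helpers do, so the file runs without either gem. The sample users and posts are constructed.

```ruby
# Stand-in for a rolify-enabled User. rolify would persist roles in a
# roles table and generate add_role / has_role?; here roles is an Array.
User = Struct.new(:id, :roles) do
  def add_role(name)   # rolify: user.add_role :admin
    roles << name.to_sym
  end

  def has_role?(name)  # rolify: user.has_role? :admin
    roles.include?(name.to_sym)
  end
end

Post = Struct.new(:id, :user_id, :published)

# Raised by the authorize stand-in, mirroring Pundit::NotAuthorizedError.
class NotAuthorizedError < StandardError; end

# A Pundit policy as you would write it in app/policies/post_policy.rb:
# initialize(user, record), one predicate per controller action, and a
# nested Scope class used by policy_scope.
class PostPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def show?
    record.published || owner? || admin?
  end

  def update?
    owner? || admin?
  end

  def destroy?
    admin?
  end

  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    # Admins see everything; everyone else sees published posts plus their own.
    # With ActiveRecord this would be scope.where(...); here scope is an Array.
    def resolve
      return scope if user && user.has_role?(:admin)
      scope.select { |p| p.published || (user && p.user_id == user.id) }
    end
  end

  private

  def owner?
    user && record.user_id == user.id
  end

  # The rolify role check is the only place a role name appears.
  def admin?
    user && user.has_role?(:admin)
  end
end

# Hypothetical stand-in for Pundit's `authorize(record, query)`: find the
# policy by naming convention (Post -> PostPolicy), call the "<action>?"
# predicate, raise when it is false. Pundit's helper does the same lookup.
def authorize(user, record, query)
  policy = Object.const_get("#{record.class}Policy").new(user, record)
  raise NotAuthorizedError, "not allowed to #{query} #{record.class}" unless policy.public_send(query)
  record
end

# Hypothetical stand-in for Pundit's policy_scope(Post).
def policy_scope(user, collection, policy: PostPolicy)
  policy::Scope.new(user, collection).resolve
end

# Returns true/false instead of raising, the way a controller's
# rescue_from Pundit::NotAuthorizedError would turn the error into a 403.
def allowed?(user, post, query)
  authorize(user, post, query)
  true
rescue NotAuthorizedError
  false
end

# Constructed sample data: two ordinary users, one admin, and a guest (nil).
ALICE = User.new(1, [])
BOB   = User.new(2, [])
ADMIN = User.new(3, []).tap { |u| u.add_role :admin }
GUEST = nil
POSTS = [Post.new(10, 1, true), Post.new(11, 1, false), Post.new(12, 2, false)]
```

Because `admin?` is the only method that names a role, changing who counts as an admin (for example, adding an `:editor` role) touches the policy in one place, while rolify keeps the per-user assignment in the database.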
Reference URLs: https://qiita.com/tatsurou313/items/0f632887d049e9503e3b https://github.com/RolifyCommunity/rolify
There are also Clearance and Authlogic for authentication, but they are omitted here.