Pundit VS CanCanCan

https://github.com/varvet/pundit Popular open-source Ruby library focused around the notion of policies, giving you the freedom to implement your own approach based on that.

PS If you do mobile / web work (or something else with "detached" UI), I find that declarative access control rules are far superior to imperative ones, because they can be serialized and shipped over the wire. For example, backend running cancancan can be easily send the same rules to casl on the frontend, while if you used something like pundit to secure your backend, you either end up re-implementing it in the frontend, or sending ton of "canEdit" flags with every record.

You can use a combination of an authorization gem (https://github.com/varvet/pundit) and decorators (https://www.rubyguides.com/2018/04/decorator-pattern-in-ruby/) if you want to extend functionality based on their roles.

Use Action Policy or Pundit, and write tests for your policies. Authz is worth testing with near complete coverage.

Pundit: Pundit is a gem that uses simple Ruby objects, and it is probably the simplest policy gem we will cover. Is simple to use, has minimal authorization, and is similar to using pure Ruby. With 7.3k stars on GitHub, it is currently the most popular policy gem.

If you come from the Rails world, you might be familiar with some gems that provide APIs to handle this, the most popular ones being cancancan and pundit.

A very common pattern in Rails development is for a view to contain checks for things like current_user.can?(:take_some_action). These types of checks are common, especially in B2B applications that implement role-based permissions powered by a solution like Pundit.

authorization with pundit

Right now, all access control is done using Pundit and since most things are server side rendered, not only are the API endpoints authorized by Pundit policies, but some UI components conditionally render based on these policies as well.

You may ask what's makes Active Entry better or different from other gems like Pundit, Action Policy (especially), or CanCanCan.

https://github.com/CanCanCommunity/cancancan (Ruby on Rails ABAC) Same like casl.js, but for Ruby on Rails! Casl.js was actually inspired and modeled by cancancan.

In production code you would most likely use a library for access control, such as CanCanCan

PS If you do mobile / web work (or something else with "detached" UI), I find that declarative access control rules are far superior to imperative ones, because they can be serialized and shipped over the wire. For example, backend running cancancan can be easily send the same rules to casl on the frontend, while if you used something like pundit to secure your backend, you either end up re-implementing it in the frontend, or sending ton of "canEdit" flags with every record.

You can use a gem like cancancan (https://github.com/CanCanCommunity/cancancan )to manage authorization, and its helpers to show stuff based on what a user can do

It fails deadly -- forgetting to pass an instance grants unintended access, and this problem is so bad they have a document explaining how to avoid it. If you use a permission in an unintended way, it should not grant access.

CanCanCan: CanCanCan is another authorization library for Ruby and Ruby on Rails. It is an alternative to CanCan and is currently being maintained. With 4.9k stars on GitHub, it is the least popular, but it works pretty well and is well maintained.

I have worked on Ruby On Rails for 10 years now, and I also became the maintainer of one of the most historical gems, CanCanCan. Ruby On Rails was my bet ten years ago, when I quit my previous job, to switch from Java to Ruby, and to move from Italy to Switzerland at the same time.

If you come from the Rails world, you might be familiar with some gems that provide APIs to handle this, the most popular ones being cancancan and pundit.

I am using cancancan I will check it out when it's done thx!