
Compare Pundit and Action Policy and define if we should change the standard

Open malparty opened this issue 8 months ago • 0 comments

Why

Pundit is very flexible, but does not provide some important features:

Caching permissions within the context of the requests

Permissions often rely on DB calls. By default, you might end up with the N+1 queries issue (e.g. in an index view, showing/hiding the edit button with a call to the policy: 20 items per page means 20 DB calls just for 1 button).

Building a custom cache is possible with Pundit, but it opens the door to errors. Action Policy ships with a built-in cache feature that works with Redis too :)

Named Scopes

When the business logic becomes more complex, we often need more than 1 single authorization Scope.

For example, in an HR tool to manage "employee leave requests", a "Manager" is both an Employee and a Manager. The Manager will have a page to view and approve/refuse the requests of their reporting employees. On these pages, you want a different Scope (e.g. scope_for :manager) than on the page where any employee can request their own leave (e.g. scope_for :own) – Managers will use both, but in different use cases.

Once again, this is possible with Pundit: you can use 2 different Policies and explicitly select the right policy when needed. But this breaks the beauty of "1 model, 1 policy" and adds complexity (e.g. which policy to use to check "leaves" permissions for the main menu?!).

Read more in the Action Policy / Scoping doc.

Custom contexts

In many projects, we rely on more than just current_user to check permissions. current_tenant, or other Models, might be needed too. Action Policy lets you configure custom policy contexts.

More

Watch https://www.youtube.com/watch?v=NVwx0DARDis&list=WL&index=1&t=1s&ab_channel=Vercel and read the documentation for more insights.

What?

This issue requires some research, practice, and discussion. The most appropriate format would be an Engineering Initiative, but it can also be solved within other projects.

In the end, we need to create:

  • GitHub Discussion with the pros/cons found while putting Action Policy into practice (as opposed to Pundit)
  • GitHub Discussion poll for voting

If the result leads to the adoption of Action Policy:

  • Compass PR to update the new "recommended" tool
  • Rails Template PR to update the Gemfile

Who Benefits?

Ruby Developers with the possibility of improved tools for handling Authorization.

malparty · Jun 07 '24 07:06
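Added example, not part of the issue above and not code from either gem: a plain-Ruby sketch (no Pundit or Action Policy dependency) of the two mechanisms the issue asks for, a per-request policy cache that removes the N+1 from the index-view scenario, and named scopes (`:own` vs `:manager`) over one `LeavePolicy`, with an authorization context object that carries more than `current_user`. `Employee`, `LeaveRequest`, `Store`, `LeavePolicy`, `AuthorizationContext`, the method names `allowed_to?`/`authorized_scope`/`scope_for` and the fixture data are all constructed for this illustration; the in-memory `Store` counts lookups so the difference between 20 DB calls and 1 is measurable.

```ruby
# Plain-Ruby sketch of per-request policy caching and named scopes.
# No Pundit or Action Policy dependency; every class and method name
# below is constructed for this illustration, not either gem's API.
Employee     = Struct.new(:id, :manager_id)
LeaveRequest = Struct.new(:id, :employee_id)

# In-memory stand-in for the database that counts lookups,
# so the N+1 effect described in the issue is measurable.
class Store
  attr_reader :leave_requests, :queries
  def initialize(employees, leave_requests)
    @employees, @leave_requests, @queries = employees, leave_requests, 0
  end

  # "SELECT * FROM employees WHERE manager_id = ?": one DB call.
  def reports_of(manager)
    @queries += 1
    @employees.select { |e| e.manager_id == manager.id }
  end
end

class LeavePolicy
  def initialize(user, store)
    @user, @store = user, store
  end

  # Rule behind the approve button: is the user the filer's manager?
  def approve?(leave_request)
    report_ids.include?(leave_request.employee_id)
  end

  # Named scopes: one relation, filtered differently per page.
  #   :own     -> "my leaves" page, available to every employee
  #   :manager -> approval page, only meaningful for managers
  def scope_for(type, relation)
    case type
    when :own     then relation.select { |lr| lr.employee_id == @user.id }
    when :manager then relation.select { |lr| report_ids.include?(lr.employee_id) }
    else raise ArgumentError, "unknown scope #{type.inspect}"
    end
  end

  private
  # Memoized per policy instance: the lookup runs at most once per instance.
  def report_ids
    @report_ids ||= @store.reports_of(@user).map(&:id)
  end
end

# Per-request authorization context. Built once per request, it returns the
# same policy instance for every check, so the memoization above collapses 20
# lookups into 1. It also carries more than current_user (the store here; a
# current_tenant would be passed the same way).
class AuthorizationContext
  def initialize(user, store)
    @user, @store, @policies = user, store, {}
  end

  def allowed_to?(rule, record, with: LeavePolicy)
    policy_for(with).public_send(rule, record)
  end

  def authorized_scope(relation, type:, with: LeavePolicy)
    policy_for(with).scope_for(type, relation)
  end

  private
  def policy_for(klass)
    @policies[klass] ||= klass.new(@user, @store)
  end
end

# Constructed fixture: manager 1 with reports 2 and 3, employee 4 reporting
# elsewhere, and 20 leave requests spread evenly over the four employees.
def build_fixture
  employees = [Employee.new(1, nil), Employee.new(2, 1), Employee.new(3, 1), Employee.new(4, 9)]
  requests  = (1..20).map { |i| LeaveRequest.new(i, [1, 2, 3, 4][i % 4]) }
  [Store.new(employees, requests), employees.first]
end

# Index view with one approve button per row. `cached: false` builds a fresh
# policy per row (the N+1 from the issue); `cached: true` reuses one context.
def index_demo(cached:)
  store, manager = build_fixture
  ctx = AuthorizationContext.new(manager, store)
  shown = store.leave_requests.count do |lr|
    cached ? ctx.allowed_to?(:approve?, lr) : LeavePolicy.new(manager, store).approve?(lr)
  end
  { buttons: shown, queries: store.queries }
end

# The two pages a manager uses, each through its own named scope.
def scopes_demo
  store, manager = build_fixture
  ctx = AuthorizationContext.new(manager, store)
  { own:     ctx.authorized_scope(store.leave_requests, type: :own).map(&:id),
    manager: ctx.authorized_scope(store.leave_requests, type: :manager).map(&:id),
    queries: store.queries }
end
```

`index_demo(cached: false)` shows the same 10 buttons as `index_demo(cached: true)` but costs 20 lookups instead of 1; the only difference is whether the policy instance (and its memoized `report_ids`) survives across rows. The same `AuthorizationContext` is what a `scope_for :own` / `scope_for :manager` split needs: both scopes live on one policy, so the "which policy for the main menu?" question from the issue does not arise.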