ruby

Advanced Usages of Action Policy for Ruby on Rails

Aestimo Kirina

Aestimo Kirina on

Advanced Usages of Action Policy for Ruby on Rails

In part one of this series, we looked at some basic usages of Action Policy. Now we'll leverage Action Policy for more advanced authorization use cases.

First up, let's explore applying pre-checks.

Pre-checks

Let's say we want users with "editor" status to have access to a post's show, update, and destroy actions, like so:

Ruby
# app/policies/posts_policy.rb class PostPolicy < ApplicationPolicy def show? user.editor || user.reader || user.id == record.user_id end def update? user.editor || (user.id == record.user_id) end def destroy? user.editor || user.id == record.user_id end end

We can refactor this policy code using an Action Policy pre-check that extracts common rules into pre-checks:

Ruby
# app/policies/posts_policy.rb class PostPolicy < ApplicationPolicy pre-check :allow_editors def show? user.reader || user.id == record.user_id end def update? user.id == record.user_id end def destroy? user.id == record.user_id end private def allow_editors allow! if user.editor end end

Scopes

Another Action Policy feature that deserves our attention is scoping. Scopes filter data depending on any authorization rules you've set.

Using our blog app as an example, let's say we want to apply the following rules to the posts index action:

  • List all posts for all users with the "editor" role
  • List only posts that a user has created if they have the "author" role

Without using any Action Policy authorization, the posts controller index action looks like any generic index action:

Ruby
# app/controllers/posts_controller.rb class PostsController < ApplicationController ... def index @posts = Post.all end ... end

We'll need to utilize Action Policy scoping to refactor this action and apply the outlined access rules. Scoping rules are defined within a policy class and applied in the respective controller using the authorized_scope or authorized methods.

First modify the Post policy, like so:

Ruby
# app/policies/posts_policy.rb class PostPolicy < ApplicationPolicy ... relation_scope do |scope| if user.editor? scope end end end relation_scope(:own) do |scope| scope.where(user: user) end end ... end

Then the posts controller's index action, as shown below:

Ruby
# app/controllers/posts_controller.rb class PostsController < ApplicationController ... def index @posts = authorized_scope(Post, type: :relation, as: :own) end ... end

Caching in Action Policy for Ruby and Rails

Action Policy is a performant authorization library, partly thanks to its efficient use of caching.

It has several cache layers for you to leverage, including memoization and external caching.

Memoization

Consider a situation where the same rule is called several times on an object instance. For example, let's say we need to load all comments associated with a post within the index action:

Ruby
# app/controllers/posts_controller.rb class PostsController < ApplicationController ... def index @posts = authorized_scope(Post.includes(comments), ...) end ... end

Now, imagine there's an "edit" link for every comment a post has within the index view. As you can see, this is a resource-intensive undertaking since we need to check if the current user is allowed to first access the post index, and then edit a post's comments. If a post has multiple comments, this would mean loading the authorization policy multiple times.

In a situation like this, Action Policy will re-use the required policy instance — specifically, the record.policy_cache_key — as one of the identifiers in the local store.

This kind of caching works well for short-lived requests, but if you need to cache resource-intensive rules that will be persisted across requests, using an external cache store is a better option.

Using an External Cache Store

If you need to run access control rules that utilize complex database queries, for example, you can use an external cache store such as Redis. Your rules cache will be made available across requests. You just need to remember to explicitly define which rules to cache within the policy class:

Ruby
# app/policies/post_policy.rb class PostPolicy < ApplicationPolicy cache :index? def show? # some complex database heavy rules... end .... end

And configure the cache store for your app:

Ruby
# config/application.rb Rails.application.configure do |config| config.action_policy.cache_store = :redis_cache_store end

Quick tip: There's a lot more to this. Dig into the Action Policy caching documentation for more information.

Aliases in Action Policy for Rails

An alias is an alternative way to name policies so that they make more sense.

Let's check out an example using our blog app. Consider this Post policy:

Ruby
# app/policies/post_policy.rb class PostPolicy < ApplicationPolicy alias_rule :destroy?, :update?, to: :manage_post? ... def manage_article? user.editor || user.id == record.user_id end ... end

Here, we combine the update? and destroy? rules into one alias called manage_post?.

Then we use it in the controller, like so:

Ruby
# app/controllers/posts_controller.rb class PostsController < ApplicationController ... def update authorize! :manage_post?, @post ... end # DELETE /posts/1 or /posts/1.json def destroy authorize! :manage_post?, @post ... end ... end

Finally, let's quickly look at how to handle unauthorized access.

Handling Unauthorized Access in a Ruby and Rails App

If a user tries to access a resource they shouldn't, an ActionPolicy::Unauthorized error is raised.

You need to explicitly handle this error in your app's ApplicationController, like so:

Ruby
# app/controllers/application_controller.rb class ApplicationController < ActionController::Base rescue_from ActionPolicy::Unauthorized do redirect_to root_path, alert: 'Access denied.' end end

And that's it!

Wrapping Up

In this post, we explored advanced Action Policy features, including pre-checks, scopes, caching, aliases, and finally, handling unauthorized access.

From basic rules to complex conditional scenarios, Action Policy has everything you need to handle almost any authorization scenario. Use this library in your next project and see how powerful it is.

Happy coding!

P.S. If you'd like to read Ruby Magic posts as soon as they get off the press, subscribe to our Ruby Magic newsletter and never miss a single post!

Aestimo Kirina

Aestimo Kirina

Our guest author Aestimo is a full-stack developer, tech writer/author and SaaS entrepreneur.

All articles by Aestimo Kirina

Become our next author!

Find out more

AppSignal monitors your apps

AppSignal provides insights for Ruby, Rails, Elixir, Phoenix, Node.js, Express and many other frameworks and libraries. We are located in beautiful Amsterdam. We love stroopwafels. If you do too, let us know. We might send you some!

Discover AppSignal
AppSignal monitors your apps