Pundit

A breakdown of the popular Rails authorization library

At some point while you’re developing your Rails application you will likely get to a point where you need to authorize access to an object. You can do this in a few different ways, such as scoping the lookup calls to the current user or company, using a library, or completely segregating data in the database. When it comes to Rails authorization libraries there are three real contenders: Pundit, CanCanCan, and ActionPolicy. I have always been a Pundit guy myself because it’s simple, familiar, and easy to work with.

In this week’s edition we are going to look at the code behind Pundit and see how it stacks up. Let’s get to it.

Documentation

The documentation for Pundit is great. It shows you the ins and outs of using the library as well as more advanced usage options. It shows you how to get up and running quickly and gradually walks you through the various patterns and options such as scopes and ensuring that policies and scopes are used.

If you are browsing the source code or API docs you will notice that all of the public methods are documented. This really helps the developer out when attempting to customize Pundit or perform more advanced tasks.

pundit.rb

The main Pundit module is pretty minimal, which I believe is a good thing. It defines a few error classes and helper methods for performing actions such as authorizing an object or looking up a policy or scope. The methods themselves are wrappers around PolicyFinder, delegating most of the responsibility to that class.

Policy Lookup

For backward compatibility purposes it also has a guard just in case you attempt to include Pundit directly, warning the developer that they likely meant to include Pundit::Authorization. I thought that was a nice touch of developer experience.

Pundit#included

Methods

The first thing that I noticed when browsing the source code is how small most of the methods are. The majority of the methods in the library are 3 or fewer lines of code. That is a great sign that the methods only have a single responsibility. They do one thing and do it well. The names of the methods clearly reveal what each one does or what it returns. This makes using the library feel very intuitive.

authorization.rb

The most complex method, in my opinion, is PolicyFinder#find. It still manages to weigh in at only 12 lines of code. The method, as you may have guessed, attempts to find the appropriate policy class for your object. It uses a little meta-programming and duck typing to figure out the appropriate policy class name. The most complex bit is the case where you pass an array and it has to build a nested namespace from it.

PolicyFinder#find
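To make the lookup described above concrete, here is an added example: a simplified re-implementation of the policy-finding logic, not Pundit’s own source. It mirrors the duck typing (a `policy_class` override on the object or its class) and the array-to-namespace case; real Pundit also honours `model_name` on ActiveModel objects, which is omitted here, and the sample models, policies and the `camelize` helper are constructed for the example.

```ruby
SUFFIX = "Policy"
class NotDefinedError < StandardError; end

# Stand-in for ActiveSupport's String#camelize so this runs without Rails.
def camelize(str)
  str.to_s.split("_").map(&:capitalize).join
end

# Class-name fragment for one subject: a Class, a Symbol, or a model instance.
def find_class_name(subject)
  if subject.is_a?(Class) then subject.name
  elsif subject.is_a?(Symbol) then camelize(subject)
  else subject.class.name
  end
end

# Build the policy class *name*. An Array such as [:admin, post] yields
# "Admin::PostPolicy": every element but the last becomes a namespace segment
# and the last is resolved like a plain subject (recursively).
def policy_name(subject)
  if subject.is_a?(Array)
    modules = subject.dup
    last = modules.pop
    context = modules.map { |m| find_class_name(m) }.join("::")
    [context, policy_name(last)].reject(&:empty?).join("::")
  elsif subject.respond_to?(:policy_class)       # duck typing: instance override
    subject.policy_class.name
  elsif subject.class.respond_to?(:policy_class) # duck typing: class override
    subject.class.policy_class.name
  else
    "#{find_class_name(subject)}#{SUFFIX}"
  end
end

# Resolve the name to a constant. A missing policy is a hard error, never a
# silent allow: fail-closed is the behaviour you want from an authorizer.
def policy_class_for(subject)
  Object.const_get(policy_name(subject))
rescue NameError
  raise NotDefinedError, "unable to find policy #{policy_name(subject)} for #{subject.inspect}"
end

# Constructed sample models and policies standing in for a Rails app.
class Post; end
class PostPolicy; end
module Admin; class PostPolicy; end; end
class LegacyPost
  def self.policy_class; PostPolicy; end  # opts out of name-based lookup
end
```

Calling `policy_class_for([:admin, Post.new])` returns `Admin::PostPolicy`, while a subject with no matching policy raises `NotDefinedError` instead of quietly resolving to nothing.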

TL;DR

Pundit is a great gem to reach for when you need an authorization library. It is simple to read and well documented. The library does do more than strictly authorization (scopes and permitted attributes) but it does those things well. If you’re interested in the code you can read it in less than an hour and have a good understanding of how things work. It’s also a great library to recreate from scratch to really gain an understanding of what it does, how it does it, and why it does it a specific way.

Until next time!