Action Access works great with Rails 4, has very clear syntax and it's really lightweight.
It boils down to this:

```ruby
class ArticlesController < ApplicationController
  let :admin, :all
  let :user, [:index, :show]

  # ...
end
```
This will automatically lock the controller, allowing admins to access every action, users only to show or index articles and anyone else will be rejected and redirected with an alert.
Everything related to the controller is within the controller making it really modular and avoids leaving forgotten trash when you refactor.
For granular control you can use `not_authorized!` inside actions to check against data from the database or whatever you need.
It's completely independent of the authentication system and it can work even without `User` models or predefined roles. All you need is to set the clearance level for the current request:

```ruby
class ApplicationController < ActionController::Base
  def current_clearance_level
    session[:role] || :guest
  end
end
```
You may return whatever your app requires, like `current_user.role` for example.
It also bundles a set of handy model additions that allow you to extend user models and do things like:

```erb
<% if current_user.can? :edit, :article %>
  <%= link_to 'Edit article', edit_article_path(@article) %>
<% end %>
```
`:article` refers to `ArticlesController`, so the link will only be displayed if the current user is authorized to access the `edit` action in `ArticlesController`. Namespaces are supported too.
You can lock controllers by default, customize the redirection path and the alert message, etc. Check out the documentation for more.
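To make the allow-list semantics of the `let` declarations concrete, here is a small stand-alone Ruby model of the clearance check the answer describes. It is an added example, not the action_access gem's code: the `ClearanceTable`, `#let`, `#authorized?`, `Viewer#can?` names and the `lock_by_default` option are hypothetical, and the rules are a constructed copy of the `ArticlesController` declarations above. The point it shows is that a role with no rule on a locked controller is denied (the redirect-with-alert case), `:all` is a wildcard, and the view-side `can?` is the same check asked from the user's side.

```ruby
# Added example modelling action_access-style clearance rules (NOT the gem's code).
# Names and the lock_by_default behaviour are assumptions for illustration.

class ClearanceTable
  # lock_by_default: when true, a controller with no rules rejects every role
  # (the "lock controllers by default" setting mentioned in the answer).
  def initialize(lock_by_default: true)
    @lock_by_default = lock_by_default
    # { controller => { role => :all | [actions] } }
    @rules = Hash.new { |h, k| h[k] = {} }
  end

  # Declare that `role` may call `actions` (an Array or :all) on `controller`.
  def let(controller, role, actions)
    @rules[controller][role] = actions == :all ? :all : Array(actions).map(&:to_sym)
    self
  end

  # Default deny: only an explicit rule for this role grants access.
  def authorized?(role, controller, action)
    return !@lock_by_default unless @rules.key?(controller) # unlisted controller
    allowed = @rules[controller][role]
    return false if allowed.nil?                            # no rule for role
    allowed == :all || allowed.include?(action.to_sym)
  end
end

# Mirrors the `current_user.can? :edit, :article` helper from the answer:
# same table lookup, phrased from the viewer's side.
class Viewer
  def initialize(table, role)
    @table = table
    @role = role
  end

  def can?(action, controller)
    @table.authorized?(@role, controller, action)
  end
end

# Constructed rules equivalent to the answer's ArticlesController.
RULES = ClearanceTable.new
  .let(:articles, :admin, :all)
  .let(:articles, :user, [:index, :show])

# Which of the given actions would `role` be allowed to reach on `controller`?
def allowed_actions(role, controller, actions)
  actions.select { |a| RULES.authorized?(role, controller, a) }
end

if __FILE__ == $0
  %i[admin user guest].each do |role|
    puts "#{role}: #{allowed_actions(role, :articles, %i[index show edit destroy]).inspect}"
  end
  puts "admin can edit? #{Viewer.new(RULES, :admin).can?(:edit, :articles)}"
end
```

Running the file prints the reachable actions per role; note that `:guest` (the fallback in `current_clearance_level`) gets nothing because it was never granted anything, which is exactly the "anyone else will be rejected" behaviour.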