{"id":37988,"date":"2024-07-16T06:27:39","date_gmt":"2024-07-16T06:27:39","guid":{"rendered":"https:\/\/www.railscarma.com\/?p=37988"},"modified":"2024-07-16T06:27:43","modified_gmt":"2024-07-16T06:27:43","slug":"mastering-authorization-in-rails-with-pundit-gem","status":"publish","type":"post","link":"https:\/\/www.railscarma.com\/sv\/blogg\/mastering-authorization-in-rails-with-pundit-gem\/","title":{"rendered":"Mastering Authorization in Rails with Pundit Gem"},"content":{"rendered":"
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Authorization is a critical component of any web application, ensuring that users can only access resources they are permitted to. Pundit is a popular authorization library for Ruby on Rails that allows developers to define fine-grained access rules. This article will guide you through using the Pundit gem for authorization in a Rails ans\u00f6kan<\/a>, complete with an example.<\/p>\n

<\/p>\n

Step-by-Step Guide <\/b><\/h2>\n

1. Adding Pundit to Your Rails Application<\/b><\/p>\n

First, add Pundit to your Gemfile and run bundle install:<\/p>\n

<\/p>\n

gem 'pundit'<\/pre>\n

<\/p>\n
paketinstallation<\/pre>\n
Next, generate the Pundit installation files:<\/p>\n
<\/p>\n
rails generate pundit:install<\/pre>\n
This will create an application_policy.rb<\/b> file in the app\/policies directory, which serves as the default policy for all models.<\/p>\n
2. Defining Policies
<\/b>Policies in Pundit are Plain Old Ruby Objects (POROs) that encapsulate the authorization logic. Each policy corresponds to a model in your application. Let’s consider a simple example where we have a Post model and we want to define authorization rules for it.<\/p>\n
Create a policy for the Post model:<\/b><\/p>\n
<\/p>\n
rails generate pundit:policy post<\/pre>\n
This generates a post_policy.rb <\/b>file in the app\/policies directory.<\/p>\n
3. Implementing Authorization Logic
<\/b>Open the post_policy.rb file and define the authorization rules:<\/p>\n
class PostPolicy < ApplicationPolicy\n  def index?\n    true\n  end\n\n  def show?\n    true\n  end\n\n  def create?\n    user.present?\n  end\n\n  def update?\n    user.present? && user == record.user\n  end\n\n  def destroy?\n    user.present? && user == record.user\n  end\nend
<\/pre>\n
Here, we define methods corresponding to each action (index?, show?, create?, update?, and destroy?). These methods return true or false based on the user and the record being accessed.<\/p>\n
4. Using Policies in Controllers
<\/b>In your controllers, you can use Pundit to authorize actions. First, include the Pundit module in the ApplicationController:<\/p>\n
<\/p>\n
class ApplicationController < ActionController::Base
include Pundit
slutet<\/pre>\n
Then, use the authorize method to check authorization in your PostsController:<\/p>\n
<\/p>\n
class PostsController < ApplicationController\n  before_action :authenticate_user!\n  before_action :set_post, only: [:show, :edit, :update, :destroy]\n\n  def index\n    @posts = Post.all\n    authorize @posts\n  end\n\n  def show\n  end\n\n  def new\n    @post = Post.new\n    authorize @post\n  end\n\n  def create\n    @post = current_user.posts.build(post_params)\n    authorize @post\n    if @post.save\n      redirect_to @post, notice: 'Post was successfully created.'\n    else\n      render :new\n    end\n  end\n\n  def edit\n    authorize @post\n  end\n\n  def update\n    authorize @post\n    if @post.update(post_params)\n      redirect_to @post, notice: 'Post was successfully updated.'\n    else\n      render :edit\n    end\n  end\n\n  def destroy\n    authorize @post\n    @post.destroy\n    redirect_to posts_url, notice: 'Post was successfully destroyed.'\n  end\n\n  private\n\n  def set_post\n    @post = Post.find(params[:id])\n  end\n\n  def post_params\n    params.require(:post).permit(:title, :body)\n  end\nend
<\/pre>\n
In this controller, we use authorize to check permissions before performing any actions.<\/p>\n
5. Handling Unauthorized Access
<\/b>Pundit raises a Pundit::NotAuthorizedError if a user is not authorized to perform an action. You can handle this error globally in the ApplicationController:<\/p>\n
class ApplicationController < ActionController::Base\n  include Pundit\n\n  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized\n\n  private\n\n  def user_not_authorized\n    flash[:alert] = \"You are not authorized to perform this action.\"\n    redirect_to(request.referrer || root_path)\n  end\nend
<\/pre>\n
This way, if a user tries to perform an unauthorized action, they will be redirected with an error message.<\/p>\n
<\/p>\n
Slutsats<\/b><\/h2>\n
Using Pundit for authorization in Rails is a powerful and flexible way to control access to resources in your application. By defining policies and using them in your controllers, you can ensure that users can only perform actions they are authorized for. This covered the basics, but Pundit also supports more complex scenarios, including scopes and custom policy generators.<\/p>\n
For more detailed information, check out the Pundit GitHub repository<\/a><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t  
\r\n        
relaterade inl\u00e4gg<\/div>\r\n    
\r\n\r\n            
\r\n            
\r\n    \r\n\r\n      \"Offliberty\r\n\r\n    <\/a>\r\n  <\/div>\r\n\r\n  \r\n        Vad \u00e4r Offliberty Ruby Gem och hur fungerar den?  <\/a>\r\n\r\n        <\/div>\r\n              
\r\n            
\r\n    \r\n\r\n      \"Rails\r\n\r\n    <\/a>\r\n  <\/div>\r\n\r\n  \r\n        Rails link_to Metod: Den kompletta guiden med exempel  <\/a>\r\n\r\n        <\/div>\r\n              
\r\n            
\r\n    \r\n\r\n      \"Bygg\r\n\r\n    <\/a>\r\n  <\/div>\r\n\r\n  \r\n        Hur man bygger en skalbar SaaS-plattform med Ruby on Rails  <\/a>\r\n\r\n        <\/div>\r\n              
\r\n            
\r\n    \r\n\r\n      \"Ruby\r\n\r\n    <\/a>\r\n  <\/div>\r\n\r\n  \r\n        Ruby Regex Match Guide (2026) med exempel  <\/a>\r\n\r\n        <\/div>\r\n      \r\n  <\/div>\r\n\r\n