Authorization framework for Ruby and Rails

Composable. Extensible. Performant.

Composable Policies

Write clean, reusable authorization rules. Compose policies with aliases, pre-checks, and scoping for any complexity level.

Rails Integration

Seamless integration with Rails controllers, views, and channels. Works out of the box with zero configuration.

Caching

Comprehensive caching system to ensure authorization checks are evaluated once per request.

Testing Tools

First-class testing support with RSpec and Minitest matchers. Verify authorization with expressive, readable specs.

Failure Reasons

Track exactly why authorization failed. Debug complex policies and provide meaningful feedback to users.

i18n & Debugging

Built-in internationalization for error messages and detailed instrumentation for debugging authorization flows.

Define policies, authorize actions

Policy

# app/policies/post_policy.rb
class PostPolicy < ApplicationPolicy
  def update?
    user.admin? || (record.author_id == user.id)
  end

  def destroy?
    user.admin?
  end

  # Scope for collections
  relation_scope do |scope|
    if user.admin?
      scope.all
    else
      scope.where(author: user)
    end
  end
end

Controller

# app/controllers/posts_controller.rb
class PostsController < ApplicationController
  def index
    # Scoped collection
    @posts = authorized_scope(Post.all)
  end

  def update
    @post = Post.find(params[:id])
    # Authorize the action
    authorize! @post
    @post.update!(post_params)
    redirect_to @post
  end
end
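A check worth running against policies like the one above is that the collection scope and the per-record rule never disagree: a post that is visible through the scope but not updatable (or the reverse) is a sign that one side was changed without the other. The following is an added, self-contained example, not code from the Action Policy project: it reproduces the page's update?/destroy? predicates and relation scope in plain Ruby (no gem loaded), with constructed users and posts, and a hypothetical DriftedRules class whose scope was widened to show the mismatch being caught.

```ruby
# Constructed stand-in for the page's PostPolicy: plain Ruby, no action_policy gem.
User = Struct.new(:id, :admin) do
  def admin?
    admin
  end
end
Post = Struct.new(:id, :author_id)

class PostRules
  def initialize(user)
    @user = user
  end

  # Same predicate as PostPolicy#update? on the page
  def update?(post)
    @user.admin? || post.author_id == @user.id
  end

  # Same predicate as PostPolicy#destroy?
  def destroy?(_post)
    @user.admin?
  end

  # Same filter as the relation_scope block, applied to an in-memory array
  def scope(posts)
    @user.admin? ? posts : posts.select { |p| p.author_id == @user.id }
  end
end

# Hypothetical drifted policy: the scope was widened to show author 3's posts
# to everyone, but update? was left unchanged, so scope and rule now disagree.
class DriftedRules < PostRules
  def scope(posts)
    super | posts.select { |p| p.author_id == 3 }
  end
end

# Returns every [user_id, post_id] pair where "visible in the scope" and
# "allowed to update" differ; an empty array means scope and rule agree.
def scope_rule_mismatches(rules_class, users, posts)
  users.flat_map do |u|
    rules = rules_class.new(u)
    visible = rules.scope(posts).map(&:id)
    posts.filter_map { |p| [u.id, p.id] if visible.include?(p.id) != rules.update?(p) }
  end
end

# Constructed sample data: user 1 is an admin, users 2 and 3 each own one post.
USERS = [User.new(1, true), User.new(2, false), User.new(3, false)].freeze
POSTS = [Post.new(10, 2), Post.new(11, 3)].freeze

p scope_rule_mismatches(PostRules, USERS, POSTS)    # => []
p scope_rule_mismatches(DriftedRules, USERS, POSTS) # => [[2, 11]]
```

The same consistency check can be written as an RSpec or Minitest example against the real policy, iterating over fixture users and comparing `authorized_scope` results with `allowed_to?(:update?, post)` for each record.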