
Compare Pundit and Action Policy and define if we should change the standard #519

Open
malparty opened this issue Jun 7, 2024 · 0 comments

@malparty
Member

malparty commented Jun 7, 2024

Why

Pundit is very flexible, but does not provide some important features:

Caching permissions within the context of the requests

Permissions often rely on DB calls. By default, you might end up with the N+1 queries issue (e.g. in an index view, show/hide the edit button with a call to the policy. 20 items per page means 20 DB calls just for 1 button).

Building a custom cache is possible with Pundit, but it opens doors for error. Action Policy ships with a built-in cache feature that works with Redis too :)

Named Scopes

When the business logic becomes more complex, we often need more than 1 single authorization Scope.

For example, in an HR tool to manage "employee leave requests", a "Manager" is both an Employee and a Manager.
The Manager will have a page to view and approve/refuse the requests of their reporting employees. In these pages, you want a different Scope (e.g. scope_for :manager) than on the page where any employee can request their own leaves (e.g. scope_for :own) – Managers will use both, but in different use cases.

Once again, this is possible with Pundit: you can use 2 different Policies and explicitly select the right policy when needed. But this breaks the beauty of 1 model, 1 policy and it adds complexity (e.g. which policy to use to check "leaves" permissions for the main menu?!).

Read more in the Action Policy / Scoping doc.

Custom contexts

In many projects, we rely on more than just current_user to check permissions. current_tenant, or other Models might be needed too. Action Policy makes it possible to configure custom policy contexts.

More

Watch https://www.youtube.com/watch?v=NVwx0DARDis&list=WL&index=1&t=1s&ab_channel=Vercel and read the documentation for more insights.

What?

This issue requires some research, practice, and discussion.
The most appropriate format would be an Engineering Initiative, but it can also be solved within other projects.

In the end, we need to create:

  • GitHub Discussion with the pros/cons found while putting Action Policy into practice (as opposed to Pundit)
  • GitHub Discussion poll for voting

If the result leads to the adoption of Action Policy:

  • Compass PR to update the new "recommended" tool
  • Rails Template PR to update the Gemfile

Who Benefits?

Ruby Developers with the possibility of improved tools for handling Authorization.
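Added example, not part of the issue and not Action Policy's own code: a plain-Ruby sketch of the two features argued for above, a request-scoped cache of policy results and named scopes (`:own` / `:manager`) on a single policy. `Employee`, `LeaveRequest`, `FakeDB` and `LeavePolicy` are constructed stand-ins; the in-memory DB counts queries so the N+1 effect from the "20 items, 1 button" example is measurable.

```ruby
require 'set'

Employee     = Struct.new(:id, :manager_id)
LeaveRequest = Struct.new(:id, :employee_id)

# Constructed in-memory "database" that counts queries, so the N+1 effect shows.
class FakeDB
  attr_reader :queries
  def initialize(employees)
    @employees = employees
    @queries = 0
  end

  def report_ids_for(manager_id)
    @queries += 1
    @employees.select { |e| e.manager_id == manager_id }.map(&:id).to_set
  end
end

# One policy instance per request: rule results and the underlying lookup are
# memoised for that request only (hypothetical stand-in for a built-in cache).
class LeavePolicy
  SCOPES = {
    own:     ->(p, leaves) { leaves.select { |l| l.employee_id == p.user.id } },
    manager: ->(p, leaves) { leaves.select { |l| p.report_ids.include?(l.employee_id) } }
  }.freeze

  attr_reader :user

  def initialize(user:, db:)
    @user, @db, @cache = user, db, {}
  end

  def approve?(leave) = memo([:approve?, leave.id]) { report_ids.include?(leave.employee_id) }
  def report_ids      = memo(:report_ids) { @db.report_ids_for(user.id) }

  # Named scope: the same policy serves the "my leaves" and "my team" pages.
  def scope(name, leaves) = SCOPES.fetch(name).call(self, leaves)

  private

  # key? check (not ||=) so a cached `false` is not recomputed.
  def memo(key) = @cache.key?(key) ? @cache[key] : (@cache[key] = yield)
end

# Index page: 20 leave requests, an "approve" button checked for each one.
def demo
  manager = Employee.new(1, nil)
  staff   = (2..21).map { |i| Employee.new(i, i.even? ? 1 : 99) } # 10 report to manager 1
  db      = FakeDB.new([manager] + staff)
  leaves  = staff.map { |e| LeaveRequest.new(e.id + 100, e.id) }
  policy  = LeavePolicy.new(user: manager, db: db)
  approvable = leaves.count { |l| policy.approve?(l) }
  { approvable: approvable, queries: db.queries,
    own: policy.scope(:own, leaves).size, team: policy.scope(:manager, leaves).size }
end
```

Without the request-scoped memo, the 20 `approve?` calls in `demo` would issue 20 `report_ids_for` queries; with it, the index page and the `:manager` scope together cost one.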

@byhbt byhbt self-assigned this Jun 13, 2024
@byhbt byhbt removed their assignment Aug 8, 2024