declarative_authorization 0.4

I just pushed the decl_auth 0.4 gem to gemcutter.

Major changes since the 0.3 release:

  • Improved DSL: allow nesting of has_many associations for if_permitted_to and if_attribute:

    has_permission_on :companies, :to => :read do
      if_attribute :branches => {
          :manager => { :last_name => is { user.last_name } } }
      if_permitted_to :read, :branches
    end

  • Simplified controller authorization for RESTful controllers with filter_resource_access. Instead of multiple filter_access_to statements, one line is often sufficient:

    class BranchController < ApplicationController
      filter_resource_access :nested_in => :companies
    end

  • Controller namespace handling.  Now, the decl_auth context in controllers is prefixed by the underscored namespace by default. Thanks for all those implementation suggestions in the Github forks.

  • Improved STI handling: the model’s decl_auth context can now be defined explicitly. Just override AModel.decl_auth_context.

  • Test helper to test authorization rules, e.g.

    with_user a_normal_user do
      should_not_be_allowed_to :update, :conferences
      should_not_be_allowed_to :read, an_unpublished_conference
      should_be_allowed_to :read, a_published_conference
    end

  • permitted_to?/! on model level. You may now use those methods in models as you are used to from controllers and views.

  • Switched to gemcutter for gem distribution.

  • Change support in the development support backend (I’ll write a separate blog post on decl_auth change support soon).

And lots of smaller fixes: full change log.
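To make the first bullet concrete, here is a small stand-alone evaluator that mimics how a nested if_attribute condition such as `:branches => { :manager => { :last_name => is { user.last_name } } }` is checked against an object graph. This is an added illustration written for this post, not code from the declarative_authorization gem; the struct classes, `attribute_condition_met?`, `read_permitted?` and the lambda standing in for `is { ... }` are all constructed here. It assumes the usual semantics for a has_many nesting: a collection satisfies the nested condition when any associated record does, while a scalar attribute must equal the expected value.

```ruby
# Added example (not the declarative_authorization gem's code): a toy evaluator
# for nested if_attribute-style conditions. Assumed semantics: a has_many
# collection (modelled as an Array here) matches when ANY record matches;
# belongs_to / has_one records must satisfy every listed attribute; scalar
# leaves must equal the expected value.

User    = Struct.new(:last_name)
Manager = Struct.new(:last_name)
Branch  = Struct.new(:manager)
Company = Struct.new(:branches)

# Leaf conditions are literals or lambdas taking the current user; the lambda
# plays the role of the DSL's `is { user.last_name }`.
def attribute_condition_met?(value, expected, user)
  case expected
  when Hash
    if value.is_a?(Array)
      # has_many association: one matching record is enough
      value.any? { |record| attribute_condition_met?(record, expected, user) }
    else
      # single associated record: every listed attribute must match
      expected.all? do |attr, sub_condition|
        attribute_condition_met?(value.public_send(attr), sub_condition, user)
      end
    end
  when Proc
    value == expected.call(user)
  else
    value == expected
  end
end

# The rule from the release notes, with a lambda instead of is { ... }.
BRANCH_MANAGER_RULE = {
  :branches => { :manager => { :last_name => ->(user) { user.last_name } } }
}

def read_permitted?(company, user)
  attribute_condition_met?(company, BRANCH_MANAGER_RULE, user)
end

# Constructed sample data: a company with two branches and their managers.
def sample_company
  Company.new([Branch.new(Manager.new("Smith")), Branch.new(Manager.new("Jones"))])
end

if __FILE__ == $PROGRAM_NAME
  puts read_permitted?(sample_company, User.new("Smith"))   # true: one manager matches
  puts read_permitted?(sample_company, User.new("Brown"))   # false: no manager matches
  puts read_permitted?(Company.new([]), User.new("Smith"))  # false: no branches at all
end
```

The empty-collection case is the one worth noticing: with any? semantics a company without branches never grants access, so a rule written this way fails closed rather than open.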


  1. Thanks for the update, just let you know that declarative authorization is the best one out there imho. In long run it’s really much easier to manage rules in one place than searching around code. Cheers!

  2. Hi there. I’m just learning rails and I’m looking for authorization solutions. This one looks really interesting, but your github links are all giving me 404... oops, never mind, looks like github is having issues in general :)
    OK, I’ll keep my eye on this and hope to learn more soon!

  3. I found the namespace documentation a little hard to follow. It would be nice if the documentation said something like:

    Given the following Controller:
    class SubscriptionAdmin::AccountsController [:index, :show, :new, :create, :edit, :update, :destroy]


  4. My last comment got messed up, not sure how. Just to clarify, I did figure it out then.

  5. How to set permission for a custom method?
    has_permission_on :foos, :to => :ownmethod doesn’t work (is blocked by default) :/

  6. For usage questions, please turn to the mailing list.

    Actually, this should just work. Maybe you have an error elsewhere in your code.

  7. Not to nitpick, but you’re missing a closing curly brace in your first example for your improved DSL, it should be as follows:

    has_permission_on :companies, :to => :read do
      if_attribute :branches => {
          :manager => { :last_name => is { user.last_name } } }
      if_permitted_to :read, :branches
    end

  8. You are right. Now it’s correct.