Simple fundctional authorization library for ruby. Inspired by transproc
Add this line to your application's Gemfile:
gem 'kan'And then execute:
$ bundle
Or install it yourself as:
$ gem install kan
class Post::Abilities
include Kan::Abilities
register 'read' { |_, _| true }
register 'edit' { |user, post| user.id == post.user_id }
register 'delete' { |_, _| false }
end
# register more than one ability in one place
class Post::AdminAbilities
include Kan::Abilities
register :read, :edit, :delete { |user, _| user.admin? }
end
class Comments::Abilities
include Kan::Abilities
register 'read' { |_, _| true }
register 'edit' { |user, _| user.admin? }
register :delete do |user, comment|
user.id == comment.user_id && comment.created_at < Time.now + TEN_MINUTES
end
end
abilities = Kan::Application.new(
post: Post::Abilities.new,
comment: Comments::Abilities.new,
)
abilities['post.read'].call(current_user, post) # => true
abilities['post.delete'].call(current_user, post) # => false
abilities['comment.delete'].call(current_user, post) # => false
# Default ability eq `proc { true }`
abilities['comment.invalid'].call(current_user, post) # => true
# But you can rewrite default ability block
admin_abilities = Kan::Application.new(
post: Post::AdminAbilities.new(default_ability_block: proc { false}),
comment: Comments::Abilities.new,
)
admin_abilities['post.delete'].call(current_user, post) # => false
admin_abilities['post.delete'].call(admin_user, post) # => true
admin_abilities['post.invalid'].call(current_user, post) # => false
global_abilities = Kan::Application.new(
post: [Post::Abilities.new, Post::AdminAbilities.new],
comment: Comments::Abilities.new,
)
global_abilities['post.edit'].call(current_user, post) # => false
global_abilities['post.edit'].call(owner_user, post) # => true
global_abilities['post.edit'].call(admin_user, post) # => trueAbilitiesImport = Dry::AutoInject(Kan::Application.new({}))
# Operation
class UpdateOperation
include AbilitiesImport[ability_checker: 'post.edit']
def call(user, params)
return Left(:permission_denied) unless ability_checker.call(user)
# ...
end
end
# Specs
UpdateOperation.new(ability_checker: ->(*) { true })
UpdateOperation.new(ability_checker: ->(*) { false })Bug reports and pull requests are welcome on GitHub at https://github.com/davydovanton/kan. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
The gem is available as open source under the terms of the MIT License.
Everyone interacting in the Kan project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.