JavaScript isn't enabled in your browser, so this file can't be opened. Enable and reload.

1 of 16

Internals of a permission system

(in 3 lines of code!)

Newvick Lee

2 of 16

Outline

Background�
Intro to Pundit�
Pundit Internals

3 of 16

Background

Required a role-based access control (RBAC) system�
Evaluated some options…�
Settled on Pundit

forking it with some modifications

4 of 16

Background

Dug into Pundit’s code�
Realized it was actually quite simple to implement!

5 of 16

Intro to Pundit

6 of 16

Using it in a controller

7 of 16

Creating a policy class

Two arguments:

current_user
model object�

A query method

8 of 16

Pundit Internals

9 of 16

3 Simple Steps

Find the policy class�
Pass in the arguments from controller�
Run the query method

10 of 16

Example

Model: @post�Query: :update?�Policy: PostPolicy

11 of 16

Retrieve the Policy class

12 of 16

2. Pass in the params (user, object checking permission on)

13 of 16

3. Run the query method

14 of 16

What does public_send do?

policy.public_send(query)

policy = PostPolicy

query = update?

public_send calls the method identified by the arg (must be a public method)

15 of 16

Example

Model: @post�Query: :update?�Policy: PostPolicy

16 of 16

Thank you!

newvick.com