DEV Community: Evgenii S.

Rabarber v6: Major Update for the Rails Role-Based Authorization Gem

Evgenii S. — Wed, 08 Apr 2026 17:18:24 +0000

Rabarber, a role-based authorization gem for Rails, releases v6.0.0.

The new version finalizes the API cleanup started in v5, deprecated methods were removed making the API cleaner and more intuitive. Another notable, and hopefully not noticeable, change is the reworked caching mechanism which improves reliability and fixes a bug that prevented Rabarber from working correctly with Memcached.

This is a major version with breaking changes, so please refer to the migration guide when upgrading.

Check out the gem here.

Happy coding!

Veri v2.0: Important Fixes for Rails Authentication Gem

Evgenii S. — Tue, 06 Jan 2026 12:27:29 +0000

Veri, a minimal authentication framework for Rails, releases v2.0. This release fixes the major user impersonation issue that existed in v1. Upgrading is highly recommended.

Since this is a major version with breaking changes, please review the migration guide.

Check out the gem here.

Happy coding!

Grepfruit v3.2: Programmatic API for Text Search

Evgenii S. — Sat, 03 Jan 2026 12:39:31 +0000

Grepfruit, a ractor-powered text search gem, adds a programmatic API in v3.2, a count-only mode, and Ruby 4 support.

What's new?

Programmatic API

The gem can now be used programmatically directly in Ruby applications:

Grepfruit.search(
  regex: /TODO/, 
  path: "spec/test_dataset", 
  exclude: ["foo.md", "baz.py"]
)
# returns =>
{
  search: {
    pattern: /TODO/,
    directory: "/Users/enjaku/Development/grepfruit/spec/test_dataset",
    exclusions: ["foo.md", "baz.py"],
    inclusions: []
  },
  summary: {
    files_checked: 2,
    files_with_matches: 2,
    total_matches: 4
  },
  matches: [
    {file: "bar.txt", line: 3, content: "TODO: Fix the alignment issue in the header."},
    {file: "bar.txt", line: 7, content: "TODO: Update the user permissions module."},
    {file: "bar.txt", line: 14, content: "TODO: Review the new design specifications."},
    {file: "folder/bad.yml", line: 21, content: "# TODO: Add configuration for cache settings"}
  ]
}

All CLI options are available as keyword arguments, and the API returns structured data that should be easy to work with in Ruby scripts.

Count-only mode

Use the --count flag (or count: true in the API) to show only match statistics without displaying the actual matches.

Ruby 4 support

Grepfruit now supports Ruby 4 and its updated Ractor implementation.

Check out the gem here.
Happy coding!

Role-Based Authorization for Rails: How We Built Rabarber

Evgenii S. — Mon, 10 Nov 2025 10:53:36 +0000

The Problem

We built an admin area for a sales company that included a custom CRM, marketing tools, content management, and internal developer utilities. Different employees had different responsibilities:

Managers handled customer calls and notes
Analysts worked with marketing reports
Accountants dealt with invoices
Administrators oversaw everything
Developers maintained internal tools

The business needed an authorization system that enforced access strictly according to employee responsibilities. When employees left the company, we also needed to revoke their access without deleting accounts and associated historical data.

Our system needed to:

Support different access levels for employees
Provide admin-managed role assignments
Preserve user accounts
Allow revoking access when an employee leaves
Be secure by default (everything denied unless explicitly permitted)

We looked at existing solutions but none fit perfectly:

Pundit - was too verbose for our taste, we'd need to create policy objects everywhere just to answer questions like "can a manager access Companies controller?"
CanCanCan - we preferred checks in controllers before business logic runs, not spread across the application.

Other less popular solutions were either too complex or poorly maintained.

We needed something simpler: controller-level checks that answer "can this role access this resource?"

The Solution

We created a simple role-based authorization system. It worked so well that we continued to use it across several projects and eventually extracted it into Rabarber - a gem that handles role management, storage, and authorization checks while developers simply define the rules.

Note: The code examples use Rabarber 5.2 API, but the concepts are the same as our original implementation.

Basic Controller Setup

class Admin::BaseController < ApplicationController
  include Rabarber::Authorization

  # Apply authorization checks to all actions
  with_authorization

  # Administrators and developers can access everything in the admin area
  grant_access roles: [:admin, :developer]
end

Assuming users must be authenticated at this point (Devise was configured in ApplicationController), this basic setup gave us a clean inheritance model, all actions require authorization, and administrators and developers can access everything by default.

Specific Controller Rules

class Admin::ClientsController < Admin::BaseController
  grant_access action: :index, roles: [:manager, :analyst]
  def index
    # Managers and analysts can see client list
  end

  grant_access action: :show, roles: [:manager, :analyst]
  def show
    # Managers and analysts can see client details
  end

  grant_access action: :update, roles: :manager
  def update
    # Only managers can update client info
  end

  def destroy
    # Only administrators and developers can delete (from base controller)
  end
end

class Admin::ClientNotesController < Admin::BaseController
  # Only managers work with client notes
  grant_access roles: :manager

  def index; end
  def create; end
end

We followed this pattern throughout the admin area: InvoicesController let accountants view invoices but only managers could modify them, MarketingReportsController was analyst-only, and internal dev tools were restricted to developers.

We even protected developer utilities such as Sidekiq UI with role checks using Rabarber's has_role? helper and Devise's authenticate constraint:

authenticate :user, ->(user) { user.internal? && user.has_role?(:developer) } do
  mount Sidekiq::Web => '/sidekiq'
end

We also needed to hide UI elements that certain roles couldn't access, which we did using view helpers:

<%= visible_to(:accountant, :admin) do %>
  <%= link_to "Invoices", admin_invoices_path %>
<% end %>

This kept our navigation menu clean - employees only saw links they were authorized to access.

Dynamic Rules

Initially, we added dynamic rules for a specific use case: one manager needed exclusive access to user activity reports.

class Admin::UserActivityReportsController < Admin::BaseController
  grant_access roles: :analyst

  grant_access action: :show, roles: :manager, if: -> { current_user.special_manager? }
  def show
    # ...
  end
end

Later, we realized this was overengineering. We didn't need a dynamic check - we needed a role:

class Admin::UserActivityReportsController < Admin::BaseController
  grant_access roles: [:analyst, :user_activity_report_viewer]

  def show
    # ...
  end
end

Then we simply assigned user_activity_report_viewer to whoever needed it. This pattern applied to all our granular permissions: shop_manager, blog_editor, and other roles where a specific work position didn't exist but someone still needed access to parts of the system to do the job.

That said, dynamic rules still proved themselves useful for edge cases, like time-based access or checking team membership, so we left them for those rare complex scenarios.

Role Management Interface

We built a simple admin interface for role management:

class Admin::EmployeesRolesController < Admin::BaseController
  grant_access roles: :admin

  def index
    @employees = User.where(internal: true) # iterate and show roles for each employee
  end

  def edit
    @employee = User.find(params[:id])
    @available_roles = Rabarber.roles
  end

  def update
    User.find(params[:id]).assign_roles(*params[:roles]) # array of roles [:manager, :blog_editor]
    redirect_to employees_path, notice: 'Roles updated'
  end

  def destroy
    User.find(params[:id]).revoke_all_roles
    redirect_to employees_path, notice: 'Access revoked'
  end
end

This gave administrators a simple UI to assign and revoke roles. When someone left the company, we'd revoke all their roles - keeping their historical data intact while blocking admin area access.

And when adding new features that required new roles, we'd create them via data migrations:

class AddBlogEditorRole < ActiveRecord::Migration[7.0]
  def up
    Rabarber.create_role(:blog_editor)
  end

  def down
    Rabarber.delete_role(:blog_editor)
  end
end

After deployment, the new role would appear in the admin UI, ready to be assigned.

When Rabarber Works And When It Doesn't

Rabarber excels when:

Authorization is primarily role-based
Controller-level checks are sufficient
You have clear role definitions
You need a simple role assignment UI
You're not dealing with complex permission logic

However, if you need complex logic like "can user X edit post Y based on ownership, status, and team membership," you most likely need policy-based authorization. In this case, reach for Pundit or ActionPolicy, or even use plain Ruby objects - every policy is just a simple class after all.

You can mix approaches - Rabarber for most checks and custom policies for edge cases, but keep in mind that this mixed approach only makes sense if your app is primarily role-based with very few exceptions. If your entire app requires complex policies everywhere, a policy-based gem is a better fit from the start.

So, if your app fits Rabarber's model, check out Rabarber on GitHub. The README has comprehensive examples and the gem supports both global and contextual roles for multi-tenant applications, which I'll talk about in a future article.

Veri v1.0: Minimal Rails Authentication Framework Now Stable

Evgenii S. — Tue, 07 Oct 2025 17:02:01 +0000

After months of development and testing, Veri has reached its first stable release!

For those unfamiliar, Veri is a minimal authentication framework for Rails that gives you building blocks for custom authentication flows. No generated controllers, views, and mailers, no forced business logic - just the core mechanics of secure authentication that you can build upon.

What’s included:

Cookie-based authentication with database-stored sessions
Multiple password hashing algorithms (argon2, bcrypt, pbkdf2, scrypt)
Granular session management and control
User impersonation for admin features
Account lockout functionality
Multi-tenancy support
Return path handling

Who it’s for:

Developers who want control over their authentication flow. If you’ve ever felt constrained by Devise or similar gems, Veri might be your cup of tea.

Check it out here.

Happy coding!

Veri v0.4.0 – Multi-Tenancy Update for the Rails Authentication Gem

Evgenii S. — Fri, 12 Sep 2025 21:48:00 +0000

We just released Veri v0.4.0, introducing multi-tenancy support. Now you can isolate authentication sessions per tenant, whether that’s a subdomain or a model representing an organization.

This update also adds several useful scopes and renames a couple of methods.

⚠️The gem is still in early development, so expect breaking changes in minor versions until v1.0!

Check it out here: https://github.com/enjaku4/veri

Introducing Veri – Minimal Cookie-Based Authentication for Rails

Evgenii S. — Wed, 25 Jun 2025 06:32:48 +0000

https://github.com/enjaku4/veri

Veri is a new minimalistic authentication framework for Rails built around granular session management. Unlike full-stack solutions, Veri doesn’t impose business logic or provide pre-built views and controllers. It focuses on secure authentication primitives with detailed session control and gives you the building blocks for custom authentication flows.

Key features:

Database-stored sessions with detailed tracking info
Sessions can be listed and terminated selectively
Built-in user impersonation for admin features
Secure password storage with multiple hashing algorithms
Return path handling

It’s functional and ready to try, although still in early development with potential breaking changes before v1.0.

Grepfruit 3.0.0 Released

Evgenii S. — Mon, 16 Jun 2025 19:23:12 +0000

Just released version 3.0.0 of Grepfruit, a Ruby gem for searching text patterns in files with enhanced output.

This version adds:

Parallel processing using Ractors
JSON-formatted output

There are breaking changes from 2.x, so check the changelog when upgrading.

Repository: https://github.com/enjaku4/grepfruit

Rabarber v5: Cleaner, Leaner, and More Stable

Evgenii S. — Tue, 20 May 2025 13:03:11 +0000

It’s been a while since our last major announcement - now, we’re happy to share Rabarber version 5, a new release of our role-based authorization gem for Rails.

This release focuses on cleaning up and simplifying. We dropped legacy features that only added complexity, bringing Rabarber closer to what it was always meant to be. We also added more granular authorization controls and resolved a number of issues and design flaws along the way.

With many improvements and fixes accumulated over the past year, upgrading is highly recommended. There are breaking changes, so be sure to check the migration guide.

Find the repo and docs here: https://github.com/enjaku4/rabarber

Happy coding!

Rabarber Developers

Kreds v1 is out

Evgenii S. — Mon, 07 Apr 2025 21:54:32 +0000

It provides a safer, cleaner interface for accessing Rails credentials with strict error handling, optional fallback to environment variables, and support for environment-specific structures.

This release finalizes the API, improves error clarity, and adds a few practical tools.

More info: https://github.com/enjaku4/kreds

Kreds – the Missing Shorthand for Rails Credentials Access

Evgenii S. — Mon, 10 Mar 2025 10:05:25 +0000

Managing Rails application credentials can sometimes lead to hard-to-debug issues when keys are mistyped or values are unexpectedly blank. Kreds is a small gem that provides a shorthand for fetching credentials, raising clear errors for missing keys or empty values. More details here: https://github.com/enjaku4/kreds

Grepfruit – A Ruby Gem for User-Friendly Regex Search in Files

Evgenii S. — Fri, 07 Mar 2025 09:12:08 +0000

Grepfruit is a Ruby gem for searching text patterns in files with colorized output, making the process more user-friendly than standard tools like grep. It offers options to exclude files or directories, truncate output, and include hidden files. Originally created for CI/CD pipelines to search for TODO comments in Rails apps, it’s flexible for a wide range of use cases. Check it out here: https://github.com/enjaku4/grepfruit