I had a hard time with authentication and later authorization in Rails. There are gems like Devise and CanCanCan, but I wanted a more flexible solution: doing the auth part in the controller, without actually having the auth logic in the controller. So I created my own lightweight authentication/authorization gem called ActionControl.
It’s pretty simple! You call the authorization! method before the controller actions and define, in the authorized? method, the rules that decide whether the user is actually allowed to continue. If these methods return true, everything is fine. But if one returns false or nothing, it raises the
You then catch both of these exceptions using #rescue_from and respond properly.
You may ask yourself why do it with this gem instead of simply raising the exceptions in the authenticator methods yourself? For multiple reasons. First, I don't want to duplicate the exception raising all over your code. And second, I want to make the exception the rule: the exception is always raised unless the authenticator methods explicitly return true. That way you prevent unexpected authorizations when they shouldn’t happen – for example on another user's preferences page.
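The following is an added example, not code from the ActionControl gem or its author. It re-implements in plain Ruby, without Rails, the fail-closed pattern the two paragraphs above describe: an authorization! hook that runs before the action, an authorized? method holding the rules, and a rescue handler that turns the exception into a response. The module, class and exception names (FailClosedAuthorization, NotAuthorizedError, FakeController, PreferencesController, User) are assumptions for illustration; the real gem's exception names are not shown on this page.

```ruby
# Added example, not the ActionControl gem's own code. All names below are
# hypothetical stand-ins chosen to demonstrate the fail-closed pattern.

module FailClosedAuthorization
  class NotAuthorizedError < StandardError; end

  # Mirrors the rule in the post: the exception is raised unless the
  # authorization predicate returns exactly `true`. nil, false, a truthy
  # non-boolean value or a forgotten branch all end in a denial.
  def authorization!
    return if authorized? == true
    raise NotAuthorizedError, "#{self.class}##{action_name} not authorized"
  end
end

# Minimal stand-in for a Rails controller: run the "before action" hook,
# then the action, and let a rescue handler translate the exception into
# a response the way rescue_from would.
class FakeController
  include FailClosedAuthorization

  attr_reader :current_user, :action_name, :params

  def initialize(current_user:, params: {})
    @current_user = current_user
    @params = params
  end

  def dispatch(action)
    @action_name = action.to_s
    authorization!            # before_action :authorization!
    public_send(action)
  rescue NotAuthorizedError => e
    { status: 403, body: e.message }   # rescue_from NotAuthorizedError
  end
end

User = Struct.new(:id, :admin)   # constructed sample user model

class PreferencesController < FakeController
  # The single place where the rules live. Only an explicit `true` grants access.
  def authorized?
    case action_name
    when "show", "update"
      # A user may only touch their own preferences; admins may touch any.
      current_user.admin || current_user.id == params[:user_id]
    end
    # Any other action (e.g. destroy) has no rule: nil falls through to a denial.
  end

  def show
    { status: 200, body: "preferences of user #{params[:user_id]}" }
  end

  def update
    { status: 200, body: "updated preferences of user #{params[:user_id]}" }
  end

  def destroy
    { status: 200, body: "never reached without an explicit true rule" }
  end
end

# Helper used by the demo and the checks below.
def run_preferences(current_user, action, user_id)
  PreferencesController
    .new(current_user: current_user, params: { user_id: user_id })
    .dispatch(action)
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new(1, false)
  p run_preferences(alice, :show, 1)     # own page: 200
  p run_preferences(alice, :show, 2)     # another user's page: 403
  p run_preferences(alice, :destroy, 1)  # no rule written: 403 by default
end
```

The point to notice is the destroy case: nobody wrote a rule for it, and the default is still a denial. With the opposite design (raise only when a rule says so), a forgotten branch silently grants access.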
I created this gem more than two years ago and use it in a lot of my projects. If you want to use it too, you can find it on GitHub: https://github.com/tobiasfeistmantl/action_control
I'm thankful for every feedback and help on the project I can get.