Rails 4 authorization gem [closed]

Posted 2019-04-05 11:21

I am looking for an authorization gem for Rails 4. Before, I used CanCan, but it looks outdated nowadays...

I found the_role here: https://github.com/the-teacher/the_role. It is nearly what I want, but has a few annoying issues. Maybe similar gems exist? I need roles, stored in the database, and to associate actions with rules. It would be great if the gem cooperated with Bootstrap.

P.S. For authentication I use Devise.

5 answers
ら.Afraid
#2 · 2019-04-05 11:43

Pundit and CanCanCan are the best gems for Rails 4.

我想做一个坏孩纸
#3 · 2019-04-05 11:45

CanCanCan

CanCan was a popular gem for authorization developed by Ryan Bates (best known for RailsCasts) and abandoned prior to the release of Rails 4.0. Due to its popularity, the community-based CanCanCan project maintains an updated version of CanCan. CanCan provides a DSL (domain-specific language) that isolates all authorization logic in a single Ability class.

Pundit

The Pundit gem is gaining in popularity for Rails authorization. Pundit is an authorization system that uses simple Ruby objects for access rules. Pundit uses a folder named app/policies/ containing plain Ruby objects that implement access rules.

CanCanCan or Pundit or ?

As an application grows in complexity, the CanCan Ability class can grow unwieldy. Also, every authorization request requires evaluation of the full CanCan Ability class, adding performance overhead. Pundit also offers the advantage of segregating access rules into a central location, keeping controllers skinny. Pundit policy objects are lightweight, adding authorization logic without as much overhead as CanCan.

Simple Role-Based Authorization

With Rails 4.1, you can implement role-based authorization using Active Record Enum. You can use CanCanCan or Pundit to keep controllers skinny if your access rules are complex but for simple requirements, you may not need CanCanCan or Pundit.

I've written an article on Rails Authorization that goes into more detail, comparing CanCanCan and Pundit and simple role-based authorization.
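As an added example, not code from the answer above nor from Pundit or Rails themselves: a plain-Ruby sketch of the two approaches compared here, a Pundit-style policy object (the kind that would live in app/policies/article_policy.rb) whose decisions come from an enum-like integer role column plus record ownership. The User and Article structs, the ArticlePolicy class and the authorize/permitted? helpers are stand-ins assumed for this example; with the real gem, authorize is provided by Pundit and the policy is looked up the same way, by model name.

```ruby
# Added example: Pundit-style policy objects plus a role attribute, in plain Ruby.
# User and Article stand in for Active Record models; `role_index` mimics an
# `enum role: [:reader, :editor, :admin]` column stored as an integer.

ROLES = %i[reader editor admin].freeze

User = Struct.new(:id, :role_index) do
  def role
    ROLES.fetch(role_index)  # integer column -> symbol, as an AR enum does
  end
  # reader?, editor?, admin? predicates, like the ones AR enum generates
  ROLES.each { |r| define_method("#{r}?") { role == r } }
end

Article = Struct.new(:id, :author_id, :published)

class NotAuthorizedError < StandardError; end

# One plain Ruby object per model, built from the acting user and the record,
# exposing one predicate per controller action. `user` may be nil (not signed in).
class ArticlePolicy
  attr_reader :user, :article

  def initialize(user, article)
    @user = user
    @article = article
  end

  # Published articles are public; drafts are visible to their author and admins.
  def show?
    article.published || owner? || !!user&.admin?
  end

  def create?
    !user.nil? && (user.editor? || user.admin?)
  end

  def update?
    owner? || !!user&.admin?
  end

  # Deleting is reserved for admins; even the author cannot delete.
  def destroy?
    !!user&.admin?
  end

  private

  def owner?
    !user.nil? && article.author_id == user.id
  end
end

# Stand-in for Pundit's controller helper: find <Model>Policy, raise unless it allows
# the query. Deny by default: a query the policy does not define is a denial.
def authorize(user, record, query)
  policy = Object.const_get("#{record.class.name}Policy").new(user, record)
  unless policy.respond_to?(query) && policy.public_send(query)
    raise NotAuthorizedError, "#{query} denied for #{record.class.name} #{record.id}"
  end
  true
end

# Boolean form for views and tests (like calling policy(record).update? directly).
def permitted?(user, record, query)
  authorize(user, record, query)
rescue NotAuthorizedError
  false
end

# Constructed sample data.
ALICE     = User.new(1, 2)   # admin
BOB       = User.new(2, 1)   # editor, author of both articles
CAROL     = User.new(3, 0)   # reader
DRAFT     = Article.new(10, BOB.id, false)
PUBLISHED = Article.new(11, BOB.id, true)
```

Two properties are worth checking in your own policies: a query the policy does not define should deny rather than permit (each action has to be opted in), and a nil user must still get a coherent answer, which is why every predicate here guards with `user&.`.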

Anthone
#4 · 2019-04-05 11:59

Action Access works great with Rails 4, has very clear syntax and it's really lightweight.

It boils down to this:

class ArticlesController < ApplicationController
  let :admin, :all
  let :user, [:index, :show]

  # ...
end

This will automatically lock the controller, allowing admins to access every action, users only to show or index articles and anyone else will be rejected and redirected with an alert.

Everything related to the controller is within the controller, making it really modular and avoiding leaving forgotten trash when you refactor.

For granular control you can use not_authorized! inside actions to check against data from the database or whatever you need.

It's completely independent of the authentication system and it can work even without User models or predefined roles. All you need is to set the clearance level for the current request:

class ApplicationController < ActionController::Base
  def current_clearance_level
    session[:role] || :guest
  end
end

You may return whatever your app requires, like current_user.role for example.

It also bundles a set of handy model additions that allow to extend user models and do things like:

<% if current_user.can? :edit, :article %>
  <%= link_to 'Edit article', edit_article_path(@article) %>
<% end %>

Here :article refers to ArticlesController, so the link will only be displayed if the current user is authorized to access the edit action in ArticlesController. Namespaces are supported too.

You can lock controllers by default, customize the redirection path and the alert message, etc. Check out the documentation for more.
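To make the behaviour this answer describes concrete (controllers locked by default, a per-level allow-list of actions, everyone else rejected, and a can? helper that consults another controller's table), here is an added plain-Ruby model of those semantics. It is not the Action Access gem's code: the Clearance module with its let/permits?/dispatch/can? methods and the NotAuthorized error are stand-ins assumed for this example; dispatch raises where the gem would redirect with an alert, and can? maps :article to ArticlesController by naively appending an "s".

```ruby
# Added example: plain-Ruby model of controller-level clearance lists. Not the
# Action Access gem's code; every name below is a stand-in for this illustration.

class NotAuthorized < StandardError; end

module Clearance
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Stand-in for the gem's `let level, actions` declaration:
    # `:all` grants every action, otherwise an explicit list of action names.
    def let(level, actions)
      rules[level] = actions == :all ? :all : Array(actions).map(&:to_sym)
    end

    def rules
      @rules ||= {}
    end

    # Locked by default: a level with no `let` entry is allowed nothing.
    def permits?(level, action)
      allowed = rules[level]
      return false if allowed.nil?
      allowed == :all || allowed.include?(action.to_sym)
    end
  end

  # Stand-in for the gem's before-action guard. Raises where the gem would
  # redirect with an alert, so the outcome is observable without Rails.
  def dispatch(action)
    level = current_clearance_level
    unless self.class.permits?(level, action)
      raise NotAuthorized, "#{level} may not call #{action}"
    end
    public_send(action)
  end

  # Counterpart of the view helper `can? :edit, :article`: asks the named
  # controller's table. Pluralisation is naive here (the gem resolves it properly).
  def can?(action, resource)
    controller = Object.const_get("#{resource.to_s.capitalize}sController")
    controller.permits?(current_clearance_level, action)
  end
end

class ApplicationController
  include Clearance

  def initialize(session = {})
    @session = session
  end

  # Same hook as in the answer: whatever the app uses to identify the caller.
  def current_clearance_level
    @session[:role] || :guest
  end
end

class ArticlesController < ApplicationController
  let :admin, :all
  let :user, [:index, :show]

  # Action bodies return a marker so the caller can see which one ran.
  def index;   :index_ran;   end
  def show;    :show_ran;    end
  def edit;    :edit_ran;    end
  def destroy; :destroy_ran; end
end
```

The deny-by-default branch in permits? is the part to preserve if you model this yourself: a freshly added controller, or a role nobody wrote a `let` for, must fail closed rather than open.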

爷、活的狠高调
#5 · 2019-04-05 12:01

CanCanCan is the new version of CanCan:

https://github.com/CanCanCommunity/cancancan

Summer. ? 凉城
#6 · 2019-04-05 12:03

You should look at the bigger picture, even outside Ruby, and consider the authorization model. The traditional, prevalent model is role-based access control (RBAC), and this is what most frameworks and, in Ruby, most gems implement.

But if you have more advanced scenarios, you want to consider attribute-based access control and XACML, the eXtensible Access Control Markup Language.

With XACML, you can implement context-aware, policy-based authorization. For instance, you can write rules such as:

  • managers can edit documents they own
  • doctors can view the medical record of patients they are assigned to

And so on...

I am not aware of any Ruby gem to apply XACML to your Ruby projects but the nature of XACML is such that you can easily implement your own authorization agents (enforcement points). I've written some in PHP, Java, .NET, and Perl.

You'll need an authorization engine. There are several open-source and vendor solutions out there such as SunXACML and Axiomatics.

Here are some interesting resources:

  • NIST RBAC - the official definition of the RBAC Model
  • NIST ABAC
  • OASIS XACML
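As an added example (not from this answer, and neither a XACML engine nor any gem): the two rules listed above, evaluated by a minimal attribute-based decision point in plain Ruby that borrows XACML's structure of request, rule, effect and combining algorithm, with the enforcement point kept separate from the decision point. Request, Rule, PolicyDecisionPoint, enforce and the sample subject and resource hashes are all constructed for this example.

```ruby
# Added example: a minimal ABAC policy decision point in plain Ruby, shaped like
# XACML (request -> applicable rules -> effects -> combining algorithm). Not a
# XACML implementation; every name and all sample data are constructed here.

Request = Struct.new(:subject, :action, :resource, keyword_init: true)

# One rule: an effect (:permit or :deny) plus a condition over request attributes.
class Rule
  attr_reader :name, :effect

  def initialize(name, effect, &condition)
    @name = name
    @effect = effect
    @condition = condition
  end

  def applies?(request)
    @condition.call(request) ? true : false
  end
end

class PolicyDecisionPoint
  def initialize(rules)
    @rules = rules
  end

  # Deny-overrides combining: any applicable deny wins, then any permit;
  # otherwise the policy says nothing about this request.
  def decide(request)
    applicable = @rules.select { |rule| rule.applies?(request) }
    return :deny   if applicable.any? { |rule| rule.effect == :deny }
    return :permit if applicable.any? { |rule| rule.effect == :permit }
    :not_applicable
  end
end

RULES = [
  # "managers can edit documents they own"
  Rule.new('managers edit own documents', :permit) do |r|
    r.subject[:role] == :manager && r.action == :edit &&
      r.resource[:type] == :document && r.resource[:owner] == r.subject[:id]
  end,
  # "doctors can view the medical record of patients they are assigned to"
  Rule.new('doctors view assigned records', :permit) do |r|
    r.subject[:role] == :doctor && r.action == :view &&
      r.resource[:type] == :medical_record &&
      Array(r.resource[:assigned_doctors]).include?(r.subject[:id])
  end,
  # An explicit deny, which overrides any permit: records under legal hold.
  Rule.new('no access to records under legal hold', :deny) do |r|
    r.resource[:type] == :medical_record && r.resource[:legal_hold] == true
  end
].freeze

PDP = PolicyDecisionPoint.new(RULES)

# Enforcement point (the application side): only an explicit :permit grants
# access, so :not_applicable is treated as a denial.
def enforce(subject, action, resource)
  PDP.decide(Request.new(subject: subject, action: action, resource: resource)) == :permit
end

# Constructed sample attributes.
MANAGER     = { id: 'u1', role: :manager }.freeze
DOCTOR      = { id: 'd7', role: :doctor }.freeze
OWN_DOC     = { type: :document, owner: 'u1' }.freeze
OTHER_DOC   = { type: :document, owner: 'u2' }.freeze
RECORD      = { type: :medical_record, assigned_doctors: ['d7'], legal_hold: false }.freeze
HELD_RECORD = { type: :medical_record, assigned_doctors: ['d7'], legal_hold: true }.freeze
```

The split is the point of the answer: the rules reference attributes (ownership, assignment, legal hold) rather than roles alone and live in the decision point, while the application's enforcement point only asks for a decision, so adding or tightening a rule never means touching the controllers.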