Choosing an authorization framework for rails

Posted in rails, ruby by elisehuard on February 26, 2010

At my main customer’s we needed to choose an authorization framework. This is for a complex enterprise application, which requires fine-grained authorization on:

  • roles
  • actions
  • model ownership: most users may only access their own objects.

I had a look around, and after some digging ended up with three candidate plugins: declarative_authorization, grant and cancan.

Grant fell away almost immediately: it centres all authorization in the model, and I felt it was a bit too lightweight for our application.

Then I looked at declarative_authorization and cancan.
At first sight, declarative_authorization looked like a winner: I’m a believer in open source natural selection, and with about 650 people watching the plugin on GitHub, it looked like a lot of people had found it a good fit. It has also been lovingly polished since September 2008, so the kinks have probably been ironed out.

I cloned both plugins and looked at the code and documentation.
Cancan is partly based on declarative_authorization. What struck me at first sight is how simple cancan looked: much less code, much less meta-monkey-magic, and a very friendly DSL and documentation.
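To make the three requirements above (roles, actions, model ownership) concrete, and to show the shape of DSL the post is praising, here is an added example; it is not part of the original post and not cancan’s own code. It reimplements a cancan-style `can` / `can?` / `authorize!` ability class in plain Ruby with no gem dependency, so the `User` and `Post` structs, the `:admin` / `:member` roles and the sample rows are all constructed assumptions.

```ruby
# Hand-rolled, cancan-style ability class. Added example: it mimics the shape of
# cancan's can / can? / authorize! DSL but is NOT cancan's own code and needs no gem.
# User, Post, the :admin / :member roles and the sample rows below are assumptions.
User = Struct.new(:id, :role)
Post = Struct.new(:id, :user_id, :published)

class AccessDenied < StandardError; end

class Ability
  Rule = Struct.new(:actions, :subject, :condition)

  # :manage expands to every CRUD action; :all as a subject matches any class.
  ALIASES = { manage: [:create, :read, :update, :destroy] }.freeze

  def initialize(user)
    @user = user
    @rules = []
    define_rules
  end

  # can :read, Post                              -> every Post
  # can :update, Post do |post| ... end          -> only Posts the block accepts
  def can(action, subject, &condition)
    actions = Array(action).flat_map { |a| ALIASES.fetch(a, [a]) }
    @rules << Rule.new(actions, subject, condition)
  end

  # Default deny: true only if some rule grants this action on this subject and
  # the rule's condition (if any) accepts the instance. Asking about a class
  # (can?(:read, Post)) answers "could this user read *some* Post", as for index pages.
  def can?(action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @rules.any? do |rule|
      rule.actions.include?(action) &&
        (rule.subject == :all || rule.subject == klass) &&
        (rule.condition.nil? || subject.is_a?(Class) || rule.condition.call(subject))
    end
  end

  # What a controller would call before touching a record.
  def authorize!(action, subject)
    return subject if can?(action, subject)

    raise AccessDenied, "#{@user.role} ##{@user.id} may not #{action} #{subject.inspect}"
  end

  private

  # The three dimensions from the post: role, action, and model ownership.
  def define_rules
    if @user.role == :admin
      can :manage, :all                          # role-level grant
    else
      can :create, Post                          # action-level grant on the model
      can :read, Post do |post|                  # readable if public or your own
        post.published || post.user_id == @user.id
      end
      can [:update, :destroy], Post do |post|    # write access scoped to own rows only;
        post.user_id == @user.id                 # drop this block and any member can edit any post
      end
    end
  end
end

# Constructed sample data (not from the post).
ALICE = User.new(1, :member)
BOB   = User.new(2, :member)
ROOT  = User.new(3, :admin)
ALICES_DRAFT = Post.new(10, 1, false)
BOBS_PUBLIC  = Post.new(11, 2, true)

# Every decision a reviewer would want to see, as a hash so it can be asserted on.
def decisions
  alice = Ability.new(ALICE)
  {
    alice_may_list_posts:    alice.can?(:read, Post),
    alice_reads_own_draft:   alice.can?(:read, ALICES_DRAFT),
    alice_reads_bobs_public: alice.can?(:read, BOBS_PUBLIC),
    alice_edits_own:         alice.can?(:update, ALICES_DRAFT),
    alice_edits_bobs:        alice.can?(:update, BOBS_PUBLIC),   # cross-user edit: must be false
    bob_reads_alices_draft:  Ability.new(BOB).can?(:read, ALICES_DRAFT),
    admin_destroys_any:      Ability.new(ROOT).can?(:destroy, BOBS_PUBLIC),
    unknown_action_denied:   alice.can?(:publish, ALICES_DRAFT) # nobody granted :publish
  }
end

# authorize! turns the denial into an exception the controller can rescue into a 403.
def cross_user_edit_blocked?
  Ability.new(BOB).authorize!(:update, ALICES_DRAFT)
  false
rescue AccessDenied
  true
end

if __FILE__ == $PROGRAM_NAME
  decisions.each { |check, allowed| puts format('%-24s %s', check, allowed) }
  puts "cross-user edit blocked: #{cross_user_edit_blocked?}"
end
```

The security-relevant part is the block on the `:update` / `:destroy` rule: a bare `can :update, Post` would let any member edit any post by guessing an id, which is exactly the object-level hole the ownership requirement is meant to close. The other thing worth checking in whatever framework you pick is that `can?` is default deny, so an action nobody granted (`:publish` here) is refused rather than silently allowed.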

And get this: I ran reek (the Ruby code-smell detector) on both plugins, a hobby of mine, and cancan came out practically clean! That is like having an alien in the living room: it *never* happens. Run reek on your own code, just for laughs, and you’ll see what I mean.

So we ended up choosing cancan. Declarative_authorization may have more features out of the box, but we feel we’ll be able to extend cancan with much more ease, if that turns out to be necessary at all. It feels better to have a clean, fathomable codebase than a larger engine. I’m aware that cancan has the unfair advantage of having learned from its predecessors, and kudos to the maintainers of declarative_authorization for having inspired others.

Note: I’m aware there are quite a few other plugins out there. If you found another one and you’re very happy about it, please share.


6 Responses


  1. Maxim Filatov said, on February 27, 2010 at 9:06 am

    Devise rocks!

    Already Rails 3 compatible.

  2. elisehuard said, on February 28, 2010 at 12:44 pm

    Hi Maxim, I believe you 🙂
    But devise is an authentication framework, not authorization.
    Once you have identified yourself, you still have to decide what the person can and cannot do.

  3. Maxim Filatov said, on February 28, 2010 at 1:02 pm

    Because of its architecture devise can partially implement this function. Like this:

    $ ./script/generate devise User
    $ ./script/generate devise Admin

    In e.g. app/controllers/comments_controller.rb
    before_filter :authenticate_user!

    In e.g. app/controllers/admin/base_controller.rb
    before_filter :authenticate_admin!

    BTW there is no problem using devise with declarative_authorization 😉

  4. Julian Fischer said, on March 12, 2010 at 11:05 am

    I’d not recommend using an authorization framework. We need to refactor apps for customers coming from foreign developers on a regular basis. Often they have used an authorization framework plugin which then has not been further maintained. Since authorization goes a long way, those refactorings are always very painful for customers and us 🙂 So I’d suggest to think twice if and which framework/plugin to use.

    — Julian

  5. elise said, on March 12, 2010 at 11:36 am

    Hi Julian,
    your comment is applicable to pretty much any plugin 🙂 The choice is between reinventing the wheel with own plugins and app components, or using what’s out there, and the danger that it’s going to become obsolete always exists …

    cancan has the advantage of being really lightweight, so it’s not really introducing a heavy dependency. But you are right, keeping an eye on whether it’s maintained is an important point.

  6. Julian Fischer said, on March 16, 2010 at 7:04 pm

    You’re right. It’s applicable to many plugins but authorization is somewhat special. Not many aspects pervade an application like authorization logic. I don’t speak about controller or action level authorization but more fine grained controls including data level authorization. Besides that: yes, cancan looks pretty nice.
