ActionGuard is a simple authorization module to be used in rails applications. It well be usable for any other ruby based web framework.

It's been developed as part of some of my own rails application with the following design principles in mind:

• roles are string values, and role definitions reside in program code, not in a database.
• authorisation rules are collected in one configuration file, rather than spreading them out over controller definitions.
• authorisations are on url path matches. In rails' case, you pass 'fullpath' to the authorization which is then matched against a set of authorisation rules.

Documentation

Documentation is work in progress. PLease this besides this readme, you can read the specs and find the rdoc here:

http://rubydoc.info/gems/action-guard

Installing

    gem install action-guard 

or put action-guard in your Gemfile and

    bundle install

Getting started

Assuming a Rails application, you specify an initializer with the following content:

    ActionGuard.load_from_file(File.join(Rails.root, 'config', 'authorization.rules'))

and a file called authorization.rules in the config directory with something like:

    role :god , 0
    role :admin, 1
    role :worker, 2

    allow '/'
    allow '/tracking', :only_by => :admin
    allow '/maintenance', :at_least => :worker
    allow '/maintenance/[0-9]*/edit', :at_least => :admin
    allow '/maintenance/[0-9]*$', :at_least => :admin

and some model with a string typed attribute called 'role', in an account or user model e.g.:

    class Account
      attr_reader :role
    end

then in your (Application) controller you can

    class ApplicationController < ActionController::Base
      prepend_before_filter :authorize_action

      protected
      def authorized?(fullpath)
        ActionGuard.authorized?(current_account, fullpath)
      end
      helper_method :authorized?

      private
      def authorize_action
        unless authorized?(request.fullpath)
          flash[:alert] = I18n.t("not_authorized")
          sign_out current_account if current_account
          redirect_to new_account_session_path
        end
      end
    end

(In the example above, the path helpers, sign_out and current_account methods are from [Devise]i(https://github.com/plataformatec/devise))

This is in essence all you need to get actionguard working. You could also hide non authorized linkes by adding an authorized_link_to method like so:

  def authorized_link_to(what, path, options = {})
    if (authorized?(path)) 
      link_to(what, path, options)
    end
  end

or overwrite link_to

Issues - bugs

If you find any issues in the code please let me know through:

https://github.com/rwestgeest/action-guard/issues

also consult that list for known issues in ActionGuard