AccessAllow is a tool for managing access and permissions in Rails applications.

It lets you configure roles, abilities and permissions for users: you can create, modify and assign roles to users, or apply user-specific permissions.

You control access to sections of the application with rules that state which role, and optionally which abilities, are needed to reach a resource. Rules declared on a controller also apply to its subclasses, so requirements can be layered from ApplicationController down to the individual controller.

Example

Consider the following controller hierarchy, and then the view fragment defined below it:

tags_controller.rb

class TagsController < AdminController
  # Allow any admin to access the :index and :show actions
  access_allow :admin, to: [:index, :show]
  # Only let admins with the ability `tag_management: :manage` execute any other action.
  # In the view we can also use the check name `tag_management` to conditionally render, say, an "Add new Tag" button
  access_allow :admin, with: {tag_management: :manage}, to: :all, as: :tag_management
  # On the index page we also conditionally show some statistics about Tag usage, but only to admins with the right
  # ability. This is done with the named check `:view_usage_stats`
  access_allow :admin, with: {tag_management: :usage_stats}, as: :view_usage_stats
  # Admins with a special flag called "im_magic" can also access the :magic action
  access_allow :magic_admin, to: :magic

  def allow_admin?
    current_user.admin?
  end
  
  def allow_magic_admin?
    current_user.im_magic? && allow_admin?
  end
  
  # ...
end

class AdminController < AuthenticatedController
  # Only admins can access actions on this controller or its subcontrollers. Any authenticated user who is not an
  # admin will generate a severe access violation: they see a 404, but the violation is logged.
  access_require :admin, violation: :severe
  # Once we have verified the user is an admin we can respond with a 403 instead of a 404 when they try to access an
  # action they don't have permission for. We don't need to hide the existence of the action from them.
  access_no_match :not_permitted
  # ...
end

class AuthenticatedController < ApplicationController
  # Any action requires an authenticated user. The defined behaviour is that if the user trying to access the action
  # is not authenticated they are redirected to the sign-in page.
  access_require :authenticated_user, violation: :redirect do
    sign_in_path
  end

  # ...
end

class ApplicationController < ActionController::Base
  # By default, if no access rules match when executing an action then show the user a 404 to avoid leaking the
  # existence of the endpoint
  access_no_match :hidden
  # ...
end

tags/index.html.erb

<p>Tags Index</p>
<% if access_allowed? :tag_management %>
  <button>Add new tag</button>
<% end %>
<% if access_allowed? :view_usage_stats %>
  <div> ... </div>
<% end %>
<ul> ... </ul>
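To make the resolution order concrete, here is a plain-Ruby model of how the rules above combine for a request to TagsController: the `access_require` rules are checked from the outermost controller inward, then the `access_allow` rules are matched against the action, and `access_no_match` decides what an admin with no matching rule sees. This is an added illustration written for this README, not the AccessAllow gem's implementation; the `AccessModel` module, its `User` struct and the rule hashes are invented here, and treating a rule without `to:` (the `:view_usage_stats` one) as a named check only is an assumption of the model.

```ruby
# Illustrative model of the rule resolution described in this README.
# Not the AccessAllow gem's code: all names below are invented for the example.
module AccessModel
  module_function

  # Stand-in for current_user. `abilities` maps an ability to a level, e.g. { tag_management: :manage }.
  User = Struct.new(:authenticated, :admin, :im_magic, :abilities, keyword_init: true) do
    def authenticated?; authenticated; end
    def admin?;         admin;         end
    def im_magic?;      im_magic;      end
  end

  # The allow_*? predicates defined on the controllers.
  ROLE_CHECKS = {
    authenticated_user: ->(u) { u.authenticated? },
    admin:              ->(u) { u.admin? },
    magic_admin:        ->(u) { u.im_magic? && u.admin? },
  }.freeze

  # access_require rules, outermost controller first: AuthenticatedController, then AdminController.
  REQUIREMENTS = [
    { role: :authenticated_user, violation: :redirect, redirect_to: '/sign_in' },
    { role: :admin,              violation: :severe },
  ].freeze

  # access_allow rules from TagsController. A rule with no `to:` grants no action here,
  # only its named check (an assumption of this model, not documented gem behaviour).
  ALLOW_RULES = [
    { role: :admin,       to: [:index, :show] },
    { role: :admin,       with: { tag_management: :manage },      to: :all, as: :tag_management },
    { role: :admin,       with: { tag_management: :usage_stats }, to: [],   as: :view_usage_stats },
    { role: :magic_admin, to: [:magic] },
  ].freeze

  # AdminController's access_no_match :not_permitted overrides ApplicationController's :hidden.
  NO_MATCH = :not_permitted

  # Severe violations are recorded here so they can be inspected.
  VIOLATION_LOG = []

  def rule_applies?(rule, user)
    return false unless ROLE_CHECKS.fetch(rule[:role]).call(user)
    (rule[:with] || {}).all? { |ability, level| (user.abilities || {})[ability] == level }
  end

  def covers?(to, action)
    to == :all || Array(to).include?(action)
  end

  # Outcome for `user` requesting `action` on TagsController:
  # [:redirect, path], [:not_found], [:forbidden] or [:ok].
  def authorize(user, action)
    REQUIREMENTS.each do |req|
      next if ROLE_CHECKS.fetch(req[:role]).call(user)
      case req[:violation]
      when :redirect
        return [:redirect, req[:redirect_to]]
      when :severe
        VIOLATION_LOG << { user: user, action: action, severity: :severe }
        return [:not_found] # hide the endpoint from non-admins, but keep a record
      end
    end
    return [:ok] if ALLOW_RULES.any? { |r| rule_applies?(r, user) && covers?(r[:to], action) }
    NO_MATCH == :hidden ? [:not_found] : [:forbidden]
  end

  # The view helper: does any rule named `name` apply to this user?
  def access_allowed?(user, name)
    ALLOW_RULES.any? { |r| r[:as] == name && rule_applies?(r, user) }
  end
end

if $PROGRAM_NAME == __FILE__
  plain_admin = AccessModel::User.new(authenticated: true, admin: true, im_magic: false, abilities: {})
  puts AccessModel.authorize(plain_admin, :create).inspect      # [:forbidden]
  puts AccessModel.access_allowed?(plain_admin, :tag_management) # false
end
```

Note the asymmetry the model makes visible: a non-admin probing `/tags/magic` gets a 404 and a logged severe violation, while an admin who simply lacks `tag_management: :manage` gets a 403, and an admin holding that ability reaches `:magic` too because the rule says `to: :all`.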