ruby
45 lines · 9 steps
Policy-based authorization in a Rails controller
Every write action loads the article, checks a policy, and only then mutates state.
Explained by
highlit
1class ArticlesController < ApplicationController
2 before_action :set_article, only: %i[show edit update destroy publish]
3
4 def edit
5 authorize! ArticlePolicy.new(current_user, @article), to: :edit?
6 end
7
8 def update
9 authorize! ArticlePolicy.new(current_user, @article), to: :update?
10
11 if @article.update(article_params)
12 redirect_to @article, notice: "Article updated."
13 else
14 render :edit, status: :unprocessable_entity
15 end
16 end
17
18 def publish
19 authorize! ArticlePolicy.new(current_user, @article), to: :publish?
20
21 @article.publish!
22 redirect_to @article, notice: "Article published."
23 end
24
25 def destroy
26 authorize! ArticlePolicy.new(current_user, @article), to: :destroy?
27
28 @article.destroy
29 redirect_to articles_path, notice: "Article deleted."
30 end
31
32 private
33
34 def authorize!(policy, to:)
35 raise ActiveRecord::RecordNotFound unless policy.public_send(to)
36 end
37
38 def set_article
39 @article = Article.find(params[:id])
40 end
41
42 def article_params
43 params.require(:article).permit(:title, :body, :category_id)
44 end
45end
01 / 01
STEP 01
‹ swipe to step through ›
Walkthrough
Space play
←→ step
click any line
Three takeaways
- 1Centralizing the authorization check in one private method keeps each action's intent focused on its policy question.
- 2Raising RecordNotFound on a failed check hides a resource's existence instead of leaking a 403 to unauthorized users.
- 3A shared before_action for record loading removes repetitive find calls across related actions.
Related explainers
ruby
class ArticlesController < ApplicationController DEFAULT_LIMIT = 25 MAX_LIMIT = 100
Cursor-based pagination in a Rails controller
pagination
cursor
query-building
Intermediate
7 steps
ruby
module ConfigMerge module_function def deep_merge(base, override)
Recursively merging nested config hashes in Ruby
recursion
hash-merge
immutability
Intermediate
8 steps
ruby
module DeepFreeze module_function def call(obj)
Recursively freezing nested Ruby data
recursion
immutability
pattern matching
Intermediate
9 steps
ruby
class Webhooks::StripeController < ApplicationController skip_before_action :verify_authenticity_token skip_before_action :authenticate_user!
How a Rails Stripe webhook controller works
webhooks
signature verification
event dispatch
Intermediate
7 steps
ruby
class ReportGenerator def initialize(account, period) @account = account @period = period
Memoized report metrics in Ruby in Rails
memoization
query-composition
service-object
Intermediate
7 steps
typescript
import { inject } from '@angular/core'; import { CanActivateFn, Router,
Functional route guards in Angular
route-guards
dependency-injection
observables
Intermediate
5 steps
Share this explainer
Here's the card — post it anywhere.
Made with highlit — turn any snippet into a walkthrough like this in about a minute.
Explain your code
Embed this explainer
Drop the interactive walkthrough into a blog or docs. Views never cost a credit.
<iframe src="https://highlit.co/explainers/policy-based-authorization-in-a-rails-controller-explained-ruby-ce4b/embed?autoplay=1" width="100%" height="520" loading="lazy" style="border:0"></iframe>
Autoplay is on by default — add ?autoplay=0 to start paused.