I’ve been planning to try something new with regard to authorization in my current side-project and I’m tossing up between a few different options. I’m curious to know what you guys think about the following?
1. Moving authorization logic to constraints in your router?
I’m sort of liking this idea as it removes logic from your controller altogether and authorization + redirects are happening when the request comes in. I’m a bit unsure about what’s going to happen when the constraints begin to require a bit more logic and if my routes file is going to become littered with redirects containing flash notices.
I noticed Clearance has an option to use Constraints so I was wondering if the team at Thoughtbot are using them as a means for Authorization?
2. Create ‘Policy’ objects (perhaps using a gem such as Pundit)?
A clean and simple solution. The gem does make a few decisions for you and applies syntactic sugar, so I guess the question is why not just roll your own or something similar?
3. Use CanCanCan (assuming you want a more up to date CanCan gem)?
Slightly older approach with regard to Authorization. Is it still good?
4. Roll your own custom Authorization? (I’m sort of digging the approach laid out here https://sethvargo.com/authorizers-extractors-and-policy-objects/)
This blog post is obviously just one example of rolling your own Authorization but it’s a good example to highlight my point. I was a bit unsure about his approach when I first looked at it, but the more times I read his post, the more I begin to like what he’s done with the Authorizer::Base class. His tests are also pretty tight too.
Did I miss any other solutions? What do you guys think?
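To make options 1, 2 and 4 concrete, here is an added Ruby example (not code from the post, from Pundit, Clearance or the linked blog). It shows a deny-by-default policy object in the `<Model>Policy` naming style Pundit popularised, a small `Authorization` module that looks the policy up and either answers true/false or raises, and a route-constraint object that exposes the `matches?(request)` method Rails calls on constraint objects. `User`, `Post`, `RoleConstraint` and the `env['current_user']` key are constructed for this example; a real app would read the current user however its authentication library stores it.

```ruby
# Constructed stand-ins for application models (no database, no Rails).
User = Struct.new(:id, :role) do
  def admin?
    role == :admin
  end
end
Post = Struct.new(:id, :author_id, :published)

class NotAuthorizedError < StandardError; end

# Base policy: every action is denied unless a subclass explicitly allows it,
# so forgetting to write a rule fails closed rather than open.
class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user        # nil represents a guest
    @record = record
  end

  %w[show? create? update? destroy?].each do |action|
    define_method(action) { false }
  end

  def signed_in?
    !user.nil?
  end

  def admin?
    signed_in? && user.admin?
  end
end

# One policy per model; the rules read as plain predicates and are unit-testable
# without a controller or router in the picture.
class PostPolicy < ApplicationPolicy
  def show?
    record.published || owner? || admin?
  end

  def update?
    owner? || admin?
  end

  def destroy?
    admin?
  end

  private

  def owner?
    signed_in? && record.author_id == user.id
  end
end

module Authorization
  # Convention (assumed here, matching Pundit's): Post -> PostPolicy.
  def self.policy_for(user, record)
    Object.const_get("#{record.class.name}Policy").new(user, record)
  end

  # Boolean form, handy in views and in route constraints.
  def self.authorized?(user, record, action)
    policy_for(user, record).public_send(action)
  end

  # Raising form for controllers: returns the record when allowed so it can
  # be chained, raises NotAuthorizedError otherwise (rescue it to render 403).
  def self.authorize!(user, record, action)
    unless authorized?(user, record, action)
      raise NotAuthorizedError, "#{action} on #{record.class.name}##{record.id}"
    end
    record
  end
end

# Option 1 style: Rails route constraints call `matches?(request)` on an object.
# The `env['current_user']` key is an assumption for this example.
class RoleConstraint
  def initialize(role)
    @role = role
  end

  def matches?(request)
    user = request.env['current_user']
    !user.nil? && user.role == @role
  end
end
```

The constraint only answers a coarse question (is the signed-in user an admin?), which is about as much logic as comfortably fits in a routes file; per-record rules such as "only the author may edit a draft" stay in the policy object, where they can be tested in isolation and reused from the controller and the views.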