Are there any gems for authorization?

by Denis '@denyago' Yagofarov, developer at Aejis

Slides: http://denyago.github.io/any-gems-for-authorization

Authentication vs. Authorization

Authentication - Who?

Authorization - Can?

Who acts?

Subject
Context
Action

can? current_user, :blow, @a_bomb

@a_bomb.restrict(current_user).blow!

What do we have?

CanCan
ryanb/cancan
Heimdallr
inossidabile/heimdallr
Authority
nathanl/authority
Declarative Authorization
stffn/declarative_authorization

What do I want?

(as a current_user)

Load collection of models
Auth an action (create, blow!, etc.)
... and do it fast!
... and be happy with the code
... and not require 'rails'

CanCan

Setup CanCan

class Ability
  include CanCan::Ability
  def initialize(user)
    user ||= User.new

    can :read, User,    'users.id > 10'
    can :edit, User,    id: user.id
    can :see_id, User,  id: user.id
  end
end

Use CanCan

puts 'Read: ' + User.accessible_by(current_ability).pluck(:name).join(', ')
# => Read: ...long line of names

user = User.accessible_by(current_ability).find_by_id(42)
user.update_attributes(name: '42th User') if current_ability.can? :edit, user
puts 'Write: ' + user.name
# => Write: ...not a name we tried to set

puts (current_ability.can?(:see_id, user) ? user.id : '#FILTERED')
# => #FILTERED

CanCan is good

Popular
Plays nice with rails
Fast to fetch records

CanCan is bad

Ability for all classes loaded on each request (God object ability.rb)
Need to have current_ability in all required places
Hard to filter secret information on viewes

Heimdallr

Setup Heimdallr

module UserAbility
  extend ActiveSupport::Concern

  included do
    include Heimdallr::Model

    restrict do |user, record|
      user ||= User.new

      scope :fetch, -> { where('users.id > 10') }

      if record
        can    :view
        cannot :view, [:id] unless record.id == user.id
        can    :update  if record.id == user.id
      end
    end
  end
end

class User
  include UserAbility
end

Use Heimdallr

puts 'Read: ' + User.restrict(@current_user).pluck(:name).join(', ')
# => Read: ...long line of names

user = User.restrict(@current_user).find_by_id(42)
begin
  user.update_attributes(name: '42th User')
rescue => e
  puts "Boom! #{e}"
end
puts 'Write: ' + user.name
# => Boom! Updating was not explicitly allowed
# => Write: 42th User
# ...but
puts 'Write again: ' + User.find(42).name
# => Write again: ... good old name

puts (user.implicit.id || '#FILTERED')
# => #FILTERED

Heimdallr is good

Modular
Loads only required data (from restrict block)
Uses Proxy object instead of original record

#<Heimdallr::Proxy::Record: #<User id: 42, name: "42th User">>




  Heimdallr is bad
  
    81 ★ and 8 forks
    Not so comfortable API
    Slow to instantiate much records (evaluates restrict block each time)
  



  :trollface:
  
    No bang! methods
    
      Unable to insert scopes into relations
      user.groups.with_tags([:trolls, :faces])
# => will raise exception
      
    
    
      Strange caching of permissions
      (evaluator.rb#L153)
      def evaluate(context, record=nil)
  if [context, record] != @last_context
      
    
  



  Compare CanCan and Heimdallr
  5000.times do |i|
  User.create!(id: i, name: 'Name ' + i.to_s)
end

Benchmark.bmbm(3) do |x|
  x.report("CanCan: ")    { User.accessible_by(@current_ability).all }
  x.report("Heimdallr: ") { User.restrict(@current_user).all }
  x.report("Heimdallr (insecure): ") { User.restrict(@current_user).insecure.all }
end
  



  Comparison results
  Rehearsal ----------------------------------------------------------
CanCan:                  0.200000   0.010000   0.210000 (  0.209705)
Heimdallr:               0.470000   0.000000   0.470000 (  0.500858)
Heimdallr (insecure):    0.210000   0.000000   0.210000 (  0.220875)
------------------------------------------------- total: 0.890000sec

                             user     system      total        real
CanCan:                  0.200000   0.010000   0.210000 (  0.207055)
Heimdallr:               0.450000   0.000000   0.450000 (  0.456898)
Heimdallr (insecure):    0.190000   0.000000   0.190000 (  0.235545)
  



  Authority



  Authority
  
    Rails-dependant
    ORM-neutral (use own scopes like available_for(current_user))
    Modular
  



  Declarative Authorization



  Declarative Authorization
  
    5 years old gem
    Looking like CanCan to me
    Uses roles to determine user permissions
  



  Still no perfect gems for authorization.



  
    Thank you!
    

    

    
      examples available at
    denyago/auithorization-gems-example

Are there any gems for authorization? by Denis '@denyago' Yagofarov, developer at Aejis

Authentication vs. Authorization

Who acts?

What do we have?

What do we have?

CanCan

Heimdallr

Authority

Declarative Authorization

What do I want?

CanCan

Setup CanCan

Use CanCan

CanCan is good

CanCan is bad

Heimdallr

Setup Heimdallr

Use Heimdallr

Heimdallr is good

Heimdallr is bad

:trollface:

Compare CanCan and Heimdallr

Comparison results

Authority

Authority

Declarative Authorization

Declarative Authorization

Still no perfect gems for authorization.

Thank you! examples available at denyago/auithorization-gems-example

Are there any gems for authorization?

by Denis '@denyago' Yagofarov, developer at Aejis

Thank you!

examples available at denyago/auithorization-gems-example