Project

access_forge-permissions

0.0
The project is in a healthy, maintained state
access_forge-permissionscodetectonics/access_forge-permissionsHomepageDocumentationSource CodeBug TrackerWiki
The official permission layer for AccessForge.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
 Popularity
Downloads
496
Stars
0
Forks
0
Watchers
0
 Releases
Current version
1.0.1
Total releases
5
First release
2026-02-15
Latest release
2026-02-16
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2026-02-16
Reverse Dependencies
0

 Dependencies

Development

rake
~> 13.0
rspec
~> 3.12
rubocop
~> 1.21

Runtime

rails
>= 6.1
 Project Readme

AccessForge::Permissions

AccessForge::Permissions provides a production-ready PermissionPolicyRule for Ruby on Rails applications using AccessForge.

It introduces a simple, composable way to express permission-based authorization - without imposing a fixed persistence model.

If you are using AccessForge and want permission checks backed by your own data model, this is the first extension you should reach for.

Philosophy

AccessForge defines how policies are evaluated.

AccessForge::Permissions defines a reusable rule for permission checks.

This gem deliberately keeps its contract minimal:

If your User has a has_many :permissions association, PermissionPolicyRule will work.

That’s it.

How permissions are assigned - directly, via groups, or through any other structure - is entirely up to you.

Installation

Add to your Gemfile:

gem "access_forge-permissions"

Then:

bundle install

The Core Rule: PermissionPolicyRule

PermissionPolicyRule checks whether the current user has a required permission.

It expects:

  • A User model
  • A has_many :permissions association on that model

Example:

class User < ApplicationRecord
  has_many :permissions
end

Or via has_many :through:

class User < ApplicationRecord
  has_many :access_group_users
  has_many :access_groups, through: :access_group_users
  has_many :permissions, through: :access_groups
end

Usage with AccessForge

Inside your AccessForge policy:

class EmployeePolicy < AccessForge::Policy
  def index?
    authorized?(
      [ PermissionPolicyRule ],
      { permission: "employees.read" }
    )
  end
end

The required permission is passed explicitly via the :permission option.

When evaluated, the rule checks:

user.permissions.exists?(name: options[:permission])

If the permission exists, the rule passes.

If not, authorization fails.

Because it is a rule object, it composes naturally with other AccessForge rules.

Flexible Data Models

This gem does not enforce a particular authorization architecture.

You may:

  • Assign permissions directly to users
  • Implement group-based RBAC
  • Build hierarchical group structures
  • Introduce multi-tenant permission scoping
  • Extend the Permission model with metadata

The only requirement is that the user responds to:

user.permissions

This design keeps your authorization model:

  • Explicit
  • Evolvable
  • Aligned with your domain

Access Group Generator

To help you get started, this gem includes a generator that creates a conventional group-based permission structure.

Run:

rails generate access_forge:access_groups

This creates:

  • AccessGroup
  • AccessGroupUser
  • AccessGroupPermission
  • Permission

Along with their corresponding migrations.

The generated structure provides:

  • Many-to-many Users ↔ AccessGroups
  • Many-to-many AccessGroups ↔ Permissions
  • A has_many :permissions, through: setup on User

You are free to modify or extend these models after generation.

The generator exists for convenience - not constraint.

Why This Design?

Many authorization libraries tightly couple:

  • Policy logic
  • Persistence model
  • DSL assumptions

AccessForge::Permissions intentionally separates these concerns.

  • AccessForge evaluates policies.
  • PermissionPolicyRule checks permissions.
  • Your application owns the data model.

This separation provides:

  • Architectural control
  • Testable rule objects
  • Clear domain boundaries
  • Long-term flexibility

When to Use This Extension

Use AccessForge::Permissions if:

  • You want permission-based authorization
  • You prefer explicit policy objects over implicit callbacks
  • You want full control over your persistence model
  • You are building a system where authorization must evolve over time

Relationship to AccessForge

AccessForge is a controller-oriented policy engine built for experienced Rails developers who value architectural control.

AccessForge::Permissions is the first official extension — providing a clean, composable permission rule that integrates seamlessly into the core engine.

Together they provide:

  • Explicit controller authorization
  • Composable rule objects
  • Flexible persistence strategies
  • Clear separation of concerns

Development

After checking out the repository:

bin/setup
rake spec

To release a new version:

  1. Update the version number in version.rb
  2. Run:
bundle exec rake release

This will tag the release, push commits, and publish the gem to RubyGems.

Contributing

Bug reports and pull requests are welcome on GitHub:

https://github.com/CodeTectonics/access_forge-permissions.

This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the AccessForge project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.