
igmarin/rails-agent-skills

Curated library of 28 public AI agent skills for Ruby on Rails development. Organized by category: testing, code-quality, engines, infrastructure, api, and context. Covers code review, architecture, security, testing (RSpec), engines, Hotwire, and TDD automation. Shared Ruby skills (YARD docs, DDD, service objects) have moved to ruby-core-skills. Repository agents remain documented in GitHub but are intentionally excluded from the Tessl tile.

Quality: 95% (does it follow best practices?)
Impact: 93%, 1.78x (average score across 28 eval scenarios)
Security by Snyk: Passed, no known issues

skills/code-quality/implement-authorization/references/workflow.md

Authorization Implementation Workflow

Step-by-step guide for implementing authorization in Rails applications.

Step 1: Add Gem

Add to Gemfile:

# For Pundit
gem 'pundit'

# For CanCanCan
gem 'cancancan'

Run:

bundle install

Step 2: Generate Policy/Ability

Pundit:

rails g pundit:install
rails g pundit:policy Post

CanCanCan:

rails g cancan:ability

Step 3: Define Permissions

Define authorization logic in the generated file. See EXAMPLES.md for complete code samples.

Step 4: Authorize in Controller

Add authorization calls to controller actions:

def update
  @post = Post.find(params[:id])
  authorize @post        # Pundit
  # or
  authorize! :update, @post  # CanCanCan
  # ...
end

Step 5: Write Tests

Create policy specs and request specs covering all roles. See EXAMPLES.md for testing patterns.

Step 6: Validate Coverage

Run all policy specs before deploying:

bundle exec rspec spec/policies

Ensure every role and edge case is explicitly covered.

Step 7: Manual Denied-Action Verification

After automated policy and request specs pass, attempt one denied action manually and record the result.

For Pundit, call Pundit.authorize directly so the denial surfaces as an explicit exception:

Pundit.authorize(unauthorized_user, protected_record, :update?)
# raises Pundit::NotAuthorizedError

For CanCanCan, call authorize!:

Ability.new(unauthorized_user).authorize! :update, protected_record
# raises CanCan::AccessDenied

If verifying through HTTP instead, record the request and the expected 403 Forbidden or app-specific denied-access response.
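As an added example (not code from this repository), here is what Steps 3, 5 and 6 look like in plain Ruby: a Pundit-style policy is an ordinary object taking (user, record), so it runs without the gem or Rails, and a role-by-action matrix makes every role, including the anonymous user and the denied cases from Step 7, an explicit row the specs can assert on. User, Post and the role set are constructed for this example.

```ruby
# Added example (not the repository's code): a Pundit-style policy is a
# plain Ruby object taking (user, record), so this runs without the gem.
# User, Post and the role set below are constructed for the example.
User = Struct.new(:id, :role)
Post = Struct.new(:author_id, :published)

class PostPolicy
  attr_reader :user, :record
  def initialize(user, record)
    @user = user
    @record = record
  end

  def show?
    record.published || owner? || admin?
  end

  def update?
    owner? || admin?
  end

  def destroy?
    admin?
  end

  private
  def admin?
    user&.role == :admin
  end

  def owner?
    !user.nil? && record.author_id == user.id
  end
end

ACTIONS = %i[show? update? destroy?].freeze
# Evaluate every policy query for one user and return those that pass.
def allowed_actions(user, record)
  policy = PostPolicy.new(user, record)
  ACTIONS.select { |query| policy.public_send(query) }
end

# Role x action matrix the policy specs should mirror, with an explicit
# row for the anonymous (nil) user and for a member who is not the author.
def permission_matrix(record)
  roles = { anonymous: nil, member: User.new(99, :member),
            author: User.new(record.author_id, :member), admin: User.new(1, :admin) }
  roles.transform_values { |u| allowed_actions(u, record) }
end
```

A role whose row is missing from the matrix, or a row that is never asserted on, is exactly the uncovered case Step 6 asks you to rule out.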
