From rails-agent-skills
Implements and tests authorization in Rails apps using Pundit or CanCanCan: policy objects, role-based access control, permission checks, and testing strategies.
npx claudepluginhub igmarin/rails-agent-skills --plugin rails-agent-skillsThis skill uses the workspace's default tool permissions.
Implement and test authorization patterns in Rails applications.
Creates ActionPolicy authorization in Rails: policy classes, controller integration with authorize!, scopes, caching, I18n, tests, GraphQL/ActionCable support. Proactive alternative to Pundit.
Guides selection and implementation of authorization models including RBAC, ABAC, ACL, ReBAC, and policy-as-code for permission systems and access control design.
Implements Role-Based Access Control (RBAC), permissions management, and authorization policies. Guides for Node.js, Python ABAC, Java Spring Security. Use for multi-tenant apps, APIs, admin dashboards.
Share bugs, ideas, or general feedback.
Implement and test authorization patterns in Rails applications.
Files: SKILL.md · EXAMPLES.md · references/workflow.md
ALWAYS test authorization with multiple roles (admin, user, guest)
NEVER rely on presence checks alone — check specific permissions
ALWAYS use policy objects, never inline authorization logic in controllers
| Gem | Pattern | Best For |
|---|---|---|
| Pundit | Explicit policy classes | Complex per-resource rules |
| CanCanCan | Centralized Ability class | Simple role-based permissions |
pundit or cancancan to Gemfile and run bundle installrails g pundit:install or rails g cancan:ability)authorize @record (Pundit) or authorize! :action, @record (CanCanCan) in each actionPundit::NotAuthorizedError or CanCan::AccessDenied as expectedpolicy_scope(Model) or accessible_by(current_ability) for index actionsSee references/workflow.md for the complete implementation guide with additional detail.
class PostPolicy < ApplicationPolicy
def update?
user.admin? || record.user_id == user.id
end
end
class Ability
include CanCan::Ability
def initialize(user)
can :update, Post, user_id: user.id
can :manage, :all if user.admin?
end
end
| Error | Likely Cause | Fix |
|---|---|---|
Pundit::NotDefinedError | No policy class found for the record | Create app/policies/model_policy.rb inheriting from ApplicationPolicy |
Pundit::AuthorizationNotPerformedError | authorize not called in a controller action | Add authorize @record in the action, or after_action :verify_authorized to catch misses |
CanCan::AccessDenied unexpectedly raised | Ability rules not matching the current user/role | Inspect current_ability.can?(:action, @record) in the console to debug rule evaluation |
Cover every role (admin, owner, guest) in both policy specs and request specs.
RSpec.describe PostPolicy do
subject { described_class.new(user, post) }
let(:post) { create(:post, user: owner) }
let(:owner) { create(:user) }
context 'as admin' do
let(:user) { create(:user, :admin) }
it { is_expected.to permit_action(:update) }
end
context 'as owner' do
let(:user) { owner }
it { is_expected.to permit_action(:update) }
end
context 'as guest' do
let(:user) { create(:user) }
it { is_expected.not_to permit_action(:update) }
end
end
See EXAMPLES.md for complete testing examples including:
permit_action matchers