← Back
active-admin pundit rails

Add pundit to ActiveAdmin

Add Pundit to active_admin #

config/initializers/active_admin.rb:

  config.authorization_adapter = ActiveAdmin::PunditAdapter
  config.pundit_default_policy = 'ApplicationPolicy'

Add pundit to ApplicationController:

app/controllers/application_controller.rb:

# frozen_string_literal: true

require 'application_responder'

class ApplicationController < ActionController::Base

  include Pundit
  protect_from_forgery with: :exception

  self.responder = ApplicationResponder
  respond_to :html, :json

end

Create an ApplicationPolicy #

Pundit has a generator for that purpose:

rails g pundit:install

Make ApplicationPolicy true by default for all actions. Some rational aliases:

app/policies/application_policy.rb:

# frozen_string_literal: true

class ApplicationPolicy

  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  def index?
    true
  end

  def show?
    scope.where(id: record.id).exists?
  end

  def new?
    create?
  end

  def create?
    true
  end

  def edit?
    update?
  end

  def update?
    true
  end

  def destroy?
    true
  end

  def destroy_all?
    true
  end

  def scope
    Pundit.policy_scope!(user, record.class)
  end

  class Scope

    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      scope
    end

  end

end

Add a model policy with scope #

This example policy scopes the result of the ActiveAdmin interface based on user.products relation. It also prevents a normal user of creating or deleting products:

app/policies/product_policy.rb:

# frozen_string_literal: true

class ProductPolicy < ApplicationPolicy

  class Scope

    attr_reader :user, :scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      if user.admin?
        scope.all
      else
        ids = user.products.pluck(:id)
        scope.where(id: ids)
      end
    end

  end

  def create?
    user.admin?
  end

  def destroy?
    user.admin?
  end

end

Continue with all your models.

Pages and comments #

ActiveAdmin's pages and comments can be authorized too:

app/policies/active_admin/page_policy.rb:

# frozen_string_literal: true

module ActiveAdmin
  class PagePolicy < ApplicationPolicy
    def show?
      case record.name
      when "Dashboard"
        true
      else
        false
      end
    end
  end
end