How do you organize your policies? #290

stephannv · 2025-01-30T14:54:03Z

stephannv
Jan 30, 2025

When I started using action_policy, I thought that "1 policy per controller" was the best way to organize my policies, eg:

PostsController => PostPolicy
Admin::PostsController => Admin::PostPolicy
PostReportsController => API::PostPolicy
Admin::FeaturedPostsController => Admin::FeaturedPostPolicy

It is working for my projects, I'm working on other projects that use "1 policy per model/resource" and reuse the policy on multiple controllers, eg.:

class PostPolicy < ApplicationPolicy
  def index? = ...
  
  def create? = ...
  
  def export_report? = ...
  
  def feature? = ...
end

# On PostReportsController 
def create
  authorize :export_report?, ..., with: PostPolicy
end

# On FeaturedPostsController
def create
    authorize :feature?, ..., with: PostPolicy
end

I don't have any objections with the second approach, but I have the feeling it will become harder to maintain, while I know the first approach can be easier to have duplicated/outdated permission code without a proper.

How do you organize your policies and has it worked well??

ezekg · 2025-01-30T15:12:11Z

ezekg
Jan 30, 2025

I maintain a modest codebase with over 100 policies. I typically do per-model policies. I use a plural namespace for nested resources, which typically line up with nested resource controllers. Sometimes policies are per-controller, and I use a similar naming convention, and explicitly use with: like you mentioned. I also use per-action policies sometimes, too, which I'd look into for e.g. exporting or reports, if you see a need for some separation of concerns.

Lastly, personally, I'm not a fan of the singular namespaces, because it ends up nesting the policy under the Admin class, if you have one, which seems wrong to me — makes more sense to put it under a module (but I wouldn't die on that hill).

1 reply

stephannv Jan 30, 2025
Author

Nice, I was looking keygen-sh codebase this morning, it seems like a nice action_policy study case. Thanks for sharing.

In this example, admin is more like a admin area, and not an admin class, but I understand your point, it could be like AdminDashboard::PostsController, for example. I don't like nesting classes inside AR model classes.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

How do you organize your policies? #290

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

How do you organize your policies? #290

Uh oh!

stephannv Jan 30, 2025

Replies: 1 comment · 1 reply

Uh oh!

Uh oh!

ezekg Jan 30, 2025

Uh oh!

stephannv Jan 30, 2025 Author

stephannv
Jan 30, 2025

Replies: 1 comment 1 reply

ezekg
Jan 30, 2025

stephannv Jan 30, 2025
Author