Hi Team, recently in our Rails application, while implementing role-based access for some of our features, we ended up creating multiple custom methods. At that point we thought to have a common solution for it; let me break it down more clearly below:
Problem Statement
In many applications, different users have different access levels, meaning they can see or edit only certain data based on their role (e.g., admin, user). Currently, to control this access, Rails developers have to write custom code, typically spread across models, controllers, or views. This approach can make code harder to maintain and can introduce security issues if access control isn’t consistently applied.
For example, if we want only an admin to edit an employee’s salary but allow regular users to view it, we often have to add custom role-checking code in multiple places. This adds complexity and can lead to inconsistencies in access control.
Proposed Solution
I propose adding role-based access control directly within ActiveModel attributes. This would allow developers to define access levels on attributes in one place, making it easier to secure and understand.
With this feature, we could set access permissions like this:
    class Employee
      include ActiveModel::Model
      # `attribute` is provided by ActiveModel::Attributes, so the plain
      # attr_accessor declarations are not needed alongside it.
      include ActiveModel::Attributes

      # `roles:` is the proposed option: :rw = read and write, :r = read only
      attribute :salary, roles: { admin: :rw, user: :r }
      attribute :notes, roles: { admin: :rw, manager: :r }
    end
In this example:
- Admins could read and write both salary and notes.
- Users could only read the salary attribute, not modify it.
- Managers could read notes but not salary.
This approach would automatically apply role-based access to the defined attributes, reducing the need for repetitive role-checking code throughout the application.
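To make the proposal concrete, here is an added plain-Ruby sketch (not ActiveModel code, and not part of the original post) of how a `roles:` option on `attribute` could be enforced; `RoleAccessible`, `AccessDenied` and `current_role` are assumed names. It denies by default: a role that is not listed for an attribute, or a missing role, can neither read nor write it.

```ruby
# Added example, not ActiveModel code: a plain-Ruby sketch of the proposed
# `attribute :name, roles: { role => :rw | :r }` option. The role map is
# recorded per attribute and checked in the generated reader and writer.
module RoleAccessible
  class AccessDenied < StandardError; end

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Role maps per attribute, e.g. { salary: { admin: :rw, user: :r } }
    def attribute_roles
      @attribute_roles ||= {}
    end

    # The proposed API: attribute :salary, roles: { admin: :rw, user: :r }
    def attribute(name, roles: {})
      attribute_roles[name] = roles
      ivar = "@#{name}"

      define_method(name) do
        authorize!(name, :read)
        instance_variable_get(ivar)
      end

      define_method("#{name}=") do |value|
        authorize!(name, :write)
        instance_variable_set(ivar, value)
      end
    end
  end

  # The acting role is set by the caller (e.g. from the session), not by the model.
  attr_accessor :current_role

  # Deny by default: an unlisted role (or no role) gets nil and is refused.
  def authorize!(name, action)
    level = self.class.attribute_roles.fetch(name)[current_role]
    allowed = level == :rw || (action == :read && level == :r)
    raise AccessDenied, "#{current_role.inspect} cannot #{action} #{name}" unless allowed
  end
end

class Employee
  include RoleAccessible
  attribute :salary, roles: { admin: :rw, user: :r }
  attribute :notes,  roles: { admin: :rw, manager: :r }
end
```

Because the check lives in the generated accessors, every read or write path in controllers and views goes through the same rule, which is the consistency the proposal is after.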
Benefits
- Cleaner Code: By defining access control at the attribute level, we keep the code clear and reduce the need for repetitive logic across the application.
- Better Security: Centralized control ensures that data access rules are applied consistently.
- Ease of Maintenance: Updating access policies would be simple, as access control would be specified within the model itself.
We would love feedback to see if this idea resonates with the community and could be a useful addition to Rails.
If it is found to be a useful addition, kindly let us know and we will create a pull request to implement the feature.
Thank you