Authorization libs, addons, experiences?


What do you guys use for advanced authorization beyond, user, guest and admin?

I created a project permit-authorize, which is a bit similar to CanCan in the Rails world.

It uses permit objects as an extra abstraction to encapsulate a specific set of permission rules for some “domain” (any logical entity/grouping/category really). It includes caching for performance and loading of rules from any JSON source (file, data store etc.)

Available for both client and server via npm and bower.

Give it a try :wink:

Minimal dependencies (a few lodash functions, custom light build of lodash).


Disclaimer: I haven’t looked at your repo yet, just responding based off your comment about this begin similar to CanCan.

My initial response is: please make it more like Pundit and less like CanCan. After having unfortunately had to deal with CanCan, then CanCanCan, on a very large app for the last year, I would never ever use it again. There is too much black box behaviour and assumptions within load_and_authorize_x that more often than not requires overriding, or gets thrown out altogether when using service objects rather than plan jane scaffolding. It simply tries to do too much.

Pundit on the other hand is a very lightweight authorization lib that is a bit more verbose in usage, but ultimately very clear and easier to cherry pick into non-scaffold type scenarios (i.e. real life). You simply authorize where required, and use your own code to load objects.

Now, I apologize, as this comes off ranty. But its been a particularly bad week for me regarding CanCan. :slight_smile: So I’ll go look at your code now, haha. Cheers for the effort.


Thanks for your comments and concerns. I should definitely give Pundit a closer look to learn some new ideas and concepts… :wink: The library I created makes no such assumptions. It just provides some APIs you can use where, how and when you like. It provides an Ability class to encapsulate it all with can and cannot functions, but you could easily use it at a lower level if you prefer :slight_smile: There are many hooks for customization and I’m sure there is great room for improvement, simplification (and better performance…).


Would love to hear any other thoughts on this subject myself. Everything I can find (with the exception of ember-declarative-authorization) seems aimed at authorizing requests back to the server. That seems quite important, but also a fairly well-discussed issue.

What seems relatively un-addressed is enabling / disabling UI components that promise functionality that I may or may not deliver. Any best practices in this regard? Seems like it would involve a list of permissions from the server that would be consulted, but haven’t seen much on that topic anywhere …



Yes, I would love to see Pundit-like features myself. I did quite a bit of reading between the different authorization libs; and Pundit came highly recommended. But I really appreciate you taking a stab at this. It looks wonderfully useful and will certainly give it a try! Cheers!


I recently released ember-can which attempts to be as simple and Ember-like as possible.

Example usage:

// app/abilities/post.js
import { Ability } from 'ember-can';
export default Ability.extend({
  canCreate: function() {
    return this.get('user.isAdmin');

Then in your views:

{{#if-can "create post"}}
  {{#link-to ""}}New Post{{/link-to}}

This handles all the bindings, so if the user gets admin rights etc then the view will automatically update as expected.

Or your routes / controllers:

import { CanMixin } from 'ember-can';
export default Ember.Route.extend(CanMixin, {
  beforeModel: function() {
    if (!this.can("create post")) {


Awesome to see that there is finally some action on this… I’m afraid my permit-authorize library had been getting pretty advanced big/complex and I need to divide it into smaller parts that can be added as needed. Not sure when I will have time for that :open_mouth: so good to see other stepping up to the plate. My lib was intended as a stand-alone solution that can be integrated into frontend/backend or in any framework with minimal some wrapper functions. Cheers!