Need help with restful_acl?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

122 Stars 14 Forks MIT License 127 Commits 0 Opened issues


Rails gem/plugin that provides contextual access control to RESTful resources.

Services available


Need anything else?

Contributors list

# 450,946
112 commits
# 346,770
1 commit


RESTful_ACL is a full-stack context-based permission engine. It provides access control that is contextually aware. (If a parent is closed, a child is not editable, etc.) Permission is as simple as true or false.

Rails 3

RESTful_ACL 3.1 and on are Rails 3 ready. Rails 2 will no longer be supported. Sorries.


RESTfulACL requires the notion of a `currentuser`. Most authenticaion plugins provide this (AuthLogic, RESTful_Authentication, etc.)

How to Install

Install the RESTful_ACL gem:

sudo gem install restful_acl -s

Add the gem to your Gemfile file as thus:

gem "restful_acl"

RESTful_ACL requires a named route named "denied". Add the following to your routes.rb file:

map.denied 'denied', :controller => 'some_controller', :action => 'denied_action'



before_filter :has_permission?
into any controller that you'd like to restrict access to (or
for your entire app).


Define the following five methods in the model of every resource you'd like to restrict access to. The five methods can contain anything you'd like so long as they return a boolean true or false. This allows you to define your User's roles any way you wish.

class Issue < ActiveRecord::Base

This method checks permissions for the :index action

def self.is_indexable_by(user, parent = nil) end

This method checks permissions for the :create and :new action

def self.is_creatable_by(user, parent = nil) end

This method checks permissions for the :show action

def is_readable_by(user, parent = nil) end

This method checks permissions for the :update and :edit action

def is_updatable_by(user, parent = nil) end

This method checks permissions for the :destroy action

def is_deletable_by(user, parent = nil) end


Parent / Child resources

Sometimes actions should only be allowable on a resource if some "parent" resource allows them. Contextual permissions FTW.

Link your "child" resource with its "parent" resource by using the

macro and you'll have access to the "parent" resource in your child's RESTful_ACL methods.
class Child < ActiveRecord::Base
  logical_parent :parent

If the "child" resource is a singleton, just pass

to the
class Car < ActiveRecord::Base
  logical_parent :owner, :singleton

View Helper

RESTfulACL adds a view helper called

. Simply pass this method a block containing the URL you'd like to check permission on and it will do the rest. The link will appear if the `currentuser` is allowed to access the passed-in link's action.

= allowed?{ link_to ‘Foo Index’, foos_path }
= allowed?{ link_to 'Edit Foo', edit_foo_path(@foo) }
= allowed?{ link_to 'Create Foo', new_foo_path }
= allowed?{ link_to 'View Foo', foo_path(@foo) }
= allowed?{ link_to 'Delete Foo', foo_path(@foo), :method => :delete }

Huh? Here's an example

Let's say that you have two resources:

. A Project has many Issues, an Issue belongs to a Project. I'd like to make sure that the current user is a member of the Project before they can create a new Issue in that Project:
class Issue < ActiveRecord::Base
  logical_parent :project

belongs_to :author belongs_to :project

def self.is_indexable_by(user, parent = nil) user.projects.include?(parent) end

def self.is_creatable_by(user, parent = nil) user.projects.include?(parent) end

def is_updatable_by(user, parent = nil) user == author && parent.is_active? end

def is_deletable_by(user, parent = nil) user == author end

def is_readable_by(user, parent = nil) user.projects.include?(parent) end end

If you still have questions, please checkout the test app

Admins RULE!

RESTfulACL grants global access to all actions to site administrators. To enable this, make sure that your User model defines an `isadmin?

method *and/or* an
attribute. If the
user.is_admin?` returns true, access will be granted automatically.

How to Test

I normally do something along these lines in RSpec:

describe "Issue" do
  before do
    @project = mock_model(:project)
    @author  = mock_model(:user, :projects => [@project])
    @issue   = Factory(:issue, :author => @author, :project => @project)

it "should be modifiable by the author when the Project is active" do @project.stub!(:is_active? => true) @issue.is_updatable_by(@author, @project).should be_true end

it "should be deletable by the author" do @issue.is_deletable_by(@author, @project).should be_true end

it "should be readable by those assigned to the Project" do Issue.is_readable_by(@author, @project).should be_true end

it "should be creatable by those assigned to the Project" do Issue.is_creatable_by(@author, @project).should be_true end end

About the Author

My name is Matt Darby. I’m an IT Manager and pro-web-dev at for Dynamix Engineering and hold a Master’s Degree in Computer Science from Franklin University in sunny Columbus, OH.

Feel free to check out my site or recommend me

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.