How do you organize your policies?

[stephannv]

When I started using action_policy, I thought that "1 policy per controller" was the best way to organize my policies, eg:

• PostsController => PostPolicy
• Admin::PostsController => Admin::PostPolicy
• PostReportsController => API::PostPolicy
• Admin::FeaturedPostsController => Admin::FeaturedPostPolicy

It is working for my projects, I'm working on other projects that use "1 policy per model/resource" and reuse the policy on multiple controllers, eg.:

class PostPolicy < ApplicationPolicy
  def index? = ...
  
  def create? = ...
  
  def export_report? = ...
  
  def feature? = ...
end

# On PostReportsController 
def create
  authorize :export_report?, ..., with: PostPolicy
end

# On FeaturedPostsController
def create
    authorize :feature?, ..., with: PostPolicy
end

I don't have any objections with the second approach, but I have the feeling it will become harder to maintain, while I know the first approach can be easier to have duplicated/outdated permission code without a proper.

How do you organize your policies and has it worked well??

[ezekg]

I maintain a modest codebase with over 100 policies. I typically do per-model policies. I use a plural namespace for nested resources, which typically line up with nested resource controllers. Sometimes policies are per-controller, and I use a similar naming convention, and explicitly use with: like you mentioned. I also use per-action policies sometimes, too, which I'd look into for e.g. exporting or reports, if you see a need for some separation of concerns.

Lastly, personally, I'm not a fan of the singular namespaces, because it ends up nesting the policy under the Admin class, if you have one, which seems wrong to me — makes more sense to put it under a module (but I wouldn't die on that hill).

[stephannv]

Nice, I was looking keygen-sh codebase this morning, it seems like a nice action_policy study case. Thanks for sharing.

In this example, admin is more like a admin area, and not an admin class, but I understand your point, it could be like AdminDashboard::PostsController, for example. I don't like nesting classes inside AR model classes.