# varvet/pundit

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/varvet-pundit).**

8,509 stars · 644 forks · Ruby · MIT

## Links

- GitHub: https://github.com/varvet/pundit
- awesome-repositories: https://awesome-repositories.com/repository/varvet-pundit.md

## Topics

`ruby`

## Description

Pundit is an authorization framework for Ruby applications that enforces permissions through plain Ruby policy objects. It maps controller actions to policy methods, inferring the policy class from the record (a `Post` resolves to `PostPolicy`) and the query method from the action name (`update` calls `update?`), and raises `Pundit::NotAuthorizedError` when the query method returns false.

The framework distinguishes itself by using plain Ruby classes without external DSLs or configuration files, and by providing an after-action verification guard (`verify_authorized`) that raises an error if a controller action completes without an authorization call; the guard is a failsafe against forgotten checks, not an authorization check in itself. It also supports namespace-based policy organization, allowing different contexts such as an admin area to use separate policy classes, and includes a scope-class mechanism (`policy_scope`) that restricts database query results to records the current user is permitted to see.

Additional capabilities include overriding the default user resolution method (`pundit_user`, which defaults to `current_user`), rescuing `Pundit::NotAuthorizedError` with `rescue_from` to redirect users with custom messages, and testing policy permissions through expressive specs that state which roles are allowed or denied specific actions. The project also maintains a code of conduct to govern community interactions.
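The conventions described above, as an added example that is not code from the Pundit project or its README. The policy classes follow Pundit's shape (`initialize(user, record)`, one `<action>?` query method per action, a nested `Scope` with `resolve`); `User`, `Post`, the `Authorizer` module and `PostsController` are constructed stand-ins that imitate how Pundit infers `PostPolicy` from the record class and `show?` from the action name, so the file runs without Rails or the pundit gem. The three posts are constructed sample data.

```ruby
# Added example (not code from the Pundit project). The policy classes follow
# Pundit's conventions: initialize(user, record), "<action>?" query methods,
# and a nested Scope whose #resolve narrows a collection. Authorizer and
# PostsController are stand-ins for Pundit's controller helpers, written so
# this file runs without Rails or the pundit gem.
User = Struct.new(:id, :admin, keyword_init: true)
Post = Struct.new(:id, :author_id, :published, keyword_init: true) do
  def self.all # constructed in-memory table, standing in for an ActiveRecord relation
    [new(id: 1, author_id: 1, published: true),
     new(id: 2, author_id: 1, published: false), # user 1's unpublished draft
     new(id: 3, author_id: 2, published: true)]
  end
end

class NotAuthorizedError < StandardError; end             # cf. Pundit::NotAuthorizedError
class AuthorizationNotPerformedError < StandardError; end # cf. Pundit::AuthorizationNotPerformedError

class ApplicationPolicy
  attr_reader :user, :record
  def initialize(user, record)
    raise NotAuthorizedError, 'must be logged in' unless user # anonymous callers get nothing
    @user = user
    @record = record
  end

  # Deny by default; each subclass opts its actions in explicitly.
  def show?; false; end
  def update?; false; end
end

class PostPolicy < ApplicationPolicy
  def show?
    record.published || owner? || user.admin
  end
  def update?
    owner? || user.admin
  end

  # policy_scope(Post) resolves through this class, so a listing never leaks a
  # draft that show? would deny the same user on a direct request.
  class Scope
    def initialize(user, scope); @user, @scope = user, scope; end
    def resolve
      return @scope if @user.admin
      @scope.select { |post| post.published || post.author_id == @user.id }
    end
  end

  private
  def owner?; record.author_id == user.id; end
end

# Hypothetical stand-in for Pundit's helpers: policy class "<Model>Policy",
# query method "<action_name>?", user taken from pundit_user.
module Authorizer
  def authorize(record, query = nil)
    query ||= "#{action_name}?"
    policy = Object.const_get("#{record.class.name}Policy").new(pundit_user, record)
    raise NotAuthorizedError, "not allowed to #{query} #{record.class.name} #{record.id}" unless policy.public_send(query)
    @authorization_performed = true
    record
  end

  def policy_scope(model, scope = model.all)
    @authorization_performed = true
    Object.const_get("#{model.name}Policy::Scope").new(pundit_user, scope).resolve
  end

  def verify_authorized # after_action failsafe for actions that forgot to authorize
    return if @authorization_performed
    raise AuthorizationNotPerformedError, "#{action_name} ran without an authorization check"
  end

  def pundit_user # defaults to current_user; override to authorize as another object
    current_user
  end
end

class PostsController
  include Authorizer
  attr_reader :current_user, :action_name
  def initialize(current_user); @current_user = current_user; end

  # Runs one action, then the failsafe. A denial becomes a :forbidden result,
  # standing in for a rescue_from handler that redirects with a flash message.
  def dispatch(action, post = nil)
    @action_name = action.to_s
    @authorization_performed = false
    result = public_send(action, post)
    verify_authorized
    result
  rescue NotAuthorizedError => e
    [:forbidden, e.message]
  end

  def index(_ = nil); policy_scope(Post).map(&:id); end
  def show(post);     authorize(post).id;           end
  def update(post);   authorize(post).id;           end
  def preview(post);  post.id;                      end # forgot authorize; verify_authorized catches it
end
```

Two things the example is meant to show. First, `Scope#resolve` and `show?` encode the same rule, so the index listing cannot reveal a draft that a direct `show` request would refuse; keeping the two in step is the usual defence against object-level leaks. Second, `verify_authorized` only proves that some `authorize` or `policy_scope` call ran during the action, not that it checked the right record or query, which is why it belongs in an `after_action` hook as a safety net rather than as the authorization itself.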

## Tags

### Security & Cryptography

- [Ruby Authorization Frameworks](https://awesome-repositories.com/f/security-cryptography/ruby-authorization-frameworks.md) — An authorization library that enforces permissions through plain Ruby policy objects.
- [Authorization Policies](https://awesome-repositories.com/f/security-cryptography/authorization-policies.md) — Encapsulates authorization logic in plain Ruby policy objects with query methods for actions.
- [Controller Action Authorization](https://awesome-repositories.com/f/security-cryptography/permission-based-access-control/team-action-permission-checks/controller-action-authorization.md) — Authorizes controller actions by inferring policy classes and calling the matching query method. ([source](https://cdn.jsdelivr.net/gh/varvet/pundit@main/README.md))
- [Policy-Based Access Control](https://awesome-repositories.com/f/security-cryptography/policy-based-access-control.md) — Maps controller actions to policy classes and query methods for permission checks.
- [Authorization Coverage Auditing](https://awesome-repositories.com/f/security-cryptography/secure-storage/security-auditing/authorization-coverage-auditing.md) — Raises an exception if a controller action completes without an authorization check, as a failsafe against forgotten `authorize` calls. ([source](https://cdn.jsdelivr.net/gh/varvet/pundit@main/README.md))
- [Customizable User Lookups](https://awesome-repositories.com/f/security-cryptography/default-credential-lookups/customizable-user-lookups.md) — Overrides the default user lookup so authorization uses a different method or object. ([source](https://cdn.jsdelivr.net/gh/varvet/pundit@main/README.md))
- [Policy Permission Specs](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/data-resource-permissions/relationship-based-access-controls/permission-model-test-suites/policy-permission-specs.md) — Provides expressive test specs for validating which roles are allowed or denied specific actions. ([source](https://cdn.jsdelivr.net/gh/varvet/pundit@main/README.md))
- [Authorization Exception Rescue](https://awesome-repositories.com/f/security-cryptography/identity-access-management/access-control/deny-list-policies/authorization-exception-rescue.md) — Catches denied-permission exceptions to redirect users with custom messages or error pages. ([source](https://cdn.jsdelivr.net/gh/varvet/pundit@main/README.md))
- [Namespace Grouping](https://awesome-repositories.com/f/security-cryptography/policy-based-access-control/namespace-grouping.md) — Groups policies under module prefixes to separate authorization rules for different contexts.

### Business & Productivity Software

- [Authorization Coverage Guards](https://awesome-repositories.com/f/business-productivity-software/time-tracking-software/development-time-attribution/authorization-coverage-guards.md) — Provides an after-action guard that raises an error if an action runs without an authorization call.

### Data & Databases

- [Authorization Scope Classes](https://awesome-repositories.com/f/data-databases/database-query-builders/query-scopes/authorization-scope-classes.md) — Restricts database queries to authorized records using policy-defined scope classes. ([source](https://cdn.jsdelivr.net/gh/varvet/pundit@main/README.md))

### Development Tools & Productivity

- [Authorization Query Scopes](https://awesome-repositories.com/f/development-tools-productivity/search-query-filters/scope-restrictions/authorization-query-scopes.md) — Limits database query results to records the current user is permitted to see.
- [Policy-Defined Query Scopes](https://awesome-repositories.com/f/development-tools-productivity/search-query-filters/scope-restrictions/policy-defined-query-scopes.md) — Filters database queries through policy-defined scope classes to restrict results to authorized records.

### Software Engineering & Architecture

- [Authorization Exception Flows](https://awesome-repositories.com/f/software-engineering-architecture/exception-raising-mechanisms/exception-driven-control-flows/authorization-exception-flows.md) — Raises custom exceptions on denied permissions that can be rescued for user-friendly responses.

### Web Development

- [Controller Action Resolution](https://awesome-repositories.com/f/web-development/controller-action-resolution.md) — Maps controller action names to policy methods for automatic permission checking.

### Part of an Awesome List

- [Customizable User Resolution](https://awesome-repositories.com/f/awesome-lists/devtools/user-permissions/per-user-permission-overrides/customizable-user-resolution.md) — Enables customization of the user lookup method for authorization checks.
