oop-policy-objects


Policy Objects

What it is

A Policy Object answers the question "can this user perform this action on this resource?" It encapsulates authorization logic for one resource, with one method per action. Controllers and views query the policy rather than embedding inline admin? or ownership checks.

Policy objects work well with Pundit (the gem), but the pattern is plain Ruby and doesn't require it.

Would inline checks do?

Keep authorization inline when:

  • There is only one role check (admin? or owner?) at one call site
  • The app is simple enough that current_user.admin? everywhere is clear

Extract a policy object when:

  • The same resource has different rules for different actions (can view? != can edit?)
  • Multiple roles have different permissions (admin, editor, viewer)
  • Authorization logic is duplicated across 2+ controllers or views
  • You want to test authorization in isolation
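
The pattern above in plain Ruby, as an added example that is not part of the skill itself: an ArticlePolicy for a hypothetical Article resource with admin, editor and viewer roles, plus a controller-side authorize! helper in the spirit of Pundit's. The model stand-ins, role names and rules are assumptions for illustration.

```ruby
# Stand-ins for the app's User and Article models, constructed for this example.
User = Struct.new(:id, :role, keyword_init: true)
Article = Struct.new(:id, :author_id, :published, keyword_init: true)

class NotAuthorizedError < StandardError; end

# One policy per resource, one predicate method per action. The roles
# (admin, editor, viewer) and the rules below are assumed, not from the skill.
class ArticlePolicy
  def initialize(user, article)
    @user = user       # nil when nobody is signed in
    @article = article
  end

  # Read: anyone may see a published article; drafts are visible only to
  # the author, editors and admins.
  def show?
    return true if @article.published
    admin? || editor? || owner?
  end

  # Edit: admins, editors and the author, whether published or not.
  def update?
    admin? || editor? || owner?
  end

  # Delete: admins always; the author only while the article is still a draft.
  def destroy?
    admin? || (owner? && !@article.published)
  end

  private

  # Each role check denies by default when there is no signed-in user.
  def admin?
    !@user.nil? && @user.role == :admin
  end

  def editor?
    !@user.nil? && @user.role == :editor
  end

  def owner?
    !@user.nil? && @user.id == @article.author_id
  end
end

# Controller-side entry point: ask the policy instead of checking roles inline.
# The action symbol is supplied by the controller, never taken from request params.
def authorize!(user, action, article)
  policy = ArticlePolicy.new(user, article)
  raise NotAuthorizedError, "#{action} not permitted" unless policy.public_send(:"#{action}?")
  true
end
```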

Installs: 2
First seen: May 8, 2026
oop-policy-objects — gierd-inc/dev-skills