activeadmin · amkisko · Apr 28, 2025 · May 2, 2025 · tagliala · May 2, 2025
diff --git a/Gemfile b/Gemfile
@@ -6,6 +6,7 @@ group :development, :test do
 
   gem "cancancan"
   gem "pundit"
+  gem "action_policy"
 
   gem "draper"
   gem "devise"

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -14,6 +14,8 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    action_policy (0.7.4)
+      ruby-next-core (>= 1.0)
     actioncable (8.0.2)
       actionpack (= 8.0.2)
       activesupport (= 8.0.2)
@@ -397,6 +399,7 @@ GEM
     rubocop-rspec (3.6.0)
       lint_roller (~> 1.1)
       rubocop (~> 1.72, >= 1.72.1)
+    ruby-next-core (1.1.1)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     securerandom (0.4.1)
@@ -453,6 +456,7 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
+  action_policy
   activeadmin!
   cancancan
   capybara

diff --git a/docs/13-authorization-adapter.md b/docs/13-authorization-adapter.md
@@ -283,3 +283,63 @@ in your application instead of default one generated by Pundit's
 
 In addition, there are [example policies](https://github.com/activeadmin/activeadmin/tree/master/spec/support/templates/policies/active_admin)
 for restricting access to ActiveAdmin's pages and comments.
+
+## Using the ActionPolicy Adapter
+
+Active Admin also provides an adapter out of the box for [ActionPolicy](https://github.com/palkan/action_policy).
+
+To use the ActionPolicy adapter, update the configuration in the Active Admin
+initializer:
+
+```ruby
+config.authorization_adapter = ActiveAdmin::ActionPolicyAdapter
+```
+
+Once that's done, Active Admin will pick up your ActionPolicy policies, and use
+them for authorization. For more information about setting up ActionPolicy, see
+[their documentation](https://actionpolicy.evilmartians.io/#/).
+
+You can specify a default policy class that will be used when ActionPolicy is unable
+to find a suitable policy:
+
+```ruby
+config.action_policy_default_policy = MyDefaultPolicy
+```
+
+If you wish to maintain a separate set of ActionPolicy policies for admin
+resources, you may set a namespace here that ActionPolicy will search
+within when looking for a resource's policy:
+
+```ruby
+config.action_policy_namespace = ActiveAdmin
+```
+
+Example policy with namespace and scope type:
+
+```ruby
+module ActiveAdmin
+  class UserPolicy < ApplicationPolicy
+    scope_for(:active_admin) do |relation|
+      user.administrator? ? relation : relation.none
+    end
+
+    def index? = user.administrator?
+
+    def show? = user.administrator?
+
+    def create? = user.administrator?
+
+    def update? = user.administrator?
+
+    def destroy? = user.administrator?
+  end
+end
+```
+
+If you want to use batch actions, ensure that `destroy_all?` method is defined
+in your policy class. You can use this [template
+policy](https://github.com/activeadmin/activeadmin/blob/master/spec/support/templates/policies/action_policy/application_policy.rb)
+in your application.
+
+In addition, there are [example policies](https://github.com/activeadmin/activeadmin/tree/master/spec/support/templates/policies/action_policy/active_admin)
+for restricting access to ActiveAdmin's pages and comments.
diff --git a/features/authorization_action_policy.feature b/features/authorization_action_policy.feature
@@ -0,0 +1,47 @@
+@authorization
+Feature: Authorizing Access using ActionPolicy
+
+  Background:
+    Given I am logged in
+    And 1 post exists
+    And a configuration of:
+    """
+    require 'action_policy'
+
+    ActiveAdmin.application.namespace(:admin).authorization_adapter = ActiveAdmin::ActionPolicyAdapter
+    ActiveAdmin.application.namespace(:admin).action_policy_namespace = :action_policy
+
+    ActiveAdmin.register Post do
+    end
+
+    ActiveAdmin.register_page "No Access" do
+    end
+    """
+    And I am on the index page for posts
+
+  Scenario: Attempt to access a resource I am not authorized to see
+    When I go to the last post's edit page
+    Then I should see "You are not authorized to perform this action"
+
+  Scenario: Viewing the default action items
+    When I follow "View"
+    Then I should not see an action item link to "Edit"
+
+  Scenario: Attempting to visit a Page without authorization
+    When I go to the admin no access page
+    Then I should see "You are not authorized to perform this action"
+
+  Scenario: Viewing a page with authorization
+    When I go to the admin dashboard page
+    Then I should see "Dashboard"
+
+  Scenario: Comment policy allows access to my own comments only
+    Given 5 comments added by admin with an email "commenter@example.com"
+    And 3 comments added by admin with an email "admin@example.com"
+    When I am on the dashboard
+    Then I should see a menu item for "Comments"
+    When I go to the index page for comments
+    Then I should see 3 Comments in the table
+    When I go to the last post's show page
+    Then I should see 3 comments
+    And I should be able to add a comment 
diff --git a/gemfiles/rails_70/Gemfile b/gemfiles/rails_70/Gemfile
@@ -6,6 +6,7 @@ group :development, :test do
 
   gem "cancancan"
   gem "pundit"
+  gem "action_policy"
 
   gem "draper"
   gem "devise"

diff --git a/gemfiles/rails_70/Gemfile.lock b/gemfiles/rails_70/Gemfile.lock
@@ -14,6 +14,8 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    action_policy (0.7.4)
+      ruby-next-core (>= 1.0)
     actioncable (7.0.8.7)
       actionpack (= 7.0.8.7)
       activesupport (= 7.0.8.7)
@@ -236,7 +238,6 @@ GEM
     matrix (0.4.2)
     method_source (1.1.0)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.8)
     minitest (5.25.5)
     multi_test (1.1.0)
     net-imap (0.5.7)
@@ -249,9 +250,6 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.4)
-    nokogiri (1.18.8)
-      mini_portile2 (~> 2.8.2)
-      racc (~> 1.4)
     nokogiri (1.18.8-arm64-darwin)
       racc (~> 1.4)
     nokogiri (1.18.8-x86_64-linux-gnu)
@@ -333,6 +331,7 @@ GEM
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
     rspec-support (3.13.2)
+    ruby-next-core (1.1.1)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     simplecov (0.22.0)
@@ -352,8 +351,6 @@ GEM
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       sprockets (>= 3.0.0)
-    sqlite3 (1.7.3)
-      mini_portile2 (~> 2.8.0)
     sqlite3 (1.7.3-arm64-darwin)
     sqlite3 (1.7.3-x86_64-linux)
     sys-uname (1.3.1)
@@ -380,10 +377,10 @@ GEM
 
 PLATFORMS
   arm64-darwin
-  ruby
   x86_64-linux
 
 DEPENDENCIES
+  action_policy
   activeadmin!
   cancancan
   capybara

diff --git a/gemfiles/rails_71/Gemfile b/gemfiles/rails_71/Gemfile
@@ -6,6 +6,7 @@ group :development, :test do
 
   gem "cancancan"
   gem "pundit"
+  gem "action_policy"
 
   gem "draper"
   gem "devise"

diff --git a/gemfiles/rails_71/Gemfile.lock b/gemfiles/rails_71/Gemfile.lock
@@ -14,6 +14,8 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    action_policy (0.7.4)
+      ruby-next-core (>= 1.0)
     actioncable (7.1.5.1)
       actionpack (= 7.1.5.1)
       activesupport (= 7.1.5.1)
@@ -254,7 +256,6 @@ GEM
     marcel (1.0.4)
     matrix (0.4.2)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.8)
     minitest (5.25.5)
     multi_test (1.1.0)
     mutex_m (0.3.0)
@@ -268,9 +269,6 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.4)
-    nokogiri (1.18.8)
-      mini_portile2 (~> 2.8.2)
-      racc (~> 1.4)
     nokogiri (1.18.8-arm64-darwin)
       racc (~> 1.4)
     nokogiri (1.18.8-x86_64-linux-gnu)
@@ -366,6 +364,7 @@ GEM
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
     rspec-support (3.13.2)
+    ruby-next-core (1.1.1)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     securerandom (0.4.1)
@@ -386,8 +385,6 @@ GEM
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       sprockets (>= 3.0.0)
-    sqlite3 (2.6.0)
-      mini_portile2 (~> 2.8.0)
     sqlite3 (2.6.0-arm64-darwin)
     sqlite3 (2.6.0-x86_64-linux-gnu)
     stringio (3.1.7)
@@ -415,10 +412,10 @@ GEM
 
 PLATFORMS
   arm64-darwin
-  ruby
   x86_64-linux
 
 DEPENDENCIES
+  action_policy
   activeadmin!
   cancancan
   capybara

diff --git a/gemfiles/rails_72/Gemfile b/gemfiles/rails_72/Gemfile
@@ -6,6 +6,7 @@ group :development, :test do
 
   gem "cancancan"
   gem "pundit"
+  gem "action_policy"
 
   gem "draper"
   gem "devise"

diff --git a/gemfiles/rails_72/Gemfile.lock b/gemfiles/rails_72/Gemfile.lock
@@ -14,6 +14,8 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    action_policy (0.7.4)
+      ruby-next-core (>= 1.0)
     actioncable (7.2.2.1)
       actionpack (= 7.2.2.1)
       activesupport (= 7.2.2.1)
@@ -248,7 +250,6 @@ GEM
     marcel (1.0.4)
     matrix (0.4.2)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.8)
     minitest (5.25.5)
     multi_test (1.1.0)
     net-imap (0.5.7)
@@ -261,9 +262,6 @@ GEM
     net-smtp (0.5.1)
       net-protocol
     nio4r (2.7.4)
-    nokogiri (1.18.8)
-      mini_portile2 (~> 2.8.2)
-      racc (~> 1.4)
     nokogiri (1.18.8-arm64-darwin)
       racc (~> 1.4)
     nokogiri (1.18.8-x86_64-linux-gnu)
@@ -359,6 +357,7 @@ GEM
       rspec-mocks (~> 3.13)
       rspec-support (~> 3.13)
     rspec-support (3.13.2)
+    ruby-next-core (1.1.1)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
     securerandom (0.4.1)
@@ -379,8 +378,6 @@ GEM
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       sprockets (>= 3.0.0)
-    sqlite3 (2.6.0)
-      mini_portile2 (~> 2.8.0)
     sqlite3 (2.6.0-arm64-darwin)
     sqlite3 (2.6.0-x86_64-linux-gnu)
     stringio (3.1.7)
@@ -409,10 +406,10 @@ GEM
 
 PLATFORMS
   arm64-darwin
-  ruby
   x86_64-linux
 
 DEPENDENCIES
+  action_policy
   activeadmin!
   cancancan
   capybara

diff --git a/lib/active_admin.rb b/lib/active_admin.rb
@@ -24,6 +24,7 @@ module ActiveAdmin
   autoload :Callbacks, "active_admin/callbacks"
   autoload :Component, "active_admin/component"
   autoload :CanCanAdapter, "active_admin/cancan_adapter"
+  autoload :ActionPolicyAdapter, "active_admin/action_policy_adapter"
   autoload :ControllerAction, "active_admin/controller_action"
   autoload :CSVBuilder, "active_admin/csv_builder"
   autoload :Dependency, "active_admin/dependency"