explaingit

varvet/pundit

8,501 · Ruby · Audience: developer · Complexity: 2/5 · License: MIT · Setup: easy

TLDR

Pundit is a Ruby library that adds user permission checks to Rails apps using simple policy classes, one per content type, instead of scattering authorization logic throughout the codebase.

Mindmap

mindmap
  root((Pundit))
    What it does
      Permission checks
      Role-based access
      Record filtering
    Core concepts
      Policy classes
      Scope classes
      authorize method
    Integration
      Rails controllers
      View helpers
      RSpec testing
    Audience
      Rails developers
      Web app teams


Things people build with this

USE CASE 1

Add role-based access control to a Rails app so admins can delete posts but regular users can only edit their own content.

USE CASE 2

Restrict which database records a user can see in list views using Pundit scope classes.

USE CASE 3

Show or hide edit and delete buttons in views based on the current user's permissions.

Tech stack

Ruby · Rails

Getting it running

Difficulty · easy · Time to first run · 30 min

Requires an existing Rails app with authentication already set up; Pundit handles authorization only, not login.

MIT license: use, modify, and distribute freely in any project, including commercial ones.

In plain English

Pundit is a Ruby library that helps web applications decide who is allowed to do what. In most applications, different users have different permissions: an admin might be able to delete posts, while a regular user can only edit their own content. Pundit gives developers a structured way to write those rules as plain Ruby classes, instead of scattering permission checks throughout the codebase.

The core idea is a "policy" class. For each type of content in your app, like a blog post or a user profile, you create a matching policy class that contains the permission rules. A PostPolicy class might say: a user can update this post only if they are an admin, or if the post has not been published yet. These policy classes are ordinary Ruby code, which makes them easy to read, test, and maintain independently.

When a user tries to do something in the application, like edit a post, the developer calls a single authorize method in the controller. Pundit automatically finds the right policy class and checks whether the current user is allowed to perform that action. If the check fails, Pundit raises an error. If it passes, the application continues normally.

Pundit also handles "scopes," which are for listing records. A scope rule answers the question: given a particular user, which items from the database should they see? An admin might see all posts, while a regular visitor only sees published ones. The scope class follows the same pattern as a policy: a plain Ruby class with a resolve method that returns the filtered set.

The library integrates with Rails and works alongside standard Rails conventions. It includes a generator command that scaffolds a base policy file with sensible defaults. Views can also check policy rules to conditionally show or hide edit and delete buttons. Pundit stays intentionally minimal: no database schema, no configuration file, no UI. All permission logic lives in your own policy classes.
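The policy, scope and authorize pattern described above, as an added example that is not Pundit's own code. It writes a PostPolicy and its nested Scope in Pundit's conventions (initialised with the user and the record, one predicate per action, a resolve method for listing) and adds a small stand-in for Pundit's authorize helper so it runs without Rails or the pundit gem. The User and Post structs, the sample records, the deny-by-default ApplicationPolicy and the explicit user argument to authorize are assumptions of this example; in a real app Pundit takes the user from current_user and raises Pundit::NotAuthorizedError.

```ruby
# Added example, not part of the Pundit project. Models and data are constructed
# here so the file runs stand-alone with plain Ruby.
User = Struct.new(:id, :role, keyword_init: true) do
  def admin?
    role == :admin
  end
end

Post = Struct.new(:id, :author_id, :published, keyword_init: true) do
  def published?
    published
  end
end

# Stand-in for Pundit::NotAuthorizedError (assumption: same role, local name).
class NotAuthorizedError < StandardError; end

# Base policy in Pundit's shape: user + record in, one predicate per action.
# Deny by default so a forgotten rule fails closed rather than open.
class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user      # may be nil for a guest
    @record = record
  end

  def show?;    false; end
  def create?;  false; end
  def update?;  false; end
  def destroy?; false; end

  # Scope follows the same pattern: user + collection in, filtered set out.
  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    def resolve
      raise NotImplementedError, "#{self.class} must define #resolve"
    end
  end
end

class PostPolicy < ApplicationPolicy
  # Guests and members see published posts; authors and admins see drafts too.
  def show?
    record.published? || owner? || admin?
  end

  # Admins can edit anything; authors can edit only their own posts.
  def update?
    admin? || owner?
  end

  # Only admins may delete (use case 1 above).
  def destroy?
    admin?
  end

  class Scope < ApplicationPolicy::Scope
    # Admin sees every post, everyone else only published ones. With an
    # ActiveRecord relation this would be scope.where(published: true).
    def resolve
      user&.admin? ? scope : scope.select(&:published?)
    end
  end

  private

  def admin?
    user&.admin? || false
  end

  def owner?
    !user.nil? && record.author_id == user.id
  end
end

# Stand-in for Pundit's authorize: derive the policy class from the record's
# class name, call the "<action>?" predicate, raise when it returns false.
def authorize(user, record, query)
  policy = Object.const_get("#{record.class.name}Policy").new(user, record)
  unless policy.public_send(query)
    raise NotAuthorizedError, "not allowed to #{query} this #{record.class.name}"
  end
  record
end

# Constructed sample data.
ADMIN  = User.new(id: 1, role: :admin)
AUTHOR = User.new(id: 2, role: :member)
GUEST  = nil
POSTS  = [
  Post.new(id: 10, author_id: 2, published: true),
  Post.new(id: 11, author_id: 2, published: false),
  Post.new(id: 12, author_id: 3, published: false),
]

def visible_post_ids(user)
  PostPolicy::Scope.new(user, POSTS).resolve.map(&:id)
end

def allowed?(user, post, action)
  authorize(user, post, action)
  true
rescue NotAuthorizedError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "admin sees:  #{visible_post_ids(ADMIN).inspect}"
  puts "author sees: #{visible_post_ids(AUTHOR).inspect}"
  puts "guest sees:  #{visible_post_ids(GUEST).inspect}"
  puts "author may edit own draft:      #{allowed?(AUTHOR, POSTS[1], :update?)}"
  puts "author may delete own post:     #{allowed?(AUTHOR, POSTS[0], :destroy?)}"
  puts "guest may view unpublished:     #{allowed?(GUEST, POSTS[1], :show?)}"
end
```

The deny-by-default base class is the design choice worth copying: a new controller action with no matching predicate is refused until someone writes the rule, which is the failure mode you want from an authorization layer.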

Copy-paste prompts

Prompt 1
Using Pundit in my Rails app, write a PostPolicy class where admins can do anything, authors can edit and delete their own posts, and guests can only read.
Prompt 2
Show me how to use Pundit scopes so a regular user only sees published posts but an admin sees all posts in the database.
Prompt 3
How do I call authorize in a Rails controller action with Pundit and handle the NotAuthorizedError when a user is denied?
Prompt 4
Write an RSpec test for a Pundit PostPolicy that verifies an admin can update any post but a regular user cannot update someone else's post.
Prompt 5
Walk me through adding Pundit to an existing Rails app: install, application policy setup, and wiring up the first controller.