3 posts tagged with "authorization"

Rhino: Rails, but Faster to MVP

· 4 min read
Ehsan Mirdamadi
Rhino Project Maintainer

One of the toughest parts of building an MVP isn't coming up with the idea; it's getting something functional out the door without drowning in boilerplate code. Every hour spent writing controllers, setting up authentication, and plugging in authorization logic is an hour not spent validating the actual product. Rhino exists to cut that overhead. It's an abstraction layer on top of Ruby on Rails designed specifically to help you move fast, handle the boring parts, and still leave room for custom logic when you need it.

Permission-Based Authorization in Rhino

· 8 min read
Ehsan Mirdamadi
Rhino Project Maintainer

Rhino provides robust core authorization and authentication through its policy system. While the default CrudPolicy and role-based policies (AdminPolicy, EditorPolicy, ViewerPolicy) handle most scenarios, some applications require fine-grained, permission-based authorization where individual actions are explicitly granted or denied based on a permissions table.

This guide will explore how to extend Rhino's authorization system with custom permissions while leveraging the existing policy architecture.

A Deep Dive into the Rhino Framework: Part 2 (Authorization and the CrudController)

· 9 min read
Ehsan Mirdamadi
Rhino Project Maintainer

In the first part of this series, we introduced Rhino's Model-Driven Development (MDD) approach and explored how its dynamic routing system generates API endpoints directly from your models. This architecture allows for rapid development, but it requires an equally robust system to secure those endpoints. This post will dissect that next layer, breaking down how Rhino handles authentication (verifying a user's identity) and authorization (determining what that user can do).

At the core of Rhino's security model are established and trusted Ruby gems: devise_token_auth for token-based authentication and pundit for fine-grained authorization. When the optional rhino_organizations module is installed for multi-tenancy, the rolify gem is introduced to enable sophisticated role-based access control (RBAC). We will explore how these components are seamlessly integrated within Rhino's default CrudController and CrudPolicy to provide a secure-by-default foundation for all your API resources, allowing you to build with confidence from the start.