David Kimura PRO said almost 9 years ago on Complex Strong Parameters :

They are very similar. However, not every application needs pundit. Sometimes a simple role based authorization is sufficient. While I love using a number of gems, it is sometimes better to roll your own solution as it will be something that you can better maintain. Regardless, this episode is meant to show the extraction of strong parameters and allow them to do something a bit more complex. I'll be covering pundit in depth in a future episode.

Personally, I try not to rely on before_actions for security. In some instances, it makes sense. In your example, I would have something similar in an admin namespace. However, I would still build out the proper authorizations in the admin namespace as it would allow for easier expansion down the road. For example, if I have two roles, admin and user, but later want to add a maintainer with certain access within the admin namespace, the framework is already created for the admin and would need to be expanded for a maintainer role.

Overall, I still prefer the extraction of the strong parameters as I have displayed as it allows for the code to be better compartmentalized. However, when compared to Pundit's strong params approach, it is most likely a matter of preference.


Login to Comment