
Pundit

tool
6 connections

The most popular Rails authorization gem. It provides plain-old-Ruby policy classes paired with resources, where each instance method is a permission check; policies are called from controllers and views. It scales better than CanCan but, per Yatish Mehta's wroclove.rb 2025 talk, struggles as apps grow: refactoring is risky because there is no automated way to find upstream or downstream permission dependencies; performance suffers from intermediate object loading and N+1 queries; permission results cannot be cached between requests because the policy logic is an opaque black box; and there is no way to audit why a user was or was not allowed, nor to perform reverse lookups (which users can act on a given resource). Meedan adopted Pundit when they first built Check with GraphQL, because graphql-ruby did not yet offer authorization at the API layer.

Connections

category: library
Pundit is used as the example runtime dependency.

about: Pundit (tool)
Pundit is cited as the authorization gem Meedan uses.

about: Pundit (tool)
Surveyed as the most popular Rails authorization gem, along with its limitations at scale.
Recommends starting with Pundit.
Compares ReBAC to Pundit's scopes feature.

project Check uses Pundit (tool)
Authorization is enforced below GraphQL because graphql-ruby did not offer it at the API layer when Check adopted GraphQL.

Provenance

Total updates
2 extractions
Read by
10 extractions