Permit - an authorization library for Phoenix, LiveView and Ecto

Hello!
We’ve released Permit - a new open-source project at Curiosum aiming to make it easier to manage permission-based access control in Elixir applications, supporting Ecto, Phoenix and LiveView. Permit exposes a mostly plain-Elixir, DSL-free syntax to reduce developer confusion and avoid a steep learning curve.

Through Permit.Ecto, Permit is the first authorization library for Elixir to automatically convert authorization conditions to Ecto queries, as well as being the first to integrate seamlessly with Phoenix LiveView with Permit.Phoenix .

If you’re interested in securing your controllers and making resource loading and authorization easier, or you used to like cancancan popular with Rails developers, you might find Permit especially useful (it is very far from being a clone of anything, though). See README for usage examples.

Permit consists of three packages:

• permit v0.1.3 — Documentation - provides the basic syntax for authorization conditions in the app’s business domain
• permit_ecto v0.1.1 — Documentation - provides the means to automatically convert authorization conditions to Ecto queries
• permit_phoenix v0.1.0 — Documentation - plugs Permit and Permit.Ecto into Phoenix controllers and LiveView to automatically preload and authorize records and construct Ecto queries based on authorization conditions and current execution context.

Links:

• Introduction article: Authorize access to your Phoenix app with Permit | Curiosum
• Repositories:
  • GitHub - curiosum-dev/permit: An uniform authorization library for Elixir. Supports Plug and Phoenix LiveView, aims for much more.
  • GitHub - curiosum-dev/permit_ecto
  • GitHub - curiosum-dev/permit_phoenix: Phoenix, Plug and LiveView integrations for the Permit authorization library.
• Elixir Meetup presentations: https://www.youtube.com/watch?v=hvUBR_4T76E, https://www.youtube.com/watch?v=qNl3fKpzQFY

Feel free to contribute and enjoy the usage!

This looks like a really great library for those outside of the Ash ecosystem. Congratulations!

Not quite; Ash has had it’s SAT solving policy authorizer which automatically constrains read and write queries to PostgreSQL (as well as any other supported DataLayer) for several years now.

I’ve seen a similar feature in the LetMe library by @woylie , named “scoped queries”

Very neat never the less!

We’ve taken a look at this some time ago, and it looks to me that scoped queries still require you to define Ecto queries manually - this is good from a specific standpoint, but the approach here is that most conditions should be convertible automatically.

Thank you for pointing us to this, James.

This escaped our attention somehow, and looks to be tightly coupled with Ash altogether, but we’ll update the documentation and other descriptions to take it into account.

Thank you for contributing!

Would you mind to also write few words how it compares to Janus ?

I think you have a copypasta in your README, there are 2 functions called show/2

I wrote Janus

On the surface, it looks like Permit and Janus are very similar! They both prefer plain Elixir and a single source of truth – the same authz rules are used for individual resources as well as scoped Ecto queries.

Permit seems much more feature-complete (Phoenix/LiveView integration) and has corporate backing, which makes it very attractive! I need to look at Permit more carefully, but I’d love to see if there’s anything novel in Janus that could be ported to Permit and potentially retire Janus if they’re as similar as I think they are.