This means that you define what the user can do, which results in clean, readable policies regardless of application complexity. You don't have to worry about juggling cans and cannots in a very convoluted way!
Based on the README, my understanding is that access to controller actions should raise an error if not specified in access_policy.rb. That doesn't seem to be the case in my example. I am setting current_user when the User has not logged in yet and assigning role = 'locked'.
Based on access_policy.rb, a user with a role of 'locked' should only be able to read from one specific action; however, in my example the user is allowed to perform any action. It appears that the application_policy is not being applied to this new user, not sure why.
Yes, I am specifying authorize! in each controller action.
```ruby
class AccessPolicy
  include AccessGranted::Policy

  def configure
    # None of these roles is given a condition (hash or proc) as the second
    # argument. In access_granted a role without a condition applies to every
    # user, so each role below also applies to a user whose role is 'locked'.
    role :superhero do
      can :manage, Company
      can :index, Company   # already implied by :manage above
      can :manage, Event
    end

    role :admin do
      can :manage, User
      can :manage, App
      can :manage, Event
    end

    role :member do
      can :index, App
      can :index, User
      can :index, Event
    end

    role :locked do
      # @page is an uninitialised instance variable (nil) when configure runs,
      # so no model class is named here, unlike the README's `can :read, Klass` form.
      can :read, @page
    end
  end
end
```
application_controller.rb
user.rb
access_policy.rb
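The policy above defines every role without a condition, and the access_granted README documents that a role with no condition applies to all users, so a 'locked' user also matches :superhero and :admin and inherits their :manage permissions. The following is an added example, not code from the question or from the access_granted gem: a small, dependency-free model of that role-matching rule, so the unconditional policy and a corrected one gated on user.role can be compared outside Rails. Assumed names: User carries a `role` string, Company and Event are stand-in subject classes, and Page is assumed as the single resource the locked role may read.

```ruby
# Added example (not the question's code and not the access_granted gem itself):
# a dependency-free model of role matching that follows the same documented rule
# the gem uses: a role without a condition applies to every user.
# Assumed names: User has a `role` string; Company, Event and Page are stand-in
# subject classes (Page is assumed for the locked role's single readable resource).

User    = Struct.new(:role)
Company = Class.new
Event   = Class.new
Page    = Class.new

class AccessDenied < StandardError; end

class MiniPolicy
  Role = Struct.new(:name, :condition, :permissions) do
    # No condition => the role applies to everyone; a Hash compares user
    # attributes; a Proc is called with the user.
    def applies_to?(user)
      case condition
      when nil  then true
      when Hash then condition.all? { |attr, val| user.public_send(attr) == val }
      when Proc then condition.call(user)
      else false
      end
    end
  end

  def initialize
    @roles = []
    configure
  end

  # DSL: role(:name, optional_condition) { can :action, Klass }
  def role(name, condition = nil, &block)
    @current = Role.new(name, condition, [])
    instance_eval(&block)
    @roles << @current
    @current = nil
  end

  def can(action, subject)
    # :read is expanded to :read, :index and :show (an assumption of this model).
    actions = action == :read ? [:read, :index, :show] : [action]
    actions.each { |a| @current.permissions << [a, subject] }
  end

  # Granted if any role that applies to the user holds a matching permission.
  # :manage matches every action; subjects match by class or subclass.
  def can?(user, action, subject)
    klass = subject.is_a?(Class) ? subject : subject.class
    @roles.any? do |r|
      r.applies_to?(user) && r.permissions.any? do |act, subj|
        (act == :manage || act == action) && subj.is_a?(Class) && klass <= subj
      end
    end
  end

  # What a controller's authorize! call boils down to: raise unless allowed.
  def authorize!(user, action, subject)
    raise AccessDenied, "#{user.role} cannot #{action} #{subject}" unless can?(user, action, subject)
    true
  end
end

# The shape used in the question: no conditions, so every role applies to every user.
class UnconditionalPolicy < MiniPolicy
  def configure
    role(:superhero) { can :manage, Company; can :manage, Event }
    role(:admin)     { can :manage, User;    can :manage, Event }
    role(:locked)    { can :read,   Page }
  end
end

# Corrected: each role is gated on user.role, so a 'locked' user only gets :locked.
class ConditionalPolicy < MiniPolicy
  def configure
    role(:superhero, { role: 'superhero' }) { can :manage, Company; can :manage, Event }
    role(:admin,     { role: 'admin' })     { can :manage, User;    can :manage, Event }
    role(:locked,    { role: 'locked' })    { can :read,   Page }
  end
end

def locked_user_can_manage_company?(policy_class)
  policy_class.new.can?(User.new('locked'), :manage, Company)
end

if __FILE__ == $PROGRAM_NAME
  locked = User.new('locked')
  puts "unconditional: locked manages Company? #{UnconditionalPolicy.new.can?(locked, :manage, Company)}"
  puts "conditional:   locked manages Company? #{ConditionalPolicy.new.can?(locked, :manage, Company)}"
  begin
    ConditionalPolicy.new.authorize!(locked, :manage, Company)
  rescue AccessDenied => e
    puts "authorize! raised: #{e.message}"
  end
end
```

With the real gem the equivalent fix is to pass a condition to each role, for example `role :locked, { role: 'locked' } do ... end` (or a proc such as `proc { |u| u.role == 'locked' }`), and to name a model class rather than an instance variable in `can :read`.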