Closed msimkins closed 11 years ago

An application using Omniauth will either have the current_user method set to the user record, or nil (no one logged in).
While accessing an Authority protected resource, it will return the error
undefined_method 'can_read?' for nil:nilClass
Is there a way to say if the current_user (or the user method specified) returns nil, the methods as a default should just return false, rather than erroring?

Mike,
We've discussed this before and decided not to handle this case. The reason is that authentication (who is this user?) and authorization (what can User X do?) are separate concerns, and Authority aspires to handle the latter and leave the former totally up to you (or another gem). From Authority's perspective, it doesn't make sense to ask what you can do if it doesn't know who you are.
If somebody is trying to access a resource that needs permissions and they aren't signed in, personally I would redirect them to sign in before Authority ever gets involved (e.g. via an earlier before_action). Once they sign in, we can come back and decide if they're authorized.
Alternately, you can implement some kind of NullUser and define its abilities for Authority.
You can read more about this on issue 32.
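The NullUser approach the maintainer suggests, shown as an added example that is not the Authority project's code: a null object that answers every can_<verb>? query with false, plus a controller stand-in that combines both strategies from the thread (anonymous users are sent to sign in, signed-in but unauthorized users get a forbidden result). It assumes only Authority's can_<verb>? naming; DemoUser and DemoController are constructed stand-ins.

```ruby
# Added example, not the Authority project's own code. NullUser stands in for
# "nobody is signed in" and answers every can_<verb>? query with false, so an
# anonymous visitor is denied instead of raising NoMethodError on nil.
# Assumes Authority's can_<verb>? naming; DemoUser/DemoController are stand-ins.

ABILITY_QUERY = /\Acan_\w+\?\z/

class NullUser
  # Any ability query (can_read?, can_update?, or a custom can_publish?)
  # returns false; every other message still raises, so typos stay visible.
  def method_missing(name, *args)
    name.to_s.match?(ABILITY_QUERY) ? false : super
  end
  def respond_to_missing?(name, include_private = false)
    name.to_s.match?(ABILITY_QUERY) || super
  end
  def signed_in?
    false
  end
end

# Minimal signed-in user: admins may do anything, everyone else may only read.
class DemoUser
  def initialize(admin: false)
    @admin = admin
  end
  def signed_in?
    true
  end
  %i[create read update delete].each do |verb|
    define_method(:"can_#{verb}?") { |_resource, *_opts| @admin || verb == :read }
  end
end

# Stand-in for a controller whose current_user Authority would consult.
class DemoController
  def initialize(session_user)
    @session_user = session_user
  end
  # Fall back to the null object when the session carries no user.
  def current_user
    @session_user || NullUser.new
  end
  # :ok, :forbidden (signed in but denied) or :redirect_to_sign_in (anonymous),
  # i.e. the two strategies from the thread combined.
  def authorize(verb, resource)
    return :ok if current_user.public_send(:"can_#{verb}?", resource)
    current_user.signed_in? ? :forbidden : :redirect_to_sign_in
  end
end
```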