Add Authorization using Pundit

[srb-]

• Adds Auth policy via the pundit gem
• Creates a sample policy for aircraft creation
• Permissions stored in a context field on the User object
• Modified the Aircraft show view to have policy-dependent behavior
• Modified the User views to have a virtual attribute wing_admin so we can easily toggle users in and out of admin to check permissions
  • used a constant for the permission - obviously if we did real RBAC we'd make some sort of dynamic list

Testing:

• manual, and added unit tests

[srb-]

I'm wondering if Pundit is even needed, as now that I can browse the the app's source, it doesn't look like policies are ever applied directly to noticed classes? But I could be wrong.

[pJeyakumar]

@srb- it would be useful to have a toggle in the /users/:id/edit page to allow us to grant the user the necessary permissions in the policy (e.g. "app:dispatch:wing_admin").

• instead of having to manually update the User record in rails console to grant the user with the permission (if we were trying to test on localhost)

[srb-]

@srb- it would be useful to have a toggle in the /users/:id/edit page to allow us to grant the user the necessary permissions in the policy (e.g. "app:dispatch:wing_admin").

• instead of having to manually update the User record in rails console to grant the user with the permission (if we were trying to test on localhost)

Good suggestion. I added an 'admin' virtual attribute in the User views... I didn't bother adding it to the Devise views - happy to do so if people think it'd be helpful.