Move to CanCanCan for authorization #2023
I've taken #1904, brought it up to date, and resolved a couple of things that I'd noticed and added a few more refactorings, including the first use of the
At this point, do we want to merge what we have already and then refactor the rest of the controllers in subsequent PRs, or should we wait until we're ready with a comprehensive PR that covers all controllers?
I assume (given your question) that this can be used as is and the existing technology continues to work for unconverted methods?
If that is the case then I have no objection in principle to merging this and then proceeding with further refactoring separately.
I've pushed a few more changes, in particular a slight reworking of the token handling which I think makes the behaviour more obvious.
I also tried to convert another couple of controllers, but realised that there are a few edge cases in each case which deserve their own PR, so I don't think I'll expand the scope of this any further yet!
So that turns out to be quite a complicated question ;-)
Secondly if it is an access token and
So in principle there is no security issue so long as we check the token is an access token but on the other hand if
I think so, and long term it should mean we can get rid of
Fully achieving that will require also handling basic auth when setting up abilities. Plus we'll have to figure out what to do with the user blocks check...