Use case for JS applications:
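    # find_by_id returns nil (rather than raising) when no record matches
    if @post = Post.find_by_id(params[:id])
      authorize! :show, @post
      render :status => 200, :text => '...'
    else
      # record not found: there is no object to authorize against
      render :status => 500, :text => '...'
    end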
Currently, in place of skip_authorization_check I'm having to put @_authorized = true, which is a bit of a hack, but works well.
    @_authorized = true
You can define this in your ability.rb instead, usually with no change to controller code necessary:
    can :create, User # everyone can sign up
    can :manage, User, :id => user.id unless user.nil? # manage your own account
    cannot :index, User # prevent index action on UsersController
If you don't use load_and_authorize_resource in your controller, it will check on authorize! instead. In this case, instead of skip_authorization_check in your posted code, call authorize! :index, @post:
    authorize! :index, @post
I think the point was missed. No authorization should take place unless the object is found. If the object isn't found, then it should return an error regardless of whether authorize! has been called.
The simplest thing here is just making skip_authorization_check both a controller class method and a private instance method.
I don't understand the use case. Why not switch find_by_id to find and allow the 404?