Module: CurrentScope::Guard
Overview
The enforcement point. Include after Context to gate every action behind its own permission: the current controller#action IS the permission key, so new controllers are gated (fail-closed) the moment they exist.
Member actions that need record-level decisions (scoped roles, SoD) declare a private current_scope_record method returning the record. Three rules for the hook:
- it runs for EVERY gated action, collection actions included — return
nil when there is no record
- it runs BEFORE the controller's own before_actions, so it must load
the record itself (memoize so set_* callbacks reuse it)
- key off request.path_parameters, NEVER params: a query-string ?id=
must not let a scoped role on one record unlock a collection action
def current_scope_record
set_report if request.path_parameters[:id]
end
Skip the gate for public endpoints with skip_before_action :current_scope_check!. MutationGuard (included here) adds the read-only-while-impersonating gate as its OWN before_action, so it runs first and survives that skip.