Module: CurrentScope::Guard

Extended by:
ActiveSupport::Concern
Includes:
MutationGuard
Defined in:
lib/current_scope/guard.rb

Overview

The enforcement point. Include after Context to gate every action behind its own permission: the current controller#action IS the permission key, so new controllers are gated (fail-closed) the moment they exist.

Member actions that need record-level decisions (scoped roles, SoD) declare a private current_scope_record method returning the record. Three rules for the hook:

- it runs for EVERY gated action, collection actions included — return
nil when there is no record
- it runs BEFORE the controller's own before_actions, so it must load
the record itself (memoize so set_* callbacks reuse it)
- key off request.path_parameters, NEVER params: a query-string ?id=
must not let a scoped role on one record unlock a collection action

  def current_scope_record
    set_report if request.path_parameters[:id]
  end

Skip the gate for public endpoints with skip_before_action :current_scope_check!. MutationGuard (included here) adds the read-only-while-impersonating gate as its OWN before_action, so it runs first and survives that skip.