Module: Panda::Core::AdminAuthorization

Extended by:
ActiveSupport::Concern
Included in:
Panda::Core::Admin::BaseController
Defined in:
app/controllers/concerns/panda/core/admin_authorization.rb

Overview

Automatic permission enforcement for admin controllers.

Reads from PermissionRegistry to determine which permission is required for the current controller action, then delegates to authorize! (from Authorizable) to check the configured authorization_policy.

This concern is included in Panda::Core::Admin::BaseController so all admin controllers automatically get permission enforcement. No per-controller configuration is needed — just register permissions in the registry.

Admin users (+user.admin?+) bypass all checks via Panda::Core::Authorizable#authorize!.

Behavior for unmapped controllers/actions

  • Controller not in registry → access allowed (open by default)
  • Action not in registry → access allowed
  • Action mapped → authorize!(permission_key) is called

Example

# Register permissions (in an engine or initializer):
Panda::Core::PermissionRegistry.register(
"Panda::CMS::Admin::PagesController",
index: :edit_content, destroy: :delete_content
)

# Enforcement happens automatically via before_action