Module: Spree::Api::V3::Admin::RoleGrantGuard

Extended by:
ActiveSupport::Concern
Included in:
AdminUsersController, InvitationsController
Defined in:
app/controllers/concerns/spree/api/v3/admin/role_grant_guard.rb

Overview

Shared guard for staff role grants (admin_users#update and invitations#create). The checks run in the order below and the first one that fails rejects the grant:

1. (opt-in) the caller can't `:create` a Spree::RoleUser — i.e. lacks
   the RoleManagement permission set;
2. it includes the literal `admin` role and the caller does not hold
   it on the current store;
3. it includes any role that activates a permission set the caller's own
   roles on the store do not (catches SuperUser-equivalent custom roles
   that the name check in step 2 misses).

API-key principals hold no roles, so under check 3 they can grant only roles that activate no permission sets.
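The following is an added example, not Spree's own code: a plain-Ruby model of the three checks above, so their ordering (and the API-key case) can be exercised offline. Every class, field, permission-set symbol and helper name in it is an assumption made for illustration; the real concern operates on Spree::Role, Spree::RoleUser and the caller's ability object.

```ruby
require 'set'

# Added example, not Spree's own code. All names below are assumptions.
Role      = Struct.new(:name, :permission_sets)           # permission_sets: Set of symbols
Principal = Struct.new(:roles, :can_create_role_user)     # roles held on the current store
Rejection = Struct.new(:check, :detail)

# Returns nil when the grant passes, otherwise a Rejection naming the first
# failing check, in the order the overview lists them.
def check_role_grant(grantor, requested, enforce_role_management: false)
  # 1. (opt-in) the grantor must be allowed to :create a Spree::RoleUser
  if enforce_role_management && !grantor.can_create_role_user
    return Rejection.new(:role_management, 'caller cannot create Spree::RoleUser')
  end

  # 2. the literal "admin" role needs "admin" held by the grantor on this store
  if requested.any? { |r| r.name == 'admin' } && grantor.roles.none? { |r| r.name == 'admin' }
    return Rejection.new(:admin_name, 'caller does not hold admin on the current store')
  end

  # 3. a granted role may not activate a permission set the grantor's roles do not
  grantor_sets = grantor.roles.map(&:permission_sets).reduce(Set.new, :|)
  requested.each do |r|
    excess = r.permission_sets - grantor_sets
    next if excess.empty?
    return Rejection.new(:permission_escalation,
                         "#{r.name} activates #{excess.to_a.sort.join(', ')} which the caller lacks")
  end

  nil
end

# Constructed sample roles; names and permission-set symbols are illustrative.
ADMIN    = Role.new('admin',       Set[:SuperUser])
OWNER    = Role.new('store_owner', Set[:SuperUser])        # custom role, admin-equivalent
SUPPORT  = Role.new('support',     Set[:OrderManagement, :CustomerManagement])
MANAGER  = Role.new('manager',     Set[:OrderManagement, :CustomerManagement, :RoleManagement])
REPORTER = Role.new('reporter',    Set.new)                # activates no permission sets

MANAGER_USER = Principal.new([MANAGER], true)
JUNIOR_USER  = Principal.new([SUPPORT], false)   # lacks the RoleManagement permission set
API_KEY      = Principal.new([], true)           # API-key principals hold no roles

if __FILE__ == $PROGRAM_NAME
  [[MANAGER_USER, [SUPPORT]], [MANAGER_USER, [ADMIN]], [MANAGER_USER, [OWNER]],
   [API_KEY, [REPORTER]], [API_KEY, [SUPPORT]]].each do |who, roles|
    result = check_role_grant(who, roles)
    puts "#{roles.map(&:name).join(',')}: #{result ? result.check : :allowed}"
  end
end
```

The escalation check compares permission sets rather than role names, which is why `store_owner` (a custom role carrying `:SuperUser`) is rejected for a manager even though its name is not `admin`, and why an API-key principal with no roles can grant only `reporter`.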