Here is what I have learned/deduced:
- `Guardian` is indeed the thing that encapsulates “What is the user allowed to do?” (A `Guardian` instance has-a `User` instance, too.)
- Thus, the proper place for a permissions predicate is simply as a method on `Guardian` (`lib/guardian.rb`).
  - If the method is a “Can the user do Z to an Xxxx object?” then it probably belongs in one of the `XxxxGuardian` mixin files (`lib/guardian/...`).
  - Otherwise, it goes into the base `Guardian` definition.
- `ApplicationController` manages a `guardian` attribute reflecting the current request/client, and provides it to serializers as their `scope`, so the current `Guardian` is available when needed (except when it isn’t[1]).
- There are places where a ready-made `Guardian` is not available, typically in a backend task run by the system, but if you have a handle on an “acting user” (e.g., the recipient user, when generating an email notification), you can create an appropriate guardian on the fly: `Guardian.new(the_user)`.
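To make the pattern described above concrete, here is an added, self-contained Ruby sketch (not Discourse's own code, and not from the post's author) of a Guardian-style object: a base class holding the user and generic checks, a per-model mixin for "Can the user do Z to a Post?" predicates, a serializer that receives the guardian as its `scope`, and a background-task helper that builds a guardian on the fly with `Guardian.new(recipient)`. The `User`/`Post` structs, the `PostGuardian` module, `PostSerializer` and `notification_payload_for` are all constructed for this illustration and are assumptions, not real Discourse identifiers.

```ruby
# Added illustration of the Guardian pattern; not Discourse's actual implementation.

# Constructed stand-ins for the application's user and post models (assumption).
User = Struct.new(:id, :admin, :moderator, keyword_init: true)
Post = Struct.new(:id, :user_id, :deleted, keyword_init: true)

# Mixin holding post-specific predicates, in the spirit of a lib/guardian/xxxx_guardian.rb file.
# Each predicate answers "Can this guardian's user do Z to this post?" and fails closed.
module PostGuardian
  def can_edit_post?(post)
    return false if post.nil? || post.deleted
    return true if is_staff?
    is_my_own?(post)
  end

  def can_delete_post?(post)
    return false if post.nil? || post.deleted
    is_staff?
  end
end

# Base definition: wraps a user (nil = anonymous) and holds the generic checks
# that the per-model mixins build on.
class Guardian
  include PostGuardian

  attr_reader :user

  def initialize(user = nil)
    @user = user
  end

  def anonymous?
    @user.nil?
  end

  def is_admin?
    !anonymous? && @user.admin == true
  end

  def is_moderator?
    !anonymous? && @user.moderator == true
  end

  def is_staff?
    is_admin? || is_moderator?
  end

  # Ownership check shared by the mixins; anonymous users never own anything.
  def is_my_own?(obj)
    !anonymous? && obj.respond_to?(:user_id) && obj.user_id == @user.id
  end
end

# A serializer that is handed the current guardian as its scope, as a controller would do,
# so the permission bits it emits are computed by Guardian rather than re-implemented here.
class PostSerializer
  def initialize(post, scope:)
    @post = post
    @scope = scope
  end

  def as_json
    {
      id: @post.id,
      can_edit: @scope.can_edit_post?(@post),
      can_delete: @scope.can_delete_post?(@post)
    }
  end
end

# A system-run task with no request context: build a guardian for the acting user
# (here, the notification recipient) on the fly instead of reaching for a request-bound one.
def notification_payload_for(recipient, post)
  guardian = Guardian.new(recipient)
  PostSerializer.new(post, scope: guardian).as_json
end
```

Keeping every predicate on the guardian (and having serializers ask the scope rather than re-deriving permissions) means a single change to `PostGuardian` is reflected everywhere the post is rendered, including the email path that builds its own guardian.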