I have a plugin that adds a model, server, which has a user_id field. I want only the owner of the server to be able to make a POST (or maybe it should be a PUT?–the action will do a command-line rebuild of a Discourse instance on their server`; I’m not sure which would be best practice.)
In config/routes.rb is this:
post “/upgrade/:id” => “servers#queue_upgrade”, constraints: PfaffmanagerConstraint.new
Is it recommended to have matches? in pfaffmanager_constraint.rb check the path_parameters[:action] and enforce the permission there or to do it in servers_controller.rb?
Also, I think that what I should really do is move this route under namespace :user, so perhaps after I figure that out this problem will get solved as part of that, but this almost works, and I’d like to move to having other people try this code.
I think you need a guardian method to check if a user is allowed to perform a given action. for e.g. can_upgrade_server?
Also, once you do that, you can use guardian.ensure_can_upgrade_server! method which checks the condition and raises an exception which I think is exactly what you want.