Here is what I have learned/deduced:
- `Guardian` is indeed the thing that encapsulates "What is the user allowed to do?" (A `Guardian` instance has-a `User` instance, too.)
  - Thus, the proper place for a permissions predicate is simply as a method on `Guardian` (`lib/guardian.rb`).
    - If the method is a "Can the user do Z to an Xxxx object?" then it probably belongs in one of the `XxxxGuardian` mixin files (`lib/guardian/...`).
    - Otherwise, it goes into the base `Guardian` definition.
- `ApplicationController` manages a `guardian` attribute reflecting the current request/client, and provides it to serializers as their `scope`, so the current `Guardian` is available when needed (except when it isn't [1]).
  - There are places where a ready-made `Guardian` is not available, typically in a backend task run by the system, but if you have a handle on an "acting user" (e.g., the recipient user, when generating an email notification), you can create an appropriate guardian on the fly: `Guardian.new(the_user)`.
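To make the layout above concrete, here is a stripped-down sketch of the pattern as an added example; it is not Discourse's own code, and the `PostGuardian`, `can_edit_post?`, `PostSerializer` and `serialize_for_recipient` names, plus the nil-user-means-anonymous convention, are assumptions for illustration.

```ruby
# Added illustration of the Guardian layout, not Discourse's own code.
# Minimal stand-ins for the models a guardian reasons about (constructed).
User = Struct.new(:id, :admin, keyword_init: true)
Post = Struct.new(:id, :user_id, :deleted, keyword_init: true)

# Plays the role of lib/guardian/xxxx_guardian.rb:
# "Can the user do Z to a Post?" predicates live in a per-model mixin.
module PostGuardian
  def can_edit_post?(post)
    return false if post.nil? || post.deleted
    is_admin? || post.user_id == @user&.id
  end
end

# Plays the role of lib/guardian.rb: the base definition has-a user and
# pulls in the per-model mixins. Generic predicates stay here.
class Guardian
  include PostGuardian

  def initialize(user = nil)
    @user = user # nil stands in for an anonymous request (assumption)
  end

  def is_admin?
    !!@user&.admin
  end

  def authenticated?
    !@user.nil?
  end
end

# A serializer never checks permissions itself; it asks the guardian it
# receives as its scope (what ApplicationController hands it per request).
class PostSerializer
  def initialize(post, scope:)
    @post = post
    @scope = scope
  end

  def as_json
    { id: @post.id, can_edit: @scope.can_edit_post?(@post) }
  end
end

# Backend task with no request context: build a guardian for the acting
# user (e.g. the notification recipient) instead of reusing a request one.
def serialize_for_recipient(post, recipient)
  PostSerializer.new(post, scope: Guardian.new(recipient)).as_json
end
```

Keeping the predicate on the guardian means the same rule answers both the request path (via `scope`) and the background path (via `Guardian.new(recipient)`), so a permission change happens in one place.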