@@ -67,6 +67,16 @@ A Rails 8 API backend that syncs college course schedules to Google Calendar wit
6767- Audit logging with Audits1984 and Console1984
6868- Admin access via Google OAuth + access_level enum (user/admin/super_admin/owner)
6969
70+ ** Authorization System (Pundit)**
71+ - Role-based access control via User ` access_level ` : user/admin/super_admin/owner
72+ - ** user** (0): Can manage their own resources only
73+ - ** admin** (1): VIEW all resources for support, manage public data (courses/faculty), NO destructive actions
74+ - ** super_admin** (2): View AND modify all resources, perform destructive actions, access feature flags. ** Cannot delete owners**
75+ - ** owner** (3): Full access including managing other admins
76+ - Three policy categories: User-Owned (users manage their own), Public-Read (everyone reads, admins manage), Admin-Only (admins view only)
77+ - All controllers use ` authorize @resource ` to check permissions via policies in ` app/policies/ `
78+ - See ` docs/authorization.md ` for complete documentation
79+
7080### Domain Models
7181
7282** User & Authentication**
@@ -119,10 +129,11 @@ A Rails 8 API backend that syncs college course schedules to Google Calendar wit
1191292 . ** Always annotate after route changes** : Run ` bundle exec annotaterb routes ` after modifying routes
1201303 . ** Prefer background jobs** : Use ActiveJob for blocking operations (Google Calendar API calls, web scraping, etc.)
1211314 . ** Full test coverage required** : Write RSpec tests for all new code
122- 5 . ** Respect user edits** : The calendar sync intelligently detects and preserves user modifications in Google Calendar
123- 6 . ** Template validation** : Calendar preference templates are validated; invalid syntax is rejected
124- 7 . ** OAuth token encryption** : All sensitive tokens are encrypted with Lockbox
125- 8 . ** Multi-email support** : Design features to support users with multiple connected Google accounts
132+ 5 . ** Use Pundit authorization** : All controller actions must use ` authorize @resource ` to check permissions
133+ 6 . ** Respect user edits** : The calendar sync intelligently detects and preserves user modifications in Google Calendar
134+ 7 . ** Template validation** : Calendar preference templates are validated; invalid syntax is rejected
135+ 8 . ** OAuth token encryption** : All sensitive tokens are encrypted with Lockbox
136+ 9 . ** Multi-email support** : Design features to support users with multiple connected Google accounts
126137
127138## Common Development Workflows
128139
@@ -145,8 +156,17 @@ A Rails 8 API backend that syncs college course schedules to Google Calendar wit
1451563 . Add validation tests
1461574 . Update preview endpoint tests
147158
159+ ### Adding Authorization to Controllers
160+ 1 . Add ` authorize @resource ` after finding/creating records
161+ 2 . Use ` policy_scope(Model) ` to filter collections by user permissions
162+ 3 . Create corresponding policy in ` app/policies/ ` if it doesn't exist
163+ 4 . Write RSpec tests in ` spec/policies/ ` to verify permissions
164+ 5 . See ` docs/authorization.md ` for policy patterns
165+
148166### Running Tests for Specific Features
167+ - Authorization policies: ` bundle exec rspec spec/policies/ `
149168- Calendar preferences: ` bundle exec rspec spec/models/calendar_preference_spec.rb `
150169- Template rendering: ` bundle exec rspec spec/services/calendar_template_renderer_spec.rb `
151170- Preference resolution: ` bundle exec rspec spec/services/preference_resolver_spec.rb `
152171- Google Calendar sync: ` bundle exec rspec spec/services/google_calendar_service_spec.rb `
172+ - always make and follow pundit policies
0 commit comments