<p>In theory, this is a fair exemplar of what the controllers will change to, and subsequent controllers can be adapted following this pattern.</p>
<p>For some of the controllers, there will be more work to do, <em>depending</em> on how you want to adjust to this reality:  CanCanCan will not tell you <em>why</em> you have failed authorization, only that you have.  It's inherent in the default-deny style.  Currently before filters are taking away access to something, and they can report <em>why</em> they are taking away the access.  Default-deny can't do that, because instead of taking away access for a reason, you never had it in the first place.</p>
<p><code>DiaryEntriesController</code> addresses this by overriding the <code>deny_access</code> handler and essentially replicating the knowledge that <code>hide</code> and <code>hidecomment</code> <em>require</em> an adminstrator role.  Something simliar would have to be done for missing capabilies, checking against the <code>granted_capabilities</code> helper to attempt to produce a nicer denial message.  Note that this is only necessary if you want to provide <em>specific reasons</em> for access refusal.</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/openstreetmap/openstreetmap-website/pull/1904#issuecomment-397917654">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/ABWnLQHdm1Ha89DlNx-lyO9NyxuhJ-Ijks5t9vb3gaJpZM4Uq7L9">mute the thread</a>.<img src="https://github.com/notifications/beacon/ABWnLeBEzl3VkmEH9-OENbzyFKkupHe_ks5t9vb3gaJpZM4Uq7L9.gif" height="1" width="1" alt="" /></p>
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","potentialAction":{"@type":"ViewAction","target":"https://github.com/openstreetmap/openstreetmap-website/pull/1904#issuecomment-397917654","url":"https://github.com/openstreetmap/openstreetmap-website/pull/1904#issuecomment-397917654","name":"View Pull Request"},"description":"View this Pull Request on GitHub","publisher":{"@type":"Organization","name":"GitHub","url":"https://github.com"}}</script>
<script type="application/json" data-scope="inboxmarkup">{"api_version":"1.0","publisher":{"api_key":"05dde50f1d1a384dd78767c55493e4bb","name":"GitHub"},"entity":{"external_key":"github/openstreetmap/openstreetmap-website","title":"openstreetmap/openstreetmap-website","subtitle":"GitHub repository","main_image_url":"https://assets-cdn.github.com/images/email/message_cards/header.png","avatar_image_url":"https://assets-cdn.github.com/images/email/message_cards/avatar.png","action":{"name":"Open in GitHub","url":"https://github.com/openstreetmap/openstreetmap-website"}},"updates":{"snippets":[{"icon":"PERSON","message":"@cflipse in #1904: In theory, this is a fair exemplar of what the controllers will change to, and subsequent controllers can be adapted following this pattern.\r\n\r\nFor some of the controllers, there will be more work to do, _depending_ on how you want to adjust to this reality:  CanCanCan will not tell you _why_ you have failed authorization, only that you have.  It's inherent in the default-deny style.  Currently before filters are taking away access to something, and they can report _why_ they are taking away the access.  Default-deny can't do that, because instead of taking away access for a reason, you never had it in the first place.\r\n\r\n`DiaryEntriesController` addresses this by overriding the `deny_access` handler and essentially replicating the knowledge that `hide` and `hidecomment` _require_ an adminstrator role.  Something simliar would have to be done for missing capabilies, checking against the `granted_capabilities` helper to attempt to produce a nicer denial message.  Note that this is only necessary if you want to provide _specific reasons_ for access refusal.  "}],"action":{"name":"View Pull Request","url":"https://github.com/openstreetmap/openstreetmap-website/pull/1904#issuecomment-397917654"}}}</script>
<script type="application/ld+json">{
"@type": "MessageCard",
"@context": "http://schema.org/extensions",
"hideOriginalBody": "false",
"originator": "AF6C5A86-E920-430C-9C59-A73278B5EFEB",
"title": "Re: [openstreetmap/openstreetmap-website] Initial cut at authorization patterns (#1904)",
"sections": [
{
"text": "",
"activityTitle": "**Chris Flipse**",
"activityImage": "https://assets-cdn.github.com/images/email/message_cards/avatar.png",
"activitySubtitle": "@cflipse",
"facts": [

]
}
],
"potentialAction": [
{
"name": "Add a comment",
"@type": "ActionCard",
"inputs": [
{
"isMultiLine": true,
"@type": "TextInput",
"id": "IssueComment",
"isRequired": false
}
],
"actions": [
{
"name": "Comment",
"@type": "HttpPOST",
"target": "https://api.github.com",
"body": "{\n\"commandName\": \"IssueComment\",\n\"repositoryFullName\": \"openstreetmap/openstreetmap-website\",\n\"issueId\": 1904,\n\"IssueComment\": \"{{IssueComment.value}}\"\n}"
}
]
},
{
"name": "Close pull request",
"@type": "HttpPOST",
"target": "https://api.github.com",
"body": "{\n\"commandName\": \"PullRequestClose\",\n\"repositoryFullName\": \"openstreetmap/openstreetmap-website\",\n\"pullRequestId\": 1904\n}"
},
{
"targets": [
{
"os": "default",
"uri": "https://github.com/openstreetmap/openstreetmap-website/pull/1904#issuecomment-397917654"
}
],
"@type": "OpenUri",
"name": "View on GitHub"
},
{
"name": "Unsubscribe",
"@type": "HttpPOST",
"target": "https://api.github.com",
"body": "{\n\"commandName\": \"MuteNotification\",\n\"threadId\": 346796797\n}"
}
],
"themeColor": "26292E"
}</script>