module Authorization extend ActiveSupport::Concern included do before_action :ensure_can_access_account, if: -> { Current.account.present? && authenticated? } before_action :ensure_only_staff_can_access_non_production_remote_environments, if: :authenticated? end class_methods do def allow_unauthorized_access(**options) skip_before_action :ensure_can_access_account, **options end def require_access_without_a_user(**options) skip_before_action :ensure_can_access_account, **options before_action :redirect_existing_user, **options end end private def ensure_admin head :forbidden unless Current.user.admin? end def ensure_staff head :forbidden unless Current.identity.staff? end def ensure_can_access_account redirect_to session_menu_url(script_name: nil) if Current.user.blank? || !Current.user.active? end def ensure_only_staff_can_access_non_production_remote_environments head :forbidden unless Rails.env.local? || Rails.env.production? || Current.identity.staff? end def redirect_existing_user redirect_to root_path if Current.user end end