Refactor for authorization sanity

app/controllers/suppliers/application_controller.rb

@@ -2,23 +2,26 @@ module Suppliers
   class ApplicationController < ::ApplicationController
     before_action :setup_employee_and_supplier!
     load_and_authorize_resource
-    attr_reader :current_supplier, :employee_settings
-    helper_method :current_supplier, :employee_settings
+    attr_reader :current_supplier
+    helper_method :current_supplier
     layout 'supplier/app'
 
     rescue_from 'RestClient::Conflict' do |e|
       #binding.pry
     end
     rescue_from CanCan::AccessDenied do |exception|
-      render json: {}, status: :forbidden
+      respond_to do |format|
+        format.html { redirect_to root_path, alert: 'Action forbidden'}
+        format.json { render json: {}, status: :forbidden }
+      end
     end
 
     def setup_employee_and_supplier!
       authenticate_employee!
       find_current_supplier!
       return unless current_supplier.present?
-      @employee_settings = current_supplier.employee_settings.for_employee( current_employee )
-      @current_ability = ::Ability.new(@employee_settings)
+      current_employee.enrich_with_settings current_supplier.settings_for(current_employee)
+      @current_ability = ::Ability.new( current_employee )
     end