Check authorization as default#920
Conversation
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Want fixes drafted automatically? Bugbot Autofix can create code changes for findings. A team admin can enable Autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit bb6438f. Configure here.
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR tightens authorization enforcement across ApiController by enabling CanCan’s check_authorization, adds explicit authorize! calls where needed, and introduces targeted skip_authorization_check for endpoints where CanCan is not the access boundary.
Changes:
- Enforce “fail closed” authorization by adding
check_authorizationtoApiControllerand handlingCanCan::AuthorizationNotPerformed. - Add abilities for authenticated users (UserJobs + TeacherInvitations) and update controllers to call
authorize!. - Add
skip_authorization_checkto public/utility endpoints and GraphQL execution.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| spec/requests/api_controller_spec.rb | Adds coverage for actions that don’t perform CanCan authorization. |
| app/models/ability.rb | Adds authenticated abilities for reading UserJobs and reading/accepting TeacherInvitations. |
| app/controllers/graphql_controller.rb | Skips controller-level authorization enforcement for GraphQL execute. |
| app/controllers/api_controller.rb | Enables check_authorization and rescues AuthorizationNotPerformed. |
| app/controllers/api/user_jobs_controller.rb | Adds explicit authorization for index/show and refactors job lookup. |
| app/controllers/api/teacher_invitations_controller.rb | Adds CanCan authorization for invitation show/accept. |
| app/controllers/api/subscriptions_controller.rb | Skips CanCan enforcement for public subscription create endpoint. |
| app/controllers/api/projects/remixes_controller.rb | Adds explicit authorization for remix index access. |
| app/controllers/api/project_errors_controller.rb | Skips CanCan enforcement for public error intake endpoint. |
| app/controllers/api/profile_auth_check_controller.rb | Skips CanCan enforcement for token-check utility endpoint. |
| app/controllers/api/my_school_controller.rb | Adds explicit authorization when reading the user’s school. |
| app/controllers/api/lessons/batch_controller.rb | Adds authorization call for the “blank lesson_projects” path. |
| app/controllers/api/join_controller.rb | Skips CanCan enforcement for join-code flow handled elsewhere. |
| app/controllers/api/features_controller.rb | Skips CanCan enforcement for public feature discovery endpoint. |
| app/controllers/api/events_controller.rb | Skips CanCan enforcement for telemetry endpoint gated by authorize_user. |
| app/controllers/api/default_projects_controller.rb | Skips CanCan enforcement for public template endpoints. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Test coverage92.18% line coverage reported by SimpleCov. |
zetter-rpf
left a comment
There was a problem hiding this comment.
Fantastic! I feel a lot safer having this in place
Add action-scoped skip_authorization_check calls for API endpoints that are intentionally public or use a non-resource access boundary. Keep each skip limited with only: so future actions in the same controllers still need an explicit authorization decision.
Add CanCan authorization checks to API actions that read or mutate protected resources and were not already making a controller-level authorization decision. Add authenticated ability rules for user jobs and teacher invitations so those checks preserve the existing ownership and email-match boundaries.
Turn on CanCanCan check_authorization for ApiController so actions cannot silently complete without a CanCan authorization decision. Preserve existing ApiController error-handling specs with an explicit skip and add a regression spec for an unguarded action raising CanCan::AuthorizationNotPerformed.
Return a generic body when AuthorizationNotPerformed can be rendered safely, while still re-raising after a response has already been performed. Make invitation email authorization nil-safe and preserve the existing user-job 404 contract for jobs owned by another user. Add regression coverage for the generic missing-authorization response, nil invitation emails, and cross-user job lookups.
It accurately covers the new allowed and forbidden visibility cases.
b4f5bca to
cc2964e
Compare

Status
Points for consideration:
Security
check_authorizationfor API controllers so actions fail closed if they complete without an explicit CanCan authorization decision.skip_authorization_check.Performance
What's changed?
check_authorizationinApiController.skip_authorization_check only:annotations for intentionally public or non-resource API actions.CanCan::AuthorizationNotPerformed.