how can i authorize all controllers and actions

[mices]

My app is in house inventory management system for cd's, dvd's, vhs, cassettes, etc... Right now there's no users, only an admin, me, who has unrestricted access when logged in Now I need to hire someone to look at images of CD's and cassettes in foreign languages (CJK) and type them into the edit form so I wanna configure that a user who has role :admin can have unrestricted access and a user who has role :editor will be able to edit the assigned records that need updating

[Burgestrand]

As usual there are many ways of doing things. What I'm suggesting here is just one suggestion of many good approaches. My most important advice is to start simple, and be prepared to change your approach as you learn more.

Roles are a great starting point. They might not be the right approach forever.

That said, a simple string column role on your user model is good enough. Make it non-null and make sure to restrict allowed values to only be admin or editor. I would advise you to expose these roles as constants so you can refer to them in the policies.

ApplicationPolicy by default disallows access. No access by default is good to prevent against future accidents, but might be cumbersome in your case if admin means all access. You should take care to write your policies so that it's difficult to accidentally grant permission to users who shouldn't have it, and so that any future changes to your roles don't risk granting incorrect permissions.

Now, assuming an admin has permissions to do anything, and that'll remain true forever(tm), and that any deviation from that would give permission to an editor then you can restructure your ApplicationPolicy around that.

class ApplicationPolicy
  def index? = admin?
  def show? = admin?
  def create? = admin?
  def update? = admin?
  def destroy? = admin?

  private

  def admin? = user.role == User::ADMIN_ROLE
  def editor? = user.role == User::EDITOR_ROLE
  def editor_or_higher? = admin? || editor?
end

What you then need to do is adjust the individual policies to grant permission to editor where they should be granted access. Your description makes it sound like being an admin? or editor? is good enough for access, and if then do just that:

def edit? = editor_or_higher?

Now, it's not uncommon that different roles also comes with additional restrictions. Perhaps editors must be the owner of the record they're trying to edit, but an admin always has access. Easiest approach is to add that:

def edit?
  case user.role
    in User::ADMIN_ROLE then true
    in User::EDITOR_ROLE then record.owned_by?(user)
  end
end

This quickly becomes cumbersome, as you need to remember the admin-case. You might want to only address the editor case:

def edit? = when_editor { record.owned_by?(user) }

private

def when_editor
  case user.role
    in User::ADMIN_ROLE then true
    in User::EDITOR_ROLE then yield
  end
end

I hope this helps pointing you in a direction.