rabarber 4.1.4 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5152a05ff663a5216b2fc2f546bf3b111f3e78a4c44c0088e72f2f73ac89464f
-  data.tar.gz: f6f24ff379055cfd5f4f7e93377a548289fd8f7b30b2f06053fd958f6ab8e5a3
+  metadata.gz: 1de40ccff8f5d39718c2c908913c5a67149eeada18598a37b51ec53e900200cc
+  data.tar.gz: d9a02594d2c2215499cd2609d57f3fa14e796d9b3df6d0176b5fa1b510cf2d72
 SHA512:
-  metadata.gz: e31e2c7fa58d42096203d1f8027acea031a720fafe21fd44b179a8c2e66818686ebd55abf2ec0d3229c93fc7e04b514a68fa20feebef25b7e11048caac4e58e7
-  data.tar.gz: 6b7143de48cc95ead0caf5256c9e3d28a54a515f4ea50cf33fc87271d5d13071782fad1926dda698e7842047f7bbed4a2cfe8254be3390af0ab1fde2608a9b30
+  metadata.gz: e7862b8b5793a4c3076b2e9c34eec91df58b79b629273b7e2fc9a6c97b74d3a42b7ac53bd85bad8ee270549c13a6d8e5d747ea6fe3472b2d72f067aafc247028
+  data.tar.gz: a9f1cbf65045fde78aeac07e6217caca037dc1f85e97065e26a07f1c52bfce46deb4e60513617df6572a0883e792dacbf70a18c0f19d14f31e97171420903cc9

data/CHANGELOG.md

@@ -1,3 +1,32 @@
+## v5.0.0
+
+### Breaking:
+
+- Dropped support for Ruby 3.1
+- Dropped support for Rails 7.0
+- Removed the `must_have_roles` configuration option and its associated behavior
+- Completely removed Audit Trail feature
+- Introduced a new `user_model_name` configuration option
+- Added `with_authorization` method for more granular authorization control
+- `Rabarber::Role.rename` and `Rabarber::Role.remove` now require the role to exist
+
+To upgrade to v5.0.0, please refer to the [migration guide](https://github.com/brownboxdev/rabarber/discussions/77)
+
+### Features:
+
+- Added migration helpers to assist with context renaming and removal
+
+### Bugs:
+
+- Fixed an error that occurred when Rabarber was used with eager loading disabled
+- Fixed an issue where authorization rules weren’t cleared on code reload when eager loading was disabled
+
+### Misc:
+
+- Optimized various parts of the code and database queries for improved performance
+- Streamlined the authorization process by requiring the user to be authenticated before access is verified
+- Rabarber now skips roles with missing instance context and prunes them automatically; missing class context still raises errors
+
 ## v4.1.4
 
 ### Misc:
@@ -86,7 +115,7 @@
 
 - Changed Rabarber roles table structure
 
-To upgrade to v3.0.0, please refer to the [migration guide](https://github.com/enjaku4/rabarber/discussions/58)
+To upgrade to v3.0.0, please refer to the [migration guide](https://github.com/brownboxdev/rabarber/discussions/58)
 
 ### Features:
 
@@ -110,7 +139,7 @@ To upgrade to v3.0.0, please refer to the [migration guide](https://github.com/e
 - Replaced `when_unauthorized` configuration option with an overridable controller method
 - Renamed `Rabarber::Role.assignees_for` method to `Rabarber::Role.assignees`
 
-To upgrade to v2.0.0, please refer to the [migration guide](https://github.com/enjaku4/rabarber/discussions/52)
+To upgrade to v2.0.0, please refer to the [migration guide](https://github.com/brownboxdev/rabarber/discussions/52)
 
 ### Features:
 
@@ -132,7 +161,7 @@ To upgrade to v2.0.0, please refer to the [migration guide](https://github.com/e
 
 - Add 'Audit trail' feature: Logging of role assignments, revocations, and unauthorized access attempts
 - Add `audit_trail_enabled` configuration option, allowing to enable or disable the audit trail
-- Deprecate `when_actions_missing` and `when_roles_missing` configuration options (see [the discussion](https://github.com/enjaku4/rabarber/discussions/48))
+- Deprecate `when_actions_missing` and `when_roles_missing` configuration options
 
 ## v1.3.1
 

data/README.md

@@ -1,15 +1,15 @@
 # Rabarber: Simplified Authorization for Rails
 
 [![Gem Version](https://badge.fury.io/rb/rabarber.svg)](http://badge.fury.io/rb/rabarber)
-[![Github Actions badge](https://github.com/enjaku4/rabarber/actions/workflows/ci.yml/badge.svg)](https://github.com/enjaku4/rabarber/actions/workflows/ci.yml)
+[![Github Actions badge](https://github.com/brownboxdev/rabarber/actions/workflows/ci.yml/badge.svg)](https://github.com/brownboxdev/rabarber/actions/workflows/ci.yml)
 
-Rabarber is a role-based authorization library for Ruby on Rails. It provides a set of tools for managing user roles and defining authorization rules, supports multi-tenancy and comes with audit logging for enhanced security.
+Rabarber is a role-based authorization library for Ruby on Rails. It provides a set of tools for managing user roles and defining authorization rules, with support for multi-tenancy and fine-grained access control.
 
 ---
 
 **Example of Usage**:
 
-Consider a CRM system where users with different roles have distinct access levels. For instance, the role `accountant` can interact with invoices but cannot access marketing information, while the role `marketer` has access to marketing-related data. Such authorization rules can be easily defined with Rabarber.
+Consider a CRM system where users with different roles have distinct access levels. For instance, the role `accountant` can interact with invoices but cannot access marketing information, while the role `marketer` has access to marketing-related data. You can define such authorization rules easily with Rabarber.
 
 ---
 
@@ -29,6 +29,7 @@ class TicketsController < ApplicationController
   end
 end
 ```
+
 This means that `admin` users can access everything in `TicketsController`, while `manager` role can access only `index` action.
 
 ## Table of Contents
@@ -36,26 +37,27 @@ This means that `admin` users can access everything in `TicketsController`, whil
 **Gem usage:**
   - [Installation](#installation)
   - [Configuration](#configuration)
-  - [Roles](#roles)
+  - [Role Assignments](#role-assignments)
+  - [Role Management](#role-management)
   - [Authorization Rules](#authorization-rules)
   - [Dynamic Authorization Rules](#dynamic-authorization-rules)
   - [Context / Multi-tenancy](#context--multi-tenancy)
   - [When Unauthorized](#when-unauthorized)
   - [Skip Authorization](#skip-authorization)
   - [View Helpers](#view-helpers)
-  - [Audit Trail](#audit-trail)
 
 **Community Resources:**
   - [Problems?](#problems)
   - [Contributing](#contributing)
   - [Code of Conduct](#code-of-conduct)
+  - [Old Versions](#old-versions)
 
 **Legal:**
   - [License](#license)
 
 ## Installation
 
-Add the Rabarber gem to your Gemfile:
+Add Rabarber to your Gemfile:
 
 ```rb
 gem "rabarber"
@@ -67,19 +69,19 @@ Install the gem:
 bundle install
 ```
 
-Next, generate a migration to create tables for storing roles in the database. Make sure to specify the table name of the model representing users in your application as an argument. For instance, if the table name is `users`, run:
+Generate a migration to create tables for storing roles. Run the generator with the table name used by the model that represents users in your application. For example, if the table is `users`, run:
 
 ```shell
 rails g rabarber:roles users
 ```
 
-Rabarber supports UUIDs as primary keys. If your application uses UUIDs, add `--uuid` option to the generator:
+Rabarber supports UUIDs as primary keys. If your application uses UUIDs, add `--uuid` option:
 
 ```shell
 rails g rabarber:roles users --uuid
 ```
 
-Finally, run the migration to apply the changes to the database:
+Finally, run the migration:
 
 ```shell
 rails db:migrate
@@ -87,34 +89,23 @@ rails db:migrate
 
 ## Configuration
 
-If specific customization is required, Rabarber can be configured by using `.configure` method in an initializer:
+If customization is required, Rabarber can be configured using `.configure` method in an initializer:
 
 ```rb
 Rabarber.configure do |config|
-  config.audit_trail_enabled = true
   config.cache_enabled = true
   config.current_user_method = :current_user
-  config.must_have_roles = false
+  config.user_model_name = "User"
 end
 ```
 
-- `audit_trail_enabled` determines whether the audit trail functionality is enabled. The audit trail is enabled by default.
 - `cache_enabled` determines whether roles are cached to avoid unnecessary database queries. Roles are cached by default. If you need to clear the cache, use `Rabarber::Cache.clear` method.
-- `current_user_method` represents the method that returns the currently authenticated user. The default value is `:current_user`.
-- `must_have_roles` determines whether a user with no roles can access endpoints permitted to everyone. The default value is `false` (allowing users without roles to access such endpoints).
-
-## Roles
+- `current_user_method` defines the method used to access the currently authenticated user. Default is `:current_user`.
+- `user_model_name` sets the name of the model representing the user in your application. Default is `"User"`.
 
-Include `Rabarber::HasRoles` module in your model representing users in your application:
-
-```rb
-class User < ApplicationRecord
-  include Rabarber::HasRoles
-  # ...
-end
-```
+## Role Assignments
 
-This adds the following methods:
+Rabarber automatically augments your user model (defined via `user_model_name` configuration) with role-related methods.
 
 **`#assign_roles(*roles, context: nil, create_new: true)`**
 
@@ -123,10 +114,13 @@ To assign roles, use:
 ```rb
 user.assign_roles(:accountant, :marketer)
 ```
-By default, it will automatically create any roles that don't exist. If you want to assign only existing roles and prevent the creation of new ones, use the method with `create_new: false` argument:
+
+By default, it will automatically create any roles that don't exist. To assign only existing roles and prevent automatic creation, pass `create_new: false`:
+
 ```rb
 user.assign_roles(:accountant, :marketer, create_new: false)
 ```
+
 The method returns an array of roles assigned to the user.
 
 **`#revoke_roles(*roles, context: nil)`**
@@ -136,7 +130,8 @@ To revoke roles, use:
 ```rb
 user.revoke_roles(:accountant, :marketer)
 ```
-If the user doesn't have the role you want to revoke, it will be ignored.
+
+Roles the user doesn’t have are ignored.
 
 The method returns an array of roles assigned to the user.
 
@@ -148,7 +143,7 @@ To check whether the user has a role, use:
 user.has_role?(:accountant, :marketer)
 ```
 
-It returns `true` if the user has at least one role and `false` otherwise.
+It returns `true` if the user has at least one of the given roles.
 
 **`#roles(context: nil)`**
 
@@ -166,9 +161,17 @@ To get all roles assigned to the user, grouped by context, use:
 user.all_roles
 ```
 
----
+**`.assignees(role_name, context: nil)`**
 
-To manipulate roles directly, you can use `Rabarber::Role` methods:
+To get all the users to whom the role is assigned, use:
+
+```rb
+Rabarber::Role.assignees(:admin)
+```
+
+## Role Management
+
+To manipulate roles directly, you can use the following methods:
 
 **`.add(role_name, context: nil)`**
 
@@ -187,9 +190,11 @@ To rename a role, use:
 ```rb
 Rabarber::Role.rename(:admin, :administrator)
 ```
-The first argument is the old name, and the second argument is the new name. This will rename the role and return `true`. If the role with a new name already exists, it will return `false`.
 
-The method won't rename the role and will return `false` if it is assigned to any user. To force the rename, use the method with `force: true` argument:
+The old role must exist. If it doesn’t, an error is raised. If a role with the new name already exists, the method returns `false` and the rename fails.
+
+The rename also fails if the role is assigned to any user. To force it, use:
+
 ```rb
 Rabarber::Role.rename(:admin, :administrator, force: true)
 ```
@@ -202,9 +207,10 @@ To remove a role, use:
 Rabarber::Role.remove(:admin)
 ```
 
-This will remove the role and return `true`. If the role doesn't exist, it will return `false`.
+The old role must exist. If it doesn’t, an error is raised. The method returns `true` if successful.
+
+If the role is assigned to any user, removal will fail. To force it, use:
 
-The method won't remove the role and will return `false` if it is assigned to any user. To force the removal, use the method with `force: true` argument:
 ```rb
 Rabarber::Role.remove(:admin, force: true)
 ```
@@ -219,31 +225,35 @@ Rabarber::Role.names
 
 **`.all_names`**
 
-If you need list all roles available in your application, grouped by context, use:
+If you need to list all roles available in your application, grouped by context, use:
 
 ```rb
 Rabarber::Role.all_names
 ```
 
-**`.assignees(role_name, context: nil)`**
-
-To get all the users to whom the role is assigned, use:
-
-```rb
-Rabarber::Role.assignees(:admin)
-```
-
 ## Authorization Rules
 
-Include `Rabarber::Authorization` module into the controller that needs authorization rules to be applied. Typically, it is `ApplicationController`, but it can be any controller of your choice.
+Include `Rabarber::Authorization` module in the controller where you want to define authorization rules. Typically, it is `ApplicationController`, but it can be any controller of your choice. Then use `.with_authorization(options = {})` method, which accepts the same options as Rails’ `before_action`, allowing you to perform authorization checks selectively.
 
 ```rb
 class ApplicationController < ActionController::Base
   include Rabarber::Authorization
+
+  with_authorization
+
+  # ...
+end
+
+class InvoicesController < ApplicationController
+  with_authorization only: [:update, :destroy]
+
   # ...
 end
 ```
-This adds `.grant_access(action: nil, roles: nil, context: nil, if: nil, unless: nil)` method which allows you to define the authorization rules.
+
+You must ensure the user is authenticated before authorization checks are performed.
+
+To define authorization rules, use `.grant_access(action: nil, roles: nil, context: nil, if: nil, unless: nil)` method.
 
 The most basic usage of the method is as follows:
 
@@ -264,6 +274,7 @@ module Crm
   end
 end
 ```
+
 This grants access to `index` action for users with `accountant` or `admin` role, and access to `destroy` action for `admin` users only.
 
 You can also define controller-wide rules (without `action` argument):
@@ -293,9 +304,10 @@ module Crm
   end
 end
 ```
-This means that `admin` and `manager` have access to all the actions inside `Crm::BaseController` and its children, while `accountant` role has access only to the actions in `Crm::InvoicesController` and its possible children. Users with `marketer` role can only see the dashboard in this example.
 
-Roles can also be omitted:
+In this example, `admin` and `manager` have access to all actions in `Crm::BaseController` and its descendants, while `accountant` role has access only to the actions in `Crm::InvoicesController`. Users with `marketer` role can only see the dashboard.
+
+You can also omit roles to allow unrestricted access:
 
 ```rb
 class OrdersController < ApplicationController
@@ -311,11 +323,10 @@ class InvoicesController < ApplicationController
 end
 ```
 
-This allows everyone to access `OrdersController` and its children and also `index` action in `InvoicesController`.
+This allows everyone to access `OrdersController` and its descendants as well as `index` action in `InvoicesController`.
 
-If you've set `must_have_roles` setting to `true`, then only the users with at least one role can gain access. This setting can be useful if your requirements are such that users without roles are not allowed to access anything.
+Rules defined in descendant classes don't override ancestor rules but rather add to them:
 
-Also keep in mind that rules defined in child classes don't override parent rules but rather add to them:
 ```rb
 module Crm
   class BaseController < ApplicationController
@@ -331,9 +342,11 @@ module Crm
   end
 end
 ```
+
 This means that `Crm::InvoicesController` is still accessible to `admin` but is also accessible to `accountant`.
 
-This applies as well to multiple rules defined for the same controller or action:
+This also applies when defining multiple rules for the same controller or action:
+
 ```rb
 module Crm
   class OrdersController < ApplicationController
@@ -348,11 +361,12 @@ module Crm
   end
 end
 ```
+
 This will add rules for `manager` and `admin` roles for all actions in `Crm::OrdersController`, and for `client` and `accountant` roles for the `show` action.
 
 ## Dynamic Authorization Rules
 
-For more complex cases, Rabarber provides dynamic rules:
+For more complex scenarios, Rabarber supports dynamic authorization rules:
 
 ```rb
 module Crm
@@ -394,9 +408,11 @@ module Crm
   end
 end
 ```
-You can pass a dynamic rule as `if` or `unless` argument. It can be a symbol, in which case the method with that name will be called, or alternatively it can be a proc that will be executed within the context of the controller instance at request time.
+
+You can pass a dynamic rule as `if` or `unless` argument. You can pass a symbol (method name) or a proc. Symbols refer to instance methods, and procs are evaluated in the controller at request time.
 
 You can use only dynamic rules without specifying roles if that suits your needs:
+
 ```rb
 class InvoicesController < ApplicationController
   grant_access action: :index, if: -> { current_user.company == Company.find(params[:company_id]) }
@@ -405,7 +421,9 @@ class InvoicesController < ApplicationController
   end
 end
 ```
-This basically allows you to use Rabarber as a policy-based authorization library by calling your own custom policy within a dynamic rule:
+
+This allows you to use Rabarber as a policy-based authorization library by calling your own custom policy within a dynamic rule:
+
 ```rb
 class InvoicesController < ApplicationController
   grant_access action: :index, if: -> { InvoicesPolicy.new(current_user).can_access?(:index) }
@@ -417,9 +435,9 @@ end
 
 ## Context / Multi-tenancy
 
-Rabarber supports multi-tenancy by providing a context feature. This allows you to define and authorize roles and rules within a specific context.
+Rabarber supports multi-tenancy through its context feature. This allows you to define and authorize roles and rules within a specific context.
 
-Every Rabarber method can accept a context as an additional keyword argument. By default, the context is set to `nil`, meaning the roles are global. Thus, all examples from other sections of this README are valid for global roles. Apart from being global, the context can be an instance of ActiveRecord model or a class.
+Every Rabarber method can accept a context as an additional keyword argument. By default, the context is set to `nil`, meaning the roles are global. Thus, all examples from other sections of this README are valid for global roles. Besides being global, context can also be an instance of an `ActiveRecord` model or a class.
 
 E.g., consider a model named `Project`, where each project has its owner and regular members. Roles can be defined like this:
 
@@ -428,7 +446,7 @@ user.assign_roles(:owner, context: project)
 another_user.assign_roles(:member, context: project)
 ```
 
-Then the roles can be verified:
+You can then check roles like this:
 
 ```rb
 user.has_role?(:owner, context: project)
@@ -441,7 +459,7 @@ A role can also be added using a class as a context, e.g., for project admins wh
 user.assign_roles(:admin, context: Project)
 ```
 
-And then it can also be verified:
+And to check it:
 
 ```rb
 user.has_role?(:admin, context: Project)
@@ -471,7 +489,7 @@ class ProjectsController < ApplicationController
 end
 ```
 
-It's important to note that role names are not unique globally but are unique within the scope of their context. E.g., `user.assign_roles(:admin, context: Project)` and `user.assign_roles(:admin)` assign different roles to the user. The same as `Rabarber::Role.add(:admin, context: Project)` and `Rabarber::Role.add(:admin)` create different roles.
+Role names are scoped by context, i.e. `admin` in a project is different from a global `admin`, or from an `admin` in another project.
 
 If you want to see all the roles assigned to a user within a specific context, you can use:
 
@@ -485,16 +503,29 @@ Or if you want to get all the roles available in a specific context, you can use
 Rabarber::Role.names(context: Project)
 ```
 
+If a context object (e.g., a project) is deleted, any roles tied to it automatically become irrelevant and are no longer returned by role queries. Rabarber treats them as orphaned and ignores them.
+
+However, if a context class is renamed (e.g., `Project` becomes `Campaign`), an exception will be raised the next time Rabarber attempts to load roles for that class. This is to ensure you explicitly handle the migration, either by migrating existing roles to the new context or by cleaning up old data.
+
+To help with such scenarios, Rabarber provides two helper methods that can be called in migrations:
+
+- `migrate_authorization_context!(old_context, new_context)` - renames a context
+- `delete_authorization_context!(context)` – removes roles tied to a deleted context
+
+These are irreversible data migrations.
+
 ## When Unauthorized
 
-By default, in the event of an unauthorized attempt, Rabarber redirects the user back if the request format is HTML (with fallback to the root path), and returns a 401 (Unauthorized) status code otherwise.
+By default, Rabarber redirects back on unauthorized access if the request format is HTML (falling back to the root path), and returns a 401 Unauthorized for other formats.
 
-This behavior can be customized by overriding private `when_unauthorized` method:
+You can customize this behavior by overriding the private `when_unauthorized` method:
 
 ```rb
 class ApplicationController < ActionController::Base
   include Rabarber::Authorization
 
+  with_authorization
+
   # ...
 
   private
@@ -518,11 +549,11 @@ class TicketsController < ApplicationController
 end
 ```
 
-This method accepts the same options as `skip_before_action` method in Rails.
+This method accepts the same options as Rails’ `skip_before_action`.
 
 ## View Helpers
 
-Rabarber also provides a couple of helpers that can be used in views: `visible_to(*roles, context: nil, &block)` and `hidden_from(*roles, context: nil, &block)`. To use them, simply include `Rabarber::Helpers` in the desired helper. Usually it is `ApplicationHelper`, but it can be any helper of your choice.
+Rabarber provides two helpers for use in views: `visible_to(*roles, context: nil, &block)` and `hidden_from(*roles, context: nil, &block)`. To enable them, include `Rabarber::Helpers` in your helper module, typically `ApplicationHelper`.
 
 ```rb
 module ApplicationHelper
@@ -545,16 +576,6 @@ The usage is straightforward:
 <% end %>
 ```
 
-## Audit Trail
-
-Rabarber supports audit trail, which provides a record of user access control activity. This feature logs the following events:
-
-- Role assignments to users
-- Role revocations from users
-- Unauthorized access attempts
-
-The logs are written to the file `log/rabarber_audit.log` unless the `audit_trail_enabled` configuration option is set to `false`.
-
 ## Problems?
 
 Facing a problem or want to suggest an enhancement?
@@ -568,12 +589,19 @@ Encountered a bug?
 
 ## Contributing
 
-Before creating an issue or a pull request, please read the [contributing guidelines](https://github.com/enjaku4/rabarber/blob/main/CONTRIBUTING.md).
+Before creating an issue or a pull request, please read the [contributing guidelines](https://github.com/brownboxdev/rabarber/blob/main/CONTRIBUTING.md).
 
 ## Code of Conduct
 
-Everyone interacting in the Rabarber project is expected to follow the [code of conduct](https://github.com/enjaku4/rabarber/blob/main/CODE_OF_CONDUCT.md).
+Everyone interacting in the Rabarber project is expected to follow the [code of conduct](https://github.com/brownboxdev/rabarber/blob/main/CODE_OF_CONDUCT.md).
+
+## Old Versions
+
+Only the latest major version is supported. Older versions are obsolete and not maintained, but their READMEs are available here for reference:
+
+[v4.x.x](https://github.com/brownboxdev/rabarber/blob/9353e70281971154d5acd70693620197a132c543/README.md) | [v3.x.x](https://github.com/brownboxdev/rabarber/blob/3bb273de7e342004abc7ef07fa4d0a9a3ce3e249/README.md)
+ | [v2.x.x](https://github.com/brownboxdev/rabarber/blob/875b357ea949404ddc3645ad66eddea7ed4e2ee4/README.md) | [v1.x.x](https://github.com/brownboxdev/rabarber/blob/b81428429404e197d70317b763e7b2a21e02c296/README.md)
 
 ## License
 
-The gem is available as open source under the terms of the [MIT License](https://github.com/enjaku4/rabarber/blob/main/LICENSE.txt).
+The gem is available as open source under the terms of the [MIT License](https://github.com/brownboxdev/rabarber/blob/main/LICENSE.txt).

data/lib/rabarber/configuration.rb

@@ -6,27 +6,30 @@ module Rabarber
   class Configuration
     include Singleton
 
-    attr_reader :audit_trail_enabled, :cache_enabled, :current_user_method, :must_have_roles
+    attr_reader :cache_enabled, :current_user_method
+    attr_accessor :user_model_name
 
     def initialize
-      @audit_trail_enabled = true
       @cache_enabled = true
       @current_user_method = :current_user
-      @must_have_roles = false
+      @user_model_name = "User"
     end
 
-    [:audit_trail_enabled, :cache_enabled, :must_have_roles].each do |method_name|
-      define_method(:"#{method_name}=") do |value|
-        instance_variable_set(:"@#{method_name}", Rabarber::Input::Types::Boolean.new(
-          value, Rabarber::ConfigurationError, "Configuration '#{method_name}' must be a Boolean"
-        ).process)
-        ActiveSupport::Deprecation.new("5.0.0", "rabarber").warn("Rabarber’s ‘must_have_roles’ configuration option is deprecated and will be removed in the next major version!") if method_name == :must_have_roles
-      end
+    def cache_enabled=(value)
+      @cache_enabled = Rabarber::Input::Types::Boolean.new(
+        value, Rabarber::ConfigurationError, "Configuration `cache_enabled` must be a Boolean"
+      ).process
     end
 
     def current_user_method=(method_name)
       @current_user_method = Rabarber::Input::Types::Symbol.new(
-        method_name, Rabarber::ConfigurationError, "Configuration 'current_user_method' must be a Symbol or a String"
+        method_name, Rabarber::ConfigurationError, "Configuration `current_user_method` must be a Symbol or a String"
+      ).process
+    end
+
+    def user_model
+      Rabarber::Input::ArModel.new(
+        @user_model_name, Rabarber::ConfigurationError, "Configuration `user_model_name` must be an ActiveRecord model name"
       ).process
     end
   end

data/lib/rabarber/controllers/concerns/authorization.rb

@@ -5,11 +5,17 @@ module Rabarber
     extend ActiveSupport::Concern
     include Rabarber::Core::Roleable
 
-    included { before_action :verify_access }
-
     class_methods do
+      def with_authorization(options = {})
+        before_action :with_authorization, **options
+      rescue ArgumentError => e
+        raise Rabarber::Error, e.message
+      end
+
       def skip_authorization(options = {})
-        skip_before_action :verify_access, **options
+        skip_before_action :with_authorization, **options
+      rescue ArgumentError => e
+        raise Rabarber::Error, e.message
       end
 
       def grant_access(action: nil, roles: nil, context: nil, if: nil, unless: nil)
@@ -26,15 +32,9 @@ module Rabarber
 
     private
 
-    def verify_access
-      Rabarber::Core::PermissionsIntegrityChecker.new(self.class).run! unless Rails.configuration.eager_load
-
+    def with_authorization
       return if Rabarber::Core::Permissions.access_granted?(roleable, action_name.to_sym, self)
 
-      Rabarber::Audit::Events::UnauthorizedAttempt.trigger(
-        roleable, path: request.path, request_method: request.request_method
-      )
-
       when_unauthorized
     end
 

data/lib/rabarber/core/integrity_checker.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Rabarber
+  module Core
+    module IntegrityChecker
+      extend self
+
+      def run!
+        check_for_missing_class_context
+        prune_missing_instance_context
+      end
+
+      private
+
+      def check_for_missing_class_context
+        Rabarber::Role.where.not(context_type: nil).distinct.pluck(:context_type).each do |context_class|
+          context_class.constantize
+        rescue NameError => e
+          raise Rabarber::Error, "Context not found: class #{e.name} may have been renamed or deleted"
+        end
+      end
+
+      def prune_missing_instance_context
+        ids = Rabarber::Role.where.not(context_id: nil).includes(:context).filter_map do |role|
+          role.context
+          nil
+        rescue ActiveRecord::RecordNotFound
+          role.id
+        end
+
+        return if ids.empty?
+
+        ActiveRecord::Base.transaction do
+          ActiveRecord::Base.connection.execute(
+            ActiveRecord::Base.sanitize_sql(
+              ["DELETE FROM rabarber_roles_roleables WHERE role_id IN (?)", ids]
+            )
+          )
+          Rabarber::Role.where(id: ids).delete_all
+        end
+      end
+    end
+  end
+end

data/lib/rabarber/core/permissions.rb

@@ -32,6 +32,11 @@ module Rabarber
         def action_rules
           instance.storage[:action_rules]
         end
+
+        def reset!
+          instance.storage[:controller_rules].clear
+          instance.storage[:action_rules].clear
+        end
       end
     end
   end