All CRUD actions in my controller are done on resources that belong to current_user, i.e. an authenticated user. E.g.
@post = current_user.posts.create(title: "My title")
@posts = current_user.posts.where(archived: false)
When I have authorization in place I can redirect and log requests that are not authorized, but besides that - are there any security benefits to implement an authorization system (e.g. pundit, cancancan etc)?
In a simplistic case like this, no.
If you wish to log unauthorized access, that can easily be accomplished by adding overriding a method or two and adding Rails.logger.warn 'got the bad guy!'.
However, consider the following:
Your user base is requesting editing a post at the same time.
They also want to set what actions someone can perform on a post.
They also want to setup teams that have many groups that have many projects that have many posts.
Based of what team, group, project you belong to, means you can edit the post.
If someone belongs to the Corporate team and belongs to the Chairmen group, they can perform any action, regardless.
At that point, the only solution is a permission system like cancancan or pundit, and for dynamic permissions, even going as far as making the permissions a DB table, looping through them all and generating the rules around permissions.
