My application uses Devise for authentication, CanCanCan for authorization, and RailsAdmin for admin. Currently there are users who are considered "admins" and they can access anything in the application, and there are a couple other types of users who are basically flavors of admins with slightly fewer privileges, all defined in the Ability.rb file.
However, now I need to implement company-level permissions for users. Right now admins have access to any company in the application. Going forward, I need to add the ability for an owner of a company to add/invite a user to their company and give them certain permissions. That user can also potentially belong to other companies in the application with different permissions.
Is this something CanCanCan "can" do? Or is this a job for Pundit? Something else entirely?
All of the tutorials and documentation I see online for CCC and Pundit involve application-wide permissions. But I need more granular control.
For example, my application has hundreds of companies. Each company has a user who is an "owner" and they log in each day to look at their earnings information. That owner/user wants to invite Joe Smith to the application so they can also look at the data and make changes. But they don't want Joe Smith to be able to see certain types of data. So we restrict Joe Smith's access to certain data for that company.
This is separate entirely from what I currently use CanCanCan for, which is to set access rights for admins so an admin user can see ANY company's information and make changes globally.
I am curious to know if anyone has encountered this issue before and what they may have used to solve it. I greatly appreciate any advice/wisdom!
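As an added illustration (not code from the question, and not the API of either gem), here is one way the company-scoped side could be modelled as a Pundit-style policy. Pundit policies are ordinary Ruby classes with predicate methods and a scope, so this runs as plain Ruby without Rails or the pundit gem. The `User`, `Company` and `Membership` structs, the `MembershipStore`, and the permission names are assumptions standing in for the ActiveRecord models and a memberships join table; the application-wide admin role is kept as a bypass so it can continue to live in the existing CanCanCan `Ability`.

```ruby
# Added example, not the question's code: company-scoped authorization as a
# Pundit-style policy. Models below are plain structs standing in for the
# assumed ActiveRecord classes User, Company and Membership (a user <-> company
# join row carrying a role and the list of permissions granted on invite).

User = Struct.new(:id, :admin, keyword_init: true) do
  def admin?
    admin == true
  end
end
Company    = Struct.new(:id, :name, keyword_init: true)
Membership = Struct.new(:user_id, :company_id, :role, :permissions, keyword_init: true)

# Permissions an owner can grant when inviting someone (assumed names).
PERMISSIONS = %i[view_earnings edit_data view_payroll].freeze

# In-memory stand-in for the memberships table.
class MembershipStore
  def initialize(memberships)
    @memberships = memberships
  end

  # The single row linking this user to this company, or nil if not a member.
  def for(user, company)
    @memberships.find { |m| m.user_id == user.id && m.company_id == company.id }
  end

  def company_ids_for(user)
    @memberships.select { |m| m.user_id == user.id }.map(&:company_id)
  end
end

# One policy object per (user, company) pair, as Pundit does it. Global admins
# (the existing application-wide role) bypass membership checks; everyone else
# is judged solely by their Membership row for *this* company, so the same user
# can be an owner of one company and a restricted member of another.
# Non-members get nothing: deny is the default.
class CompanyPolicy
  # Companies this user may list at all (Pundit's Scope idea).
  def self.scope(user, companies, store:)
    return companies if user.admin?
    ids = store.company_ids_for(user)
    companies.select { |c| ids.include?(c.id) }
  end

  def initialize(user, company, store:)
    @user = user
    @membership = store.for(user, company)
  end

  def show?
    @user.admin? || !@membership.nil?
  end

  def view_earnings?
    allowed?(:view_earnings)
  end

  def edit?
    allowed?(:edit_data)
  end

  def view_payroll?
    allowed?(:view_payroll)
  end

  # Inviting/removing members is reserved for owners and global admins.
  def manage_members?
    @user.admin? || owner?
  end

  private

  def owner?
    !@membership.nil? && @membership.role == :owner
  end

  def allowed?(perm)
    raise ArgumentError, "unknown permission #{perm}" unless PERMISSIONS.include?(perm)
    return true if @user.admin? || owner?   # owners hold every permission
    return false if @membership.nil?         # not a member of this company
    @membership.permissions.include?(perm)   # invited user: only what was granted
  end
end

# Constructed sample data (not real records).
ACME      = Company.new(id: 1, name: "Acme")
GLOBEX    = Company.new(id: 2, name: "Globex")
COMPANIES = [ACME, GLOBEX].freeze
OWNER = User.new(id: 10, admin: false)   # owns Acme
JOE   = User.new(id: 11, admin: false)   # invited to Acme, owns Globex
ADMIN = User.new(id: 99, admin: true)    # application-wide admin

STORE = MembershipStore.new([
  Membership.new(user_id: 10, company_id: 1, role: :owner,  permissions: []),
  Membership.new(user_id: 11, company_id: 1, role: :member, permissions: %i[view_earnings]),
  Membership.new(user_id: 11, company_id: 2, role: :owner,  permissions: []),
])

if __FILE__ == $PROGRAM_NAME
  joe_at_acme = CompanyPolicy.new(JOE, ACME, store: STORE)
  puts "Joe sees Acme earnings: #{joe_at_acme.view_earnings?}"                                        # true
  puts "Joe sees Acme payroll:  #{joe_at_acme.view_payroll?}"                                         # false
  puts "Joe manages Globex:     #{CompanyPolicy.new(JOE, GLOBEX, store: STORE).manage_members?}"      # true
  puts "Owner sees Globex:      #{CompanyPolicy.new(OWNER, GLOBEX, store: STORE).show?}"              # false
  puts "Owner's companies:      #{CompanyPolicy.scope(OWNER, COMPANIES, store: STORE).map(&:name)}"   # ["Acme"]
end
```

The point of keying the policy on the company taken from the request (the `:company_id` in the URL) rather than on the user alone is that every check is forced through the membership row for that one company, so a user who is an owner elsewhere gets no extra rights here, and an unknown company simply yields `nil` and a denial. The same `MembershipStore#for` lookup could equally be called from a CanCanCan `can ... do |company| ... end` block if you prefer to keep one authorization layer.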