In response to some ideas from a friend, I’ve hacked up Consent, a
plugin that provides pre-filtering of incoming requests using a
It lets you specify rules that tell your app whether to accept an
incoming request, redirect or render a 403. If the request is
rejected, it never hits your controllers; Consent factors all your
access control logic into a single file that acts as an intermediary
between your routes and your controllers.
I’ve only been working on it a couple of afternoons but it’s
reasonably tested and documented to the point where it might be useful
to others and open to feedback. Let me know if you try it out, and if
any of it seems in need of improvement.
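
The pre-filtering pattern described above, sketched as a Rack-style middleware. This is an added example, not Consent's code or its rule syntax: `PreFilter`, `rule`, the `demo.*` env keys and the sample paths are all hypothetical. It assumes first-match-wins ordering and denies anything no rule covers.

```ruby
# Added illustration, not Consent's API: every name here is hypothetical.
# Rack-style pre-filter: rules run before the wrapped app (the controllers).
class PreFilter
  def initialize(app, &rules)
    @app = app
    @rules = []
    instance_eval(&rules)
  end

  # The block gets the Rack env; returns :allow, :deny or [:redirect, location].
  def rule(pattern, &check)
    @rules << [pattern, check]
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    _, check = @rules.find { |pattern, _| pattern.match?(path) }
    # Fail closed: no matching rule or an unknown verdict is a 403.
    verdict = check ? check.call(env) : :deny
    return @app.call(env) if verdict == :allow
    kind, location = verdict
    return [302, { "location" => location }, []] if kind == :redirect && location.is_a?(String)
    [403, { "content-type" => "text/plain" }, ["Forbidden"]]
  end
end

# Constructed sample app and rules (stand-ins for controllers and a rule file).
CONTROLLER_HITS = []
APP = lambda do |env|
  CONTROLLER_HITS << env["PATH_INFO"]
  [200, { "content-type" => "text/plain" }, ["ok"]]
end

FILTER = PreFilter.new(APP) do
  # Anchor patterns so "/administrator" does not match the "/admin" rule.
  rule(%r{\A/admin(/|\z)})   { |env| env["demo.role"] == "admin" ? :allow : :deny }
  rule(%r{\A/account(/|\z)}) { |env| env["demo.user"] ? :allow : [:redirect, "/login"] }
  rule(%r{\A/(login)?\z})    { |_env| :allow }
end

def request(path, extra = {})
  FILTER.call({ "PATH_INFO" => path }.merge(extra))
end
```

`CONTROLLER_HITS` records which requests reached the wrapped app, so a rejected request can be checked to have never touched it.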