nativeapptemplate · dadachi · Mar 14, 2026 · Mar 14, 2026 · Mar 14, 2026
diff --git a/app/controllers/api/v1/shopkeeper/account/passwords_controller.rb b/app/controllers/api/v1/shopkeeper/account/passwords_controller.rb
@@ -1,7 +1,7 @@
 class Api::V1::Shopkeeper::Account::PasswordsController < Api::V1::Shopkeeper::BaseController
-  skip_after_action :verify_authorized
-
   def update
+    authorize :password
+
     if current_shopkeeper.update_with_password(password_params)
       render json: {status: 200}, status: :ok
     else

diff --git a/app/controllers/api/v1/shopkeeper/accounts/accounts_invitations_controller.rb b/app/controllers/api/v1/shopkeeper/accounts/accounts_invitations_controller.rb
@@ -1,21 +1,25 @@
 class Api::V1::Shopkeeper::Accounts::AccountsInvitationsController < Api::V1::Shopkeeper::BaseController
   before_action :set_account
-  before_action :require_account_admin, except: %i[index show]
   before_action :set_accounts_invitation, only: %i[show update destroy resend]
-  skip_after_action :verify_authorized
 
   def index
+    authorize AccountsInvitation
+
     @accounts_invitations = @account.accounts_invitations.order(name: :asc)
     render json: AccountsInvitationSerializer.new(@accounts_invitations).serializable_hash
   end
 
   def show
+    authorize @accounts_invitation
+
     options = {}
     options[:include] = [:account, :invited_by]
     render json: AccountsInvitationSerializer.new(@accounts_invitation, options).serializable_hash
   end
 
   def create
+    authorize AccountsInvitation
+
     accounts_invitation = @account.accounts_invitations.build(invitation_params_create)
 
     if accounts_invitation.save_and_send_invite
@@ -26,6 +30,8 @@ def create
   end
 
   def update
+    authorize @accounts_invitation
+
     if @accounts_invitation.update(invitation_params_update)
       render json: AccountsInvitationSerializer.new(@accounts_invitation).serializable_hash
     else
@@ -34,17 +40,25 @@ def update
   end
 
   def destroy
+    authorize @accounts_invitation
+
     @accounts_invitation.destroy
     render json: {status: 200}, status: :ok
   end
 
   def resend
+    authorize @accounts_invitation
+
     @accounts_invitation.resend_invite
     render json: {status: 200}, status: :ok
   end
 
   private
 
+  def pundit_user
+    @account.accounts_shopkeepers.find_by!(shopkeeper: current_shopkeeper)
+  end
+
   def set_account
     @account = current_shopkeeper.accounts.find(params[:account_id])
   end
@@ -65,11 +79,4 @@ def invitation_params_update
       .require(:accounts_invitation)
       .permit(:name, AccountsShopkeeper::ROLES)
   end
-
-  def require_account_admin
-    accounts_shopkeeper = @account.accounts_shopkeepers.find_by(shopkeeper: current_shopkeeper)
-    return if accounts_shopkeeper&.admin?
-
-    render json: {code: 401, error_message: I18n.t("api.shopkeeper.accounts.admin_required")}, status: :unauthorized
-  end
 end
diff --git a/app/controllers/api/v1/shopkeeper/accounts_controller.rb b/app/controllers/api/v1/shopkeeper/accounts_controller.rb
@@ -1,12 +1,11 @@
 class Api::V1::Shopkeeper::AccountsController < Api::V1::Shopkeeper::BaseController
   before_action :set_account, only: %i[show update destroy]
-  before_action :require_account_admin, only: %i[update]
-  before_action :require_account_owner, only: %i[destroy]
   before_action :prevent_personal_account_deletion, only: %i[destroy]
-  skip_after_action :verify_authorized
 
   # GET /accounts
   def index
+    authorize Account
+
     accounts = current_shopkeeper.accounts.sorted
     options = {
       params: {current_shopkeeper: current_shopkeeper}
@@ -24,6 +23,8 @@ def index
 
   # GET /accounts/1
   def show
+    authorize @account
+
     options = {
       include: [:accounts_shopkeepers, :accounts_invitations],
       params: {current_shopkeeper: current_shopkeeper}
@@ -33,6 +34,8 @@ def show
 
   # POST /accounts
   def create
+    authorize Account
+
     account = Account.new(account_params.merge(owner: current_shopkeeper))
     account.accounts_shopkeepers.new(shopkeeper: current_shopkeeper, admin: true)
 
@@ -49,6 +52,8 @@ def create
 
   # PATCH/PUT /accounts/1
   def update
+    authorize @account
+
     if @account.update(account_params)
       options = {
         params: {current_shopkeeper: current_shopkeeper}
@@ -61,6 +66,8 @@ def update
 
   # DELETE /accounts/1
   def destroy
+    authorize @account
+
     ActsAsTenant.without_tenant do
       @account.destroy
     end
@@ -80,22 +87,17 @@ def account_params
     params.require(:account).permit(:name)
   end
 
+  def pundit_user
+    if @account
+      @account.accounts_shopkeepers.find_by!(shopkeeper: current_shopkeeper)
+    else
+      super
+    end
+  end
+
   def prevent_personal_account_deletion
     return unless @account.personal?
 
     render json: {code: 422, error_message: I18n.t("api.shopkeeper.accounts.personal.cannot_delete")}, status: :unprocessable_entity
   end
-
-  def require_account_admin
-    accounts_shopkeeper = @account.accounts_shopkeepers.find_by(shopkeeper: current_shopkeeper)
-    return if accounts_shopkeeper&.admin?
-
-    render json: {code: 401, error_message: I18n.t("api.shopkeeper.accounts.admin_required")}, status: :unauthorized
-  end
-
-  def require_account_owner
-    return if @account.owner?(current_shopkeeper)
-
-    render json: {code: 401, error_message: I18n.t("api.shopkeeper.accounts.owner_required")}, status: :unauthorized
-  end
 end
diff --git a/app/controllers/api/v1/shopkeeper/accounts_invitations_controller.rb b/app/controllers/api/v1/shopkeeper/accounts_invitations_controller.rb
@@ -1,8 +1,9 @@
 class Api::V1::Shopkeeper::AccountsInvitationsController < Api::V1::Shopkeeper::BaseController
   before_action :set_accounts_invitation
-  skip_after_action :verify_authorized
 
   def show
+    authorize @accounts_invitation, :show_by_token?
+
     if @accounts_invitation.expired?
       render json: {code: 410, error_message: I18n.t("api.shopkeeper.accounts_invitations.expired")}, status: :gone
       return
@@ -14,6 +15,8 @@ def show
   end
 
   def update
+    authorize @accounts_invitation, :accept?
+
     if @accounts_invitation.expired?
       render json: {code: 410, error_message: I18n.t("api.shopkeeper.accounts_invitations.expired")}, status: :gone
       return
@@ -28,6 +31,8 @@ def update
   end
 
   def destroy
+    authorize @accounts_invitation, :reject?
+
     @accounts_invitation.reject!
     render json: {status: 200}, status: :ok
   end

diff --git a/app/controllers/api/v1/shopkeeper/accounts_shopkeepers_controller.rb b/app/controllers/api/v1/shopkeeper/accounts_shopkeepers_controller.rb
@@ -2,11 +2,11 @@ class Api::V1::Shopkeeper::AccountsShopkeepersController < Api::V1::Shopkeeper::
   before_action :set_account
   before_action :require_non_personal_account!, only: %i[show update destroy]
   before_action :set_accounts_shopkeeper, only: %i[show update destroy]
-  before_action :require_account_admin, except: %i[index show]
   before_action :safeguard_account_owner_deletion!, only: %i[destroy]
-  skip_after_action :verify_authorized
 
   def index
+    authorize AccountsShopkeeper
+
     if @account.personal?
       render json: AccountsShopkeeperSerializer.new([]).serializable_hash and return
     end
@@ -19,13 +19,17 @@ def index
   end
 
   def show
+    authorize @accounts_shopkeeper
+
     options = {}
     options[:include] = [:account, :shopkeeper]
 
     render json: AccountsShopkeeperSerializer.new(@accounts_shopkeeper, options).serializable_hash
   end
 
   def update
+    authorize @accounts_shopkeeper
+
     if @accounts_shopkeeper.update(accounts_shopkeeper_params)
       options = {}
       options[:include] = [:account, :shopkeeper]
@@ -37,12 +41,18 @@ def update
   end
 
   def destroy
+    authorize @accounts_shopkeeper
+
     @accounts_shopkeeper.destroy
     render json: {status: 200}, status: :ok
   end
 
   private
 
+  def pundit_user
+    @account.accounts_shopkeepers.find_by!(shopkeeper: current_shopkeeper)
+  end
+
   def set_account
     @account = current_shopkeeper.accounts.find(params[:account_id])
   end
@@ -68,11 +78,4 @@ def safeguard_account_owner_deletion!
 
     render json: {code: 401, error_message: I18n.t("unauthorized")}, status: :unauthorized
   end
-
-  def require_account_admin
-    accounts_shopkeeper = @account.accounts_shopkeepers.find_by(shopkeeper: current_shopkeeper)
-    return if accounts_shopkeeper&.admin?
-
-    render json: {code: 401, error_message: I18n.t("api.shopkeeper.accounts.admin_required")}, status: :unauthorized
-  end
 end
diff --git a/app/controllers/api/v1/shopkeeper/me_controller.rb b/app/controllers/api/v1/shopkeeper/me_controller.rb
@@ -1,14 +1,17 @@
 class Api::V1::Shopkeeper::MeController < Api::V1::Shopkeeper::BaseController
   before_action :set_shopkeeper, only: %i[update_confirmed_privacy_version update_confirmed_terms_version]
-  skip_after_action :verify_authorized
 
   def update_confirmed_privacy_version
+    authorize :me
+
     @shopkeeper.confirmed_privacy_version = PrivacyVersion.current_version
     @shopkeeper.save!(validate: false)
     render json: {status: 200}, status: :ok
   end
 
   def update_confirmed_terms_version
+    authorize :me
+
     @shopkeeper.confirmed_terms_version = TermsVersion.current_version
     @shopkeeper.save!(validate: false)
     render json: {status: 200}, status: :ok

diff --git a/app/policies/api/shopkeeper/account_policy.rb b/app/policies/api/shopkeeper/account_policy.rb
@@ -0,0 +1,23 @@
+class Api::Shopkeeper::AccountPolicy < Api::Shopkeeper::BasePolicy
+  include Api::Shopkeeper::Concerns::Authorization
+
+  def index?
+    true
+  end
+
+  def show?
+    true
+  end
+
+  def create?
+    true
+  end
+
+  def update?
+    admin?
+  end
+
+  def destroy?
+    owner?
+  end
+end
diff --git a/app/policies/api/shopkeeper/accounts_invitation_policy.rb b/app/policies/api/shopkeeper/accounts_invitation_policy.rb
@@ -0,0 +1,40 @@
+class Api::Shopkeeper::AccountsInvitationPolicy < Api::Shopkeeper::BasePolicy
+  include Api::Shopkeeper::Concerns::Authorization
+
+  def index?
+    true
+  end
+
+  def show?
+    true
+  end
+
+  def create?
+    admin?
+  end
+
+  def update?
+    admin?
+  end
+
+  def destroy?
+    admin?
+  end
+
+  def resend?
+    admin?
+  end
+
+  # Token-based actions (any authenticated shopkeeper with the token)
+  def show_by_token?
+    true
+  end
+
+  def accept?
+    true
+  end
+
+  def reject?
+    true
+  end
+end
diff --git a/app/policies/api/shopkeeper/accounts_shopkeeper_policy.rb b/app/policies/api/shopkeeper/accounts_shopkeeper_policy.rb
@@ -0,0 +1,19 @@
+class Api::Shopkeeper::AccountsShopkeeperPolicy < Api::Shopkeeper::BasePolicy
+  include Api::Shopkeeper::Concerns::Authorization
+
+  def index?
+    true
+  end
+
+  def show?
+    true
+  end
+
+  def update?
+    admin?
+  end
+
+  def destroy?
+    admin?
+  end
+end
diff --git a/app/policies/api/shopkeeper/me_policy.rb b/app/policies/api/shopkeeper/me_policy.rb
@@ -0,0 +1,9 @@
+class Api::Shopkeeper::MePolicy < Api::Shopkeeper::BasePolicy
+  def update_confirmed_privacy_version?
+    true
+  end
+
+  def update_confirmed_terms_version?
+    true
+  end
+end
diff --git a/app/policies/api/shopkeeper/password_policy.rb b/app/policies/api/shopkeeper/password_policy.rb
@@ -0,0 +1,5 @@
+class Api::Shopkeeper::PasswordPolicy < Api::Shopkeeper::BasePolicy
+  def update?
+    true
+  end
+end
diff --git a/render.yaml b/render.yaml
@@ -8,7 +8,7 @@ services:
     name: nativeapptemplateapi
     plan: standard
     previews:
-      plan: starter
+      plan: standard
     env: ruby
     region: singapore # the region must be consistent across all services for the internal keys to be read
     buildCommand: "./bin/render-build.sh"