Add an authorization plugin

[sonalkr132]

Historically, ownership was the only authorization check in our code. All profile-related checks were handled with current_user. With the introduction of api_key, ownership_call and ownership_requests, we have authorization checks like following sitting awkwardly in the controller (sometimes even model).

# app/controllers/ownership_calls_controller.rb#L4
before_action :render_forbidden, unless: :owner?, only: %i[create close]

# app/controllers/ownership_requests_controller.rb
 render_forbidden && return unless current_user.can_request_ownership?(@rubygem)
 
 # app/controllers/api/v1/owners_controller.rb
 return render_api_key_forbidden unless @api_key.can_add_owner?
 
 app/models/ownership_request.rb#L24
 can_close?(user) && update(status: :closed)

It would be nicer if we moved all these checks out of the controller and let an authorization plugin like cancancan or pundit handle it.

Is your feature request related to a problem?

code health

Describe the solution you'd like

Add cancancan or pundit

[simi]

Pundit is added now. Would it make sense to migrate those mentioned checks to Pundit @segiddins? It seems it is used used for Avo only currently.

[segiddins]

Yes, i think using pundit in more places makes sense!