Add RBAC, convert existing roles

Adds full Role-Based Access Control mechanisms and converts the existing shift coordinator role.

The following roles will be created:

• shift_coordinator: Can manage session assignments and scheduling
• events_admin: Can manage conferences and all sub-resources

Based on the following permissions:

manage_assignments = Permission.create!(name: 'manage_assignments', description: 'Can create and delete assignments')
manage_conferences = Permission.create!(name: 'manage_conferences', description: 'Can create, edit, and delete conferences')
manage_sessions = Permission.create!(name: 'manage_sessions', description: 'Can create, edit, and delete sessions')
manage_speakers = Permission.create!(name: 'manage_speakers', description: 'Can create, edit, and delete speakers')
manage_stages = Permission.create!(name: 'manage_stages', description: 'Can create, edit, and delete stages')

shift_coordinator_role.permissions << manage_assignments

events_admin_role.permissions << manage_conferences
events_admin_role.permissions << manage_sessions
events_admin_role.permissions << manage_speakers
events_admin_role.permissions << manage_stages

app/controllers/application_controller.rb

@@ -6,13 +6,28 @@ class ApplicationController < ActionController::Base
   def configure_permitted_parameters
     devise_parameter_sanitizer.permit(:sign_up, keys: [ :invitation_token ])
     devise_parameter_sanitizer.permit(:account_update) do |u|
-      u.permit(:name, :email, :password, :password_confirmation, :avatar_color, :darkmode, :languages_from, :languages_to, :telegram_username, :current_password)
+      u.permit(:name, :email, :password, :password_confirmation, :avatar_color, :darkmode, :languages_from,
+               :languages_to, :telegram_username, :current_password)
     end
   end
 
   def authorize_shiftcoordinator
-    unless current_user.shiftcoordinator?
-      render plain: "Forbidden", status: :forbidden
-    end
+    authorize_role("shift_coordinator")
+  end
+
+  def redirect_back_with_error(message)
+    redirect_back(fallback_location: root_path, alert: message)
+  end
+
+  def authorize_role(role_name)
+    return if current_user&.has_role?(role_name)
+
+    render plain: "Forbidden", status: :forbidden
+  end
+
+  def authorize_permission(permission_name)
+    return if current_user&.has_permission?(permission_name)
+
+    render plain: "Forbidden", status: :forbidden
   end
 end