Raising an exception if an action isn't explicitly authorized

application_controller.rb

class ApplicationController < ActionController::Base
  # ...
  include AuthorizationSystem
  after_filter :validate_authorization_checked
end

authorization_system.rb

module AuthorizationSystem
  NotAuthorized = Class.new(StandardError)
  AuthorizationNotChecked = Class.new(StandardError)
  
protected

  def authorize!
    @authorization_checked = true
    raise NotAuthorized unless yield
  end
  
  def validate_authorization_checked
    return if @authorization_checked
    raise AuthorizationNotChecked
  end
end

messages_controller.rb

class MessagesController < ApplicationController
  # ...

  def show
    @account = Account.find(params[:account_id])
    @message = @account.messages.find(params[:id])
    authorize! { current_user.can_view?(@message) }
  end
end