Jared Beck
Hi Scott, thanks for the contribution. Before we review this, can you please remind me of some of the security considerations re: putting plaintext secrets in HTTP headers? My dim...
Thanks for the review, Tieg.

> is this a breaking change if it's enabled by default?

Downstream users should already be aware that url-params can authenticate, if they have the...
Hi Paul, I'm glad to hear you're moving from SHA-512 to SCrypt. Good choice.

> If the only change is rehashing the password, password_changed? should return false.

I agree. `password_changed?`...
Good catch. There are at least two that I see:

- increase_failed_login_count
- reset_failed_login_count
First, I'm pretty sure you're not supposed to override `accessible_by`. Second, you are using the "hash of conditions" syntax for `can`, when I think you should be using [the block...
Can you try the most recent version to see if your issue has been resolved? This issue is tagged 2.0, so you'll want to use the master branch. This is...
I'm not sure I see a security issue. It sounds more like a performance issue. Are you using `load_and_authorize_resource`? To load a resource requires a database query. You could remove...
The 40x status codes are defined in [RFC 2616, Section 10](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4). It's your choice which status to use in your response. When you catch `CanCan::AccessDenied` you should respond with 403...
I can't reproduce this. Please include the `cancan` line from your `Gemfile`. Does `CanCan::ControllerResource#load_collection` run? You can open the cancan source (find it with `bundle show`) and use `pry` or...
I agree with your analysis; I don't immediately see a way to load a collection before the `#new` action, using `load_and_authorize_resource` or `load_resource`. Unfortunately, cancan's highest priorities now are to...