My problem with CanCan is that when you begin to have more complicated access logic ability.rb becomes a giant mess.

It's already a file where you just throw in all of your authorization logic anyways so it always feels a bit unruly once you get beyond basics.

I agree. The first app we wrote using CanCan, the `ability.rb` file (and the dozen files we factored out of that) grew to be... significant.

I love the idea of Pundit because it decouples all that as much as seems practical. I'm about to find out if theory informs practice or not...

This gem's function is so integral to an application I don't understand how it's not part of Rails.

that's exactly what i was thinking...