It would be great if we could just do:

  def create(conn, %{"post" => post_params}) do
    with :ok <- permit(conn, Posts, :create_post), # <-- note conn, not user
      {:ok, post} <- Posts.create_post(current_user, post_params)
    do
      render(conn, "show.json", post: post)
    end
  end

…and automatically pull in conn.assigns[:current_user] for the user param (key configurable via config)

Not sure if it should be permit(conn, Posts, :create_post) (more plug-like) or permit(Posts, :create_post, conn) (matches signature of Bodyguard.permit/4)