The signature of scope/4 has user as the second argument and the description states:

Filter a query down to user-accessible items.

What about cases where we need to filter a query on a resource other than the current user, like a current account, for example?

I suppose we can pass in the account in place of the user:

  def scope(query, account) do
    from invitation in query,
      where: invitation.account_id == ^account.id
  end

  def list_invitations(%Account{} = account) do
    Invitation
    |> Bodyguard.scope(account)
    |> Repo.all()
  end

I haven't really tested this and it brings some additional mental overhead. I'm not sure if the scope of scope/4 (no pun intended) includes this use case. Thoughts?

Yeesh, sorry I am getting back to this over a year later.

I'm not 100% on your intentions here… Bodyguard doesn't really know what you mean by "user", i.e. it can be whatever model or data structure you want. It's just a placeholder for "actor who we want to authorize actions against".

In fact you could even pattern-match on it, so you could accept %Account{} structs in some cases, and %User{} structs in others, depending on what you need to authorize. Or you could make a higher-level struct that encapsulates one or both of those structs.

In practice I wish I hadn't even put scope/4 in there at all. It really doesn't add anything to the lib overall.