policy action(:invite_user) do
forbid_unless actor_attribute_equals(:role, :admin)
authorize_if {App.Checks.OnlyAllowedRoles, roles: [:student, :parent]}
end
And what's nice is that these policies apply for both the API and the frontend code without having to do anything extra :)
Here's a link to a codepen so you can see what it looks like without rendering it yourself: https://codepen.io/erikaja/pen/RNRVMyB