Insecure disabling of callback detected.

Description

When using except/unless for disabling a callback, there is a high chance of skipping important access control logic by accident.

Remediations

✅ Prefer enumerating all of the actions using only:

skip_before_action :access_control, only: %i[public_action1 public_action2]

Associated CWE

OWASP Top 10