means ...
For the current user (i.e. current_user) and
for the @post object
throw a NotAuthorizedError
exception if PostPolicy#create? returns false
I think the "hidden" inputs to authorize come from the following sources:
current_user from Devise's current_user
@post is the self-evident argument to authorize
PostPolicy is built from the name of the class of the object @post followed by the word "Policy" (i.e. @post.class.to_s + 'Policy')
create? is built from params[:action]. That is, since we know we're in def create then params[:action] must be "create".
How close am I?
Ralph
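
The lookup described in the post above, modelled in stand-alone Ruby. This is an added example, not part of the original post and not Pundit's own code: it does not load Pundit or Devise, and `User`, `Post`, `PostsController`, the admin-only rule and this `authorize` method are all constructed here to show the inference of policy class and query method, with denial as the default when the policy has no matching query.

```ruby
# Added illustration: a model of the lookup the post describes.
# Nothing here is Pundit's implementation; all classes are constructed.
class NotAuthorizedError < StandardError; end

User = Struct.new(:name, :admin)
Post = Struct.new(:title)

class PostPolicy
  attr_reader :user, :record

  def initialize(user, record)
    @user = user
    @record = record
  end

  # Constructed rule for the example: only admins may create posts.
  def create?
    !user.nil? && user.admin
  end
end

# Hypothetical controller exposing the "hidden" inputs listed in the post.
class PostsController
  attr_reader :current_user, :params

  def initialize(current_user, params)
    @current_user = current_user
    @params = params
  end

  def authorize(record)
    # Policy class name: the record's class name followed by "Policy".
    policy_class = Object.const_get("#{record.class}Policy")
    # Query method: the action name followed by "?".
    query = "#{params[:action]}?"
    policy = policy_class.new(current_user, record)
    # Deny by default: a missing query method is treated as "not allowed".
    unless policy.respond_to?(query) && policy.public_send(query)
      raise NotAuthorizedError, "not allowed to #{query} this #{record.class}"
    end
    record
  end

  def create
    @post = Post.new("hello")
    authorize @post
    :created
  end
end
```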