Authorize actions on GeocoderController with CanCanCan Ability

[rails.git] / app / models / ability.rb

diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6a61eeff30b75e16690133fddfad0de51e364866..d33430fb4fbc285148d216863f7e242c2c955a9e 100644 (file)
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -9,6 +9,9 @@ class Ability
 
     can [:list, :rss, :view, :comments], DiaryEntry
 
+    can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim,
+         :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
+
     if user
       can :weclome, :site
 
@@ -49,7 +52,9 @@ class Ability
     # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
   end
 
+  # If a user provides no tokens, they've authenticated via a non-oauth method
+  # and permission to access to all capabilities is assumed.
   def has_capability?(token, cap)
-    token && token.read_attribute(cap)
+    token.nil? || token.read_attribute(cap)
   end
 end