Update capabilities check to actually reflect the existing logic

[rails.git] / app / models / ability.rb

diff --git a/app/models/ability.rb b/app/models/ability.rb
index 59b1c5ec3e68ebda8edc6e1bddd68d13bfec82a6..8fc15ded5b5e006d242d994b39255b3e079de615 100644 (file)
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -14,6 +14,9 @@ class Ability
 
       can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
 
+      can [:read, :read_one], UserPreference if has_capability?(token, :allow_read_prefs)
+      can [:update, :update_one, :delete_one], UserPreference if has_capability?(token, :allow_write_prefs)
+
       if user.administrator?
         can [:hide, :hidecomment], [DiaryEntry, DiaryComment]
       end
@@ -46,7 +49,9 @@ class Ability
     # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
   end
 
+  # If a user provides no tokens, they've authenticated via a non-oauth method
+  # and permission to access to all capabilities is assumed.
   def has_capability?(token, cap)
-    token && token.read_attribute(cap)
+    token.nil? || token.read_attribute(cap)
   end
 end