Refactor users_controller to use CanCanCan for authorisation

[rails.git] / app / abilities / capability.rb

diff --git a/app/abilities/capability.rb b/app/abilities/capability.rb
index 2a5c927748bbdb969b6d37e376a099374085bed4..6aa1c418ca8f0ffbc624b3b38158ba9fc7f5792e 100644 (file)
--- a/app/abilities/capability.rb
+++ b/app/abilities/capability.rb
@@ -4,8 +4,17 @@ class Capability
   include CanCan::Ability
 
   def initialize(token)
+    can :create, ChangesetComment if capability?(token, :allow_write_api)
+    can [:create, :comment, :close, :reopen], Note if capability?(token, :allow_write_notes)
+    can [:api_details], User if capability?(token, :allow_read_prefs)
+    can [:api_gpx_files], User if capability?(token, :allow_read_gpx)
     can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs)
     can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs)
+
+    if token&.user&.moderator?
+      can [:destroy, :restore], ChangesetComment if capability?(token, :allow_write_api)
+      can :destroy, Note if capability?(token, :allow_write_notes)
+    end
   end
 
   private