Rework capabilities to avoid assumptions about missing tokens

[rails.git] / app / models / capability.rb

diff --git a/app/models/capability.rb b/app/models/capability.rb
index 17468750331de66846a696472c8436f3dd740bad..72c5545cb4ec5a9b04d5e0c4b5d453765fa754cc 100644 (file)
--- a/app/models/capability.rb
+++ b/app/models/capability.rb
@@ -5,15 +5,14 @@ class Capability
 
   def initialize(user, token)
     if user
-      can [:read, :read_one], UserPreference if has_capability?(token, :allow_read_prefs)
-      can [:update, :update_one, :delete_one], UserPreference if has_capability?(token, :allow_write_prefs)
-
+      can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs)
+      can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs)
     end
   end
 
-  # If a user provides no tokens, they've authenticated via a non-oauth method
-  # and permission to access to all capabilities is assumed.
-  def has_capability?(token, cap)
-    token.nil? || token.read_attribute(cap)
+  private
+
+  def capability?(token, cap)
+    token&.read_attribute(cap)
   end
 end