X-Git-Url: https://git.openstreetmap.org/rails.git/blobdiff_plain/2a44ff581f4c547a3637ea52567a3398b1d8bfe0..464c7f863e8413f67b22999fd1c629969731c309:/app/models/ability.rb

diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6a61eeff3..8fc15ded5 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -49,7 +49,9 @@ class Ability
     # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
   end
 
+  # If a user provides no tokens, they've authenticated via a non-oauth method
+  # and permission to access to all capabilities is assumed.
   def has_capability?(token, cap)
-    token && token.read_attribute(cap)
+    token.nil? || token.read_attribute(cap)
   end
 end