]> git.openstreetmap.org Git - rails.git/commitdiff
projects / rails.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ac7c45b)
Use cancancan to authorize user_preference_controller
authorChris Flipse <cflipse@gmail.com>
Sat, 9 Jun 2018 23:53:45 +0000 (19:53 -0400)
committerChris Flipse <cflipse@gmail.com>
Sun, 17 Jun 2018 17:57:06 +0000 (13:57 -0400)
app/controllers/application_controller.rb patch | blob | history
app/controllers/user_preferences_controller.rb patch | blob | history
app/models/ability.rb patch | blob | history
test/models/abilities_test.rb patch | blob | history

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 54d5835bbc5868c87d5f1ffb10a2c4157a0dd651..b6a2467a4149d01bbfebe932d128f0331ed2c393 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -476,8 +476,8 @@ class ApplicationController < ActionController::Base
 
   def deny_access(exception)
     if current_user
 
   def deny_access(exception)
     if current_user
-      raise "Access denied on #{exception.action} #{exception.subject.inspect}"
-      # ...
+      set_locale
+      report_error t("oauth.permissions.missing"), :forbidden
     else
       require_user
     end
     else
       require_user
     end
diff --git a/app/controllers/user_preferences_controller.rb b/app/controllers/user_preferences_controller.rb
index 0aa2e8d523240c5f1eb3add8f6c978204bcab86f..915c847de4f221fc8a45662efa712d1ab79a5b3a 100644 (file)
--- a/app/controllers/user_preferences_controller.rb
+++ b/app/controllers/user_preferences_controller.rb
@@ -2,8 +2,9 @@
 class UserPreferencesController < ApplicationController
   skip_before_action :verify_authenticity_token
   before_action :authorize
 class UserPreferencesController < ApplicationController
   skip_before_action :verify_authenticity_token
   before_action :authorize
-  before_action :require_allow_read_prefs, :only => [:read_one, :read]
-  before_action :require_allow_write_prefs, :except => [:read_one, :read]
+
+  authorize_resource
+
   around_action :api_call_handle_error
 
   ##
   around_action :api_call_handle_error
 
   ##
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 59b1c5ec3e68ebda8edc6e1bddd68d13bfec82a6..6a61eeff30b75e16690133fddfad0de51e364866 100644 (file)
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -14,6 +14,9 @@ class Ability
 
       can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
 
 
       can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
 
+      can [:read, :read_one], UserPreference if has_capability?(token, :allow_read_prefs)
+      can [:update, :update_one, :delete_one], UserPreference if has_capability?(token, :allow_write_prefs)
+
       if user.administrator?
         can [:hide, :hidecomment], [DiaryEntry, DiaryComment]
       end
       if user.administrator?
         can [:hide, :hidecomment], [DiaryEntry, DiaryComment]
       end
diff --git a/test/models/abilities_test.rb b/test/models/abilities_test.rb
index 6472ad2e3dbaa8e4479e43f896f44a7c0d04f8b6..bc8e24781ffa75a50281db6328e4f02c92851118 100644 (file)
--- a/test/models/abilities_test.rb
+++ b/test/models/abilities_test.rb
@@ -16,7 +16,6 @@ class AbilityTest < ActiveSupport::TestCase
     end
   end
 
     end
   end
 
-
   test "Diary permissions for a normal user" do
     ability = Ability.new(create(:user), [])
 
   test "Diary permissions for a normal user" do
     ability = Ability.new(create(:user), [])
 
The OpenStreetMap web site