Update capabilities check to actually reflect the existing logic

The OAuth capabilities are essentially user permissions that have been
granted to the app.  If the user authenticates through a non-oauth
method, they are assumed to have granted all capabilities to the app

diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6a61eeff30b75e16690133fddfad0de51e364866..8fc15ded5b5e006d242d994b39255b3e079de615 100644 (file)
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -49,7 +49,9 @@ class Ability
     # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
   end
 
+  # If a user provides no tokens, they've authenticated via a non-oauth method
+  # and permission to access to all capabilities is assumed.
   def has_capability?(token, cap)
-    token && token.read_attribute(cap)
+    token.nil? || token.read_attribute(cap)
   end
 end

diff --git a/test/models/abilities_test.rb b/test/models/abilities_test.rb
index 4976b0925e30ef2169f38f4b027dfe72c30b010e..de9f9ba9bab1fe883eb4196c4c7bb8075c264c5a 100644 (file)
--- a/test/models/abilities_test.rb
+++ b/test/models/abilities_test.rb
@@ -47,6 +47,14 @@ class UserAbilityTest < AbilityTest
 
   test "user preferences" do
     user = create(:user)
+
+    # a user with no tokens
+    ability = Ability.new create(:user), nil
+    [:read, :read_one, :update, :update_one, :delete_one].each do |act|
+      assert ability.can? act, UserPreference
+    end
+
+    # A user with empty tokens
     ability = Ability.new create(:user), tokens
 
     [:read, :read_one, :update, :update_one, :delete_one].each do |act|