The OAuth capabilities are essentially user permissions that have been
granted to the app. If the user authenticates through a non-OAuth
method, they are assumed to have granted all capabilities to the app.
# https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
end
# https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
end
+ # If a user provides no tokens, they've authenticated via a non-oauth method
+ # and permission to access to all capabilities is assumed.
def has_capability?(token, cap)
def has_capability?(token, cap)
- token && token.read_attribute(cap)
+ token.nil? || token.read_attribute(cap)
test "user preferences" do
user = create(:user)
test "user preferences" do
user = create(:user)
+
+ # a user with no tokens
+ ability = Ability.new create(:user), nil
+ [:read, :read_one, :update, :update_one, :delete_one].each do |act|
+ assert ability.can? act, UserPreference
+ end
+
+ # A user with empty tokens
ability = Ability.new create(:user), tokens
[:read, :read_one, :update, :update_one, :delete_one].each do |act|
ability = Ability.new create(:user), tokens
[:read, :read_one, :update, :update_one, :delete_one].each do |act|