From: Andy Allan
Date: Wed, 24 Oct 2018 14:48:54 +0000 (+0200)
Subject: Check the oauth token and then use the capabilities directly
X-Git-Tag: live~2819^2~5
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/0888f43d7b5a5e23874ff1a291049b90481d1273?hp=--cc
Check the oauth token and then use the capabilities directly
--- 0888f43d7b5a5e23874ff1a291049b90481d1273
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 690bdf5ca..20fcc5f47 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -469,11 +469,12 @@ class ApplicationController < ActionController::Base
 end
 def current_ability
- Ability.new(current_user).merge(granted_capability)
- end
-
- def granted_capability
- Capability.new(current_user, current_token)
+ # Add in capabilities from the oauth token if it exists and is a valid access token
+ if Authenticator.new(self, [:token]).allow?
+ Ability.new(current_user).merge(Capability.new(current_token))
+ else
+ Ability.new(current_user)
+ end
 end
 def deny_access(_exception)
diff --git a/app/models/capability.rb b/app/models/capability.rb
index 72c5545cb..2a5c92774 100644
--- a/app/models/capability.rb
+++ b/app/models/capability.rb
@@ -3,11 +3,9 @@ class Capability
 include CanCan::Ability
- def initialize(user, token)
- if user
- can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs)
- can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs)
- end
+ def initialize(token)
+ can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs)
+ can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs)
 end
 private
diff --git a/test/models/capability_test.rb b/test/models/capability_test.rb
index d08d182c2..a25c67043 100644
--- a/test/models/capability_test.rb
+++ b/test/models/capability_test.rb
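Review bot: The rewritten current_ability is not memoized, so every can?/authorize! call in a request re-runs Authenticator.new(self, [:token]).allow? and rebuilds both ability objects, presumably repeating the token lookup each time; wrapping the body in `@current_ability ||= begin … end` keeps one result per request, as CanCan's default current_ability does. The `if user` guard that Capability used to apply is gone, so correctness now rests on allow? returning false for anything that is not a valid access token and on current_user and current_token belonging to the same principal — if a session user and a token user could ever differ here, the token's preference capabilities would be merged into the wrong user's ability, which deserves a comment such as `# current_token is only trusted once allow? has accepted it as an access token; it must belong to current_user`. The enclosing class continues outside the hunk.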
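Review bot: Capability#initialize now grants UserPreference actions from the token's flags alone, with no check that the token is valid, authorized or bound to a user, so that precondition has moved to the caller and should be stated on the constructor, e.g. `# token must already have been verified as an authorized access token by the caller; nil or a token without the relevant flag grants nothing`. The tests pass nil here, which suggests capability? tolerates it, but that private helper is outside the hunk so I cannot confirm it from these lines.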
@@ -14,22 +14,20 @@ end
 class UserCapabilityTest < CapabilityTest
 test "user preferences" do
- user = create(:user)
-
 # a user with no tokens
- capability = Capability.new create(:user), nil
+ capability = Capability.new nil
 [:read, :read_one, :update, :update_one, :delete_one].each do |act|
 assert capability.cannot? act, UserPreference
 end
 # A user with empty tokens
- capability = Capability.new create(:user), tokens
+ capability = Capability.new tokens
 [:read, :read_one, :update, :update_one, :delete_one].each do |act|
 assert capability.cannot? act, UserPreference
 end
- capability = Capability.new user, tokens(:allow_read_prefs)
+ capability = Capability.new tokens(:allow_read_prefs)
 [:update, :update_one, :delete_one].each do |act|
 assert capability.cannot? act, UserPreference
@@ -39,7 +37,7 @@ class UserCapabilityTest < CapabilityTest
 assert capability.can? act, UserPreference
 end
- capability = Capability.new user, tokens(:allow_write_prefs)
+ capability = Capability.new tokens(:allow_write_prefs)
 [:read, :read_one].each do |act|
 assert capability.cannot? act, UserPreference
 end
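Review bot: The context comment `# A user with empty tokens` (and the similar one above it) still describes a user, but the test no longer creates one since Capability.new takes only the token; rewording it to `# a token that grants no capabilities` keeps the comment honest about what is exercised. The scenarios visible here cover nil, an empty token and each flag in isolation; whether a token carrying both allow_read_prefs and allow_write_prefs is asserted anywhere is not visible in this hunk. The test method's end lies outside the hunk.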