From: Andy Allan
Date: Wed, 9 Jan 2019 11:22:39 +0000 (+0100)
Subject: Use CanCanCan for changesets controller
X-Git-Tag: live~2719^2
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/1774109311a1dc859bfec26ef54853b3078577e5?hp=fac3f0ef2435ff1f4393c81cc9cf4113ff6a5bdb

Use CanCanCan for changesets controller

The expand_bbox method now needs require_write_api capability on tokens.
---
diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb
index 1fcf6cbee..6dbeb0b64 100644
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@@ -4,6 +4,7 @@ class Ability
   include CanCan::Ability
 
   def initialize(user)
+    can [:index, :feed, :read, :download, :query], Changeset
     can :index, ChangesetComment
     can [:index, :permalink, :edit, :help, :fixthemap, :offline, :export, :about, :preview, :copyright, :key, :id], :site
     can [:index, :rss, :show, :comments], DiaryEntry
@@ -22,7 +23,8 @@ class Ability
     can [:account, :go_public, :make_friend, :remove_friend, :api_details, :api_gpx_files], User
     can [:read, :read_one, :update, :update_one, :delete_one], UserPreference
 
-    if user.terms_agreed? || !REQUIRE_TERMS_AGREED # rubocop:disable Style/IfUnlessModifier
+    if user.terms_agreed? || !REQUIRE_TERMS_AGREED
+      can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset
       can :create, ChangesetComment
     end
 
diff --git a/app/abilities/capability.rb b/app/abilities/capability.rb
index ae30a0ebd..fdc53891a 100644
--- a/app/abilities/capability.rb
+++ b/app/abilities/capability.rb
@@ -11,6 +11,7 @@ class Capability
     can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs)
 
     if token&.user&.terms_agreed? || !REQUIRE_TERMS_AGREED
+      can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset if capability?(token, :allow_write_api)
       can :create, ChangesetComment if capability?(token, :allow_write_api)
     end
 
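Review bot: The Changeset write-action list `[:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox]` added inside the `if user.terms_agreed?` block is spelled out a second time, verbatim, in the capability.rb hunk below, and the two copies must stay identical for session-based and token-based authorization to agree; a later edit to only one of them would silently let one auth path permit what the other denies. Hoisting the list into one frozen constant that both classes reference, e.g. `CHANGESET_WRITE_ACTIONS = %i[create update upload close subscribe unsubscribe expand_bbox].freeze` used as `can CHANGESET_WRITE_ACTIONS, Changeset`, removes that drift. A short comment on the new `can` line, such as `# write access to changesets requires accepted terms (or REQUIRE_TERMS_AGREED off)`, would also make the gating condition explicit at the point where the grant is read. The `initialize` body continues outside both hunks.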
diff --git a/app/controllers/changesets_controller.rb b/app/controllers/changesets_controller.rb
index e4fd593d7..97ff85f02 100644
--- a/app/controllers/changesets_controller.rb
+++ b/app/controllers/changesets_controller.rb
@@ -8,7 +8,10 @@ class ChangesetsController < ApplicationController
   before_action :authorize_web, :only => [:index, :feed]
   before_action :set_locale, :only => [:index, :feed]
   before_action :authorize, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
-  before_action :require_allow_write_api, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
+  before_action :api_deny_access_handler, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox]
+
+  authorize_resource
+
   before_action :require_public_data, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe]
   before_action :check_api_writable, :only => [:create, :update, :upload, :subscribe, :unsubscribe]
   before_action :check_api_readable, :except => [:create, :update, :upload, :download, :query, :index, :feed, :subscribe, :unsubscribe]
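Review bot: `:expand_bbox` is now treated as a Changeset write action in Ability/Capability and is listed for `api_deny_access_handler`, but on the visible lines it is missing from the `before_action :authorize`, `require_public_data` and `check_api_writable` lists, so unlike the other write actions it reaches `authorize_resource` without the request first passing through `authorize` (which presumably establishes the current user or token) and skips the public-data and API-writable gates. Unless another filter later in the file covers it (the class body continues outside the hunk), the three lists should include it, e.g. `before_action :authorize, :only => [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox]` and the same addition to the `require_public_data` and `check_api_writable` lines. If the omission is deliberate, a one-line comment above `authorize_resource` stating why `expand_bbox` is gated only by CanCan would stop the next reader from re-raising this.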