From: Chris Flipse
Date: Sun, 10 Jun 2018 17:06:10 +0000 (-0400)
Subject: Update capabilities check to actually reflect the existing logic
X-Git-Tag: live~2816^2~15^2~3
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/464c7f863e8413f67b22999fd1c629969731c309

Update capabilities check to actually reflect the existing logic

The OAuth capabilities are essentially user permissions that have been granted to the app. If the user authenticates through a non-oauth method, they are assumed to have granted all capabilities to the app
---

diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6a61eeff3..8fc15ded5 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -49,7 +49,9 @@ class Ability
     # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
   end
 
+  # If a user provides no tokens, they've authenticated via a non-oauth method
+  # and permission to access to all capabilities is assumed.
   def has_capability?(token, cap)
-    token && token.read_attribute(cap)
+    token.nil? || token.read_attribute(cap)
   end
 end
diff --git a/test/models/abilities_test.rb b/test/models/abilities_test.rb
index 4976b0925..de9f9ba9b 100644
--- a/test/models/abilities_test.rb
+++ b/test/models/abilities_test.rb
@@ -47,6 +47,14 @@ class UserAbilityTest < AbilityTest
 
   test "user preferences" do
     user = create(:user)
+
+    # a user with no tokens
+    ability = Ability.new create(:user), nil
+    [:read, :read_one, :update, :update_one, :delete_one].each do |act|
+      assert ability.can? act, UserPreference
+    end
+
+    # A user with empty tokens
     ability = Ability.new create(:user), tokens
     [:read, :read_one, :update, :update_one, :delete_one].each do |act|
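Review bot: The new `token.nil? || token.read_attribute(cap)` in has_capability? fails open: any caller that reaches Ability with a nil token is granted every capability, so the safety of this line rests entirely on nil only ever meaning "no OAuth token was presented" and never "a token was presented but could not be found, was revoked, or failed verification". That distinction is made by the callers, which are outside this hunk, so it is worth recording as an invariant beside the check rather than only in the comment above the method, e.g. `# nil must mean "not an OAuth request"; a token that was presented but rejected must be refused by the caller before it reaches here.` A more defensive shape would be to fail closed on anything that is neither nil nor a token record, but whether that is viable depends on how callers construct Ability, which is not visible here. The added comment also has a typo: "permission to access to all capabilities" should read "permission to access all capabilities".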