From 060c686c1923534d2899ee129cc740e0f2fa7c9f Mon Sep 17 00:00:00 2001
From: Chris Flipse
Date: Sat, 9 Jun 2018 19:53:45 -0400
Subject: [PATCH] Use cancancan to authorize user_preference_controller

---
 app/controllers/application_controller.rb | 4 ++--
 app/controllers/user_preferences_controller.rb | 5 +++--
 app/models/ability.rb | 3 +++
 test/models/abilities_test.rb | 1 -
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 54d5835bb..b6a2467a4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -476,8 +476,8 @@ class ApplicationController < ActionController::Base
 def deny_access(exception)
 if current_user
- raise "Access denied on #{exception.action} #{exception.subject.inspect}"
- # ...
+ set_locale
+ report_error t("oauth.permissions.missing"), :forbidden
 else
 require_user
 end
diff --git a/app/controllers/user_preferences_controller.rb b/app/controllers/user_preferences_controller.rb
index 0aa2e8d52..915c847de 100644
--- a/app/controllers/user_preferences_controller.rb
+++ b/app/controllers/user_preferences_controller.rb
@@ -2,8 +2,9 @@ class UserPreferencesController < ApplicationController
 skip_before_action :verify_authenticity_token
 before_action :authorize
- before_action :require_allow_read_prefs, :only => [:read_one, :read]
- before_action :require_allow_write_prefs, :except => [:read_one, :read]
+
+ authorize_resource
+
 around_action :api_call_handle_error
 ##
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 59b1c5ec3..6a61eeff3 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
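Review bot: The new `report_error t("oauth.permissions.missing"), :forbidden` branch in deny_access answers every denial for a signed-in user with an OAuth-scope message, and the denied `exception.action` and `exception.subject` that the removed `raise` message carried are no longer surfaced anywhere. A denial that comes from a role rule rather than a token capability (the `user.administrator?` rules in ability.rb go through the same handler) will be reported to the client as a missing OAuth permission, which is misleading, and the server keeps no record of what was refused. Consider a log line before the response, e.g. `logger.info "Access denied for user #{current_user.id} on #{exception.action} #{exception.subject}"`, using `to_s` rather than the old `inspect` so record attributes do not land in the log. The 403 status is the right choice; the `rescue_from` that routes to deny_access is outside this hunk, so I am assuming this is the CanCan::AccessDenied handler.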
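Review bot: `authorize_resource` is registered after `before_action :authorize` but before `around_action :api_call_handle_error`, so a CanCan::AccessDenied raised by the authorization check runs outside the around_action and should fall through to ApplicationController's handler rather than the API error wrapper; that looks intended given the deny_access change in this same patch, but it is an ordering dependency worth a comment, e.g. `# Must run after :authorize (Ability needs the token) and is not wrapped by api_call_handle_error`. Because nothing loads a resource here, CanCanCan authorizes each action against the `UserPreference` class, so only class-level rules can apply. Under the old `:except => [:read_one, :read]` filter every other action was covered by the write check, whereas now any action not enumerated in ability.rb is denied outright — a fail-closed default that a one-line note next to the macro would make explicit, so a future action is not silently unreachable. The controller's action methods are outside the hunk.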
@@ -14,6 +14,9 @@ class Ability
 can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
+ can [:read, :read_one], UserPreference if has_capability?(token, :allow_read_prefs)
+ can [:update, :update_one, :delete_one], UserPreference if has_capability?(token, :allow_write_prefs)
+
 if user.administrator?
 can [:hide, :hidecomment], [DiaryEntry, DiaryComment]
 end
diff --git a/test/models/abilities_test.rb b/test/models/abilities_test.rb
index 6472ad2e3..bc8e24781 100644
--- a/test/models/abilities_test.rb
+++ b/test/models/abilities_test.rb
@@ -16,7 +16,6 @@ class AbilityTest < ActiveSupport::TestCase
 end
 end
- test "Diary permissions for a normal user" do
 ability = Ability.new(create(:user), [])
-- 
2.43.2
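Review bot: The two new `can ... UserPreference if has_capability?(token, ...)` rules get no coverage in abilities_test.rb — the only change there is a removed line — and the outcome for a `nil` token (a session or basic-auth user with no OAuth token) is decided entirely by `has_capability?`, which is outside this hunk. If it returns false for `nil`, non-OAuth clients lose whatever preference access the old `require_allow_*_prefs` filters gave them; if it returns true, that is the permissive path and should be pinned by a test either way. Suggest tests that build `Ability.new(create(:user), token)` with a token granting only `:allow_read_prefs` and assert `ability.can?(:read, UserPreference)` and `ability.cannot?(:update, UserPreference)`, plus one for the nil-token case. A one-line comment above the rules would also help: `# Preference access is gated by the token's scope, not by the user's role`.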