From 414c4b2c36bc78ece037e30bf8139b129abcd280 Mon Sep 17 00:00:00 2001 From: Andy Allan Date: Wed, 9 Jan 2019 11:40:54 +0100 Subject: [PATCH] Use CanCanCan for traces controller --- app/abilities/ability.rb | 2 ++ app/abilities/capability.rb | 2 ++ app/controllers/traces_controller.rb | 7 ++++--- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/app/abilities/ability.rb b/app/abilities/ability.rb index 1fcf6cbee..51cc02925 100644 --- a/app/abilities/ability.rb +++ b/app/abilities/ability.rb @@ -11,6 +11,7 @@ class Ability :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder can [:index, :create, :comment, :feed, :show, :search, :mine], Note can [:index, :show], Redaction + can [:index, :show, :data, :georss, :picture, :icon], Trace can [:terms, :api_users, :login, :logout, :new, :create, :save, :confirm, :confirm_resend, :confirm_email, :lost_password, :reset_password, :show, :api_read, :auth_success, :auth_failure], User can [:index, :show, :blocks_on, :blocks_by], UserBlock @@ -19,6 +20,7 @@ class Ability can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry can [:close, :reopen], Note can [:new, :create], Report + can [:mine, :new, :create, :edit, :update, :delete, :api_create, :api_read, :api_update, :api_delete, :api_data], Trace can [:account, :go_public, :make_friend, :remove_friend, :api_details, :api_gpx_files], User can [:read, :read_one, :update, :update_one, :delete_one], UserPreference diff --git a/app/abilities/capability.rb b/app/abilities/capability.rb index ae30a0ebd..b6cad3115 100644 --- a/app/abilities/capability.rb +++ b/app/abilities/capability.rb @@ -5,6 +5,8 @@ class Capability def initialize(token) can [:create, :comment, :close, :reopen], Note if capability?(token, :allow_write_notes) + can [:api_read, :api_data], Trace if capability?(token, :allow_read_gpx) + can [:api_create, :api_update, :api_delete], Trace if capability?(token, :allow_write_gpx) can [:api_details], User if capability?(token, :allow_read_prefs) can [:api_gpx_files], User if capability?(token, :allow_read_gpx) can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs) diff --git a/app/controllers/traces_controller.rb b/app/controllers/traces_controller.rb index b78ae2959..253bc4160 100644 --- a/app/controllers/traces_controller.rb +++ b/app/controllers/traces_controller.rb @@ -4,14 +4,15 @@ class TracesController < ApplicationController skip_before_action :verify_authenticity_token, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data] before_action :authorize_web before_action :set_locale - before_action :require_user, :only => [:mine, :new, :create, :edit, :delete] before_action :authorize, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data] + before_action :api_deny_access_handler, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data] + + authorize_resource + before_action :check_database_readable, :except => [:api_read, :api_data] before_action :check_database_writable, :only => [:new, :create, :edit, :delete, :api_create, :api_update, :api_delete] before_action :check_api_readable, :only => [:api_read, :api_data] before_action :check_api_writable, :only => [:api_create, :api_update, :api_delete] - before_action :require_allow_read_gpx, :only => [:api_read, :api_data] - before_action :require_allow_write_gpx, :only => [:api_create, :api_update, :api_delete] before_action :offline_warning, :only => [:mine, :show] before_action :offline_redirect, :only => [:new, :create, :edit, :delete, :data, :api_create, :api_delete, :api_data] around_action :api_call_handle_error, :only => [:api_create, :api_read, :api_update, :api_delete, :api_data] -- 2.43.2