From 60ecfde65c0da38a62fba10a775f359eceba6fb5 Mon Sep 17 00:00:00 2001
From: Andy Allan <git@gravitystorm.co.uk>
Date: Wed, 23 Oct 2019 10:52:12 +0200
Subject: [PATCH] Convert various administator? tests to use cancancan
 permissions checks

---
 app/controllers/diary_entries_controller.rb |  6 +--
 app/views/layouts/_header.html.erb          |  2 +-
 app/views/users/show.html.erb               | 46 +++++++++++----------
 3 files changed, 29 insertions(+), 25 deletions(-)

diff --git a/app/controllers/diary_entries_controller.rb b/app/controllers/diary_entries_controller.rb
index ba2a2976e..5f53e81b6 100644
--- a/app/controllers/diary_entries_controller.rb
+++ b/app/controllers/diary_entries_controller.rb
@@ -158,7 +158,7 @@ class DiaryEntriesController < ApplicationController
     @page = (params[:page] || 1).to_i
     @page_size = 20
 
-    @entries = @entries.visible unless current_user&.administrator?
+    @entries = @entries.visible unless can? :unhide, DiaryEntry
     @entries = @entries.order("created_at DESC")
     @entries = @entries.offset((@page - 1) * @page_size)
     @entries = @entries.limit(@page_size)
@@ -203,7 +203,7 @@ class DiaryEntriesController < ApplicationController
     @entry = @user.diary_entries.visible.where(:id => params[:id]).first
     if @entry
       @title = t "diary_entries.show.title", :user => params[:display_name], :title => @entry.title
-      @comments = current_user&.administrator? ? @entry.comments : @entry.visible_comments
+      @comments = can?(:unhidecomment, DiaryEntry) ? @entry.comments : @entry.visible_comments
     else
       @title = t "diary_entries.no_such_entry.title", :id => params[:id]
       render :action => "no_such_entry", :status => :not_found
@@ -237,7 +237,7 @@ class DiaryEntriesController < ApplicationController
   def comments
     conditions = { :user_id => @user }
 
-    conditions[:visible] = true unless current_user&.administrator?
+    conditions[:visible] = true unless can? :unhidecomment, DiaryEntry
 
     @comment_pages, @comments = paginate(:diary_comments,
                                          :conditions => conditions,
diff --git a/app/views/layouts/_header.html.erb b/app/views/layouts/_header.html.erb
index 725000a13..c95cc4a75 100644
--- a/app/views/layouts/_header.html.erb
+++ b/app/views/layouts/_header.html.erb
@@ -40,7 +40,7 @@
   </nav>
   <nav class='secondary'>
     <ul>
-      <% if current_user and ( current_user.administrator? or current_user.moderator? ) %>
+      <% if can? :index, Issue %>
         <li class="compact-hide <%= current_page_class(issues_path) %>">
           <%= link_to issues_path(:status => "open") do %>
             <%= t("layouts.issues") %>
diff --git a/app/views/users/show.html.erb b/app/views/users/show.html.erb
index aee000a97..51dcb4f92 100644
--- a/app/views/users/show.html.erb
+++ b/app/views/users/show.html.erb
@@ -111,34 +111,38 @@
 
       <% end %>
 
-      <% if current_user and current_user.administrator? %>
+      <% if can?(:set_status, User) || can?(:delete, User) %>
 
         <ul class='secondary-actions clearfix'>
-          <% if ["active", "confirmed"].include? @user.status %>
-            <li>
-              <%= link_to t(".deactivate_user"), set_status_user_path(:status => "pending", :display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
-            </li>
-          <% elsif ["pending"].include? @user.status %>
-            <li>
-              <%= link_to t(".activate_user"), set_status_user_path(:status => "active", :display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
-            </li>
-          <% end %>
+          <% if can? :set_status, User %>
+            <% if ["active", "confirmed"].include? @user.status %>
+              <li>
+                <%= link_to t(".deactivate_user"), set_status_user_path(:status => "pending", :display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
+              </li>
+            <% elsif ["pending"].include? @user.status %>
+              <li>
+                <%= link_to t(".activate_user"), set_status_user_path(:status => "active", :display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
+              </li>
+            <% end %>
 
-          <% if ["active", "suspended"].include? @user.status %>
-            <li>
-              <%= link_to t(".confirm_user"), set_status_user_path(:status => "confirmed", :display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
-            </li>
+            <% if ["active", "suspended"].include? @user.status %>
+              <li>
+                <%= link_to t(".confirm_user"), set_status_user_path(:status => "confirmed", :display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
+              </li>
+            <% end %>
+              <li>
+                <% if ["pending", "active", "confirmed", "suspended"].include? @user.status %>
+                  <%= link_to t(".hide_user"), set_status_user_path(:status => "deleted", :display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
+              <% else %>
+                <%= link_to t(".unhide_user"), set_status_user_path(:status => "active", :display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
+              </li>
+            <% end %>
           <% end %>
+          <% if can? :delete, User %>
             <li>
-              <% if ["pending", "active", "confirmed", "suspended"].include? @user.status %>
-                <%= link_to t(".hide_user"), set_status_user_path(:status => "deleted", :display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
-            <% else %>
-              <%= link_to t(".unhide_user"), set_status_user_path(:status => "active", :display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
+              <%= link_to t(".delete_user"), delete_user_path(:display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
             </li>
           <% end %>
-          <li>
-            <%= link_to t(".delete_user"), delete_user_path(:display_name => @user.display_name), :data => { :confirm => t(".confirm") } %>
-          </li>
         </ul>
 
         <% end %>
-- 
2.43.2