+ def current_ability
+ # Add in capabilities from the oauth token if it exists and is a valid access token
+ if Authenticator.new(self, [:token]).allow?
+ Ability.new(current_user).merge(Capability.new(current_token))
+ else
+ Ability.new(current_user)
+ end
+ end
+
+ def deny_access(exception)
+ if @api_deny_access_handling
+ api_deny_access(exception)
+ else
+ web_deny_access(exception)
+ end
+ end
+
+ def web_deny_access(_exception)
+ if current_token
+ set_locale
+ report_error t("oauth.permissions.missing"), :forbidden
+ elsif current_user
+ set_locale
+ respond_to do |format|
+ format.html { redirect_to :controller => "errors", :action => "forbidden" }
+ format.any { report_error t("application.permission_denied"), :forbidden }
+ end
+ elsif request.get?
+ respond_to do |format|
+ format.html { redirect_to :controller => "users", :action => "login", :referer => request.fullpath }
+ format.any { head :forbidden }
+ end
+ else
+ head :forbidden
+ end
+ end
+
+ def api_deny_access(_exception)
+ if current_token
+ set_locale
+ report_error t("oauth.permissions.missing"), :forbidden
+ elsif current_user
+ head :forbidden
+ else
+ realm = "Web Password"
+ errormessage = "Couldn't authenticate you"
+ response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
+ render :plain => errormessage, :status => :unauthorized
+ end
+ end
+
+ attr_accessor :api_access_handling
+
+ def api_deny_access_handler
+ @api_deny_access_handling = true