X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/2d358c9df2752669b591678acfd804745527f09a..12920987f560a074381d4c8bae2c756db16647d8:/app/abilities/api_ability.rb
diff --git a/app/abilities/api_ability.rb b/app/abilities/api_ability.rb
index 0eae46f82..a0340c5cd 100644
--- a/app/abilities/api_ability.rb
+++ b/app/abilities/api_ability.rb
@@ -3,48 +3,45 @@ class ApiAbility include CanCan::Ability - def initialize(user) - can :show, :capability - can :index, :map - can :show, :permission - can :show, :version + def initialize(user, scopes) + can :read, [:version, :capability, :permission, :map] if Settings.status != "database_offline" - can [:show, :download, :query], Changeset - can [:index, :create, :feed, :show, :search], Note - can :index, Tracepoint - can [:index, :show], User - can [:index, :show], Node - can [:index, :show, :full, :ways_for_node], Way - can [:index, :show, :full, :relations_for_node, :relations_for_way, :relations_for_relation], Relation - can [:history, :version], OldNode - can [:history, :version], OldWay - can [:history, :version], OldRelation - can [:show], UserBlock + can [:read, :feed, :search], Note + can :create, Note unless user + + can [:read, :download], Changeset + can :read, Tracepoint + can :read, User + can :read, [Node, Way, Relation, OldNode, OldWay, OldRelation] + can :read, UserBlock if user&.active? - can [:comment, :close, :reopen], Note - can [:create, :show, :update, :destroy, :data], Trace - can [:details, :gpx_files], User - can [:index, :show, :update, :update_all, :destroy], UserPreference + can [:create, :comment, :close, :reopen], Note if scopes.include?("write_notes") + can [:create, :destroy], NoteSubscription if scopes.include?("write_notes") + + can :read, Trace if scopes.include?("read_gpx") + can [:create, :update, :destroy], Trace if scopes.include?("write_gpx") + + can :details, User if scopes.include?("read_prefs") + can :read, UserPreference if scopes.include?("read_prefs") + can [:update, :update_all, :destroy], UserPreference if scopes.include?("write_prefs") + + can [:read, :update, :destroy], Message if scopes.include?("consume_messages") + can :create, Message if scopes.include?("send_messages") if user.terms_agreed? 
- can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset - can :create, ChangesetComment - can [:create, :update, :delete], Node - can [:create, :update, :delete], Way - can [:create, :update, :delete], Relation + can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset if scopes.include?("write_map") + can :create, ChangesetComment if scopes.include?("write_changeset_comments") + can [:create, :update, :destroy], [Node, Way, Relation] if scopes.include?("write_map") end if user.moderator? - can [:destroy, :restore], ChangesetComment - can :destroy, Note + can [:destroy, :restore], ChangesetComment if scopes.include?("write_changeset_comments") + + can :destroy, Note if scopes.include?("write_notes") - if user.terms_agreed? - can :redact, OldNode - can :redact, OldWay - can :redact, OldRelation - end + can :redact, [OldNode, OldWay, OldRelation] if user&.terms_agreed? && scopes.include?("write_redactions") end end end
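Review bot: `scopes` is dereferenced with `scopes.include?(...)` on every grant inside the `if user&.active?` branch, but nothing in `initialize` guards or documents what callers must pass, so a `nil` for an authenticated user would raise NoMethodError instead of simply granting nothing. The callers are not visible here; if any of them can pass `nil`, normalising once at the top with `scopes = Array(scopes)` keeps the class fail-closed without an exception. A short comment above `initialize` stating that `scopes` is the list of scope names granted to the current token (empty when there is none) would also make the scope-to-ability mapping easier to audit. Separately, the redaction line uses `user&.terms_agreed?` inside `if user.moderator?`, where `user` is already known to be non-nil; plain `user.terms_agreed?` would match the `if user.terms_agreed?` block above it. The body of `initialize` appears to close outside this hunk.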