X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/ad2e50fcfb7aab6cb6bbf5518920e4091be5b9a4..fadbee0af0fe633d3ebd7e338cc180d73b93c832:/app/controllers/api_controller.rb

diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 17c98fe8b..5faa39165 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -49,9 +49,9 @@ class ApiController < ApplicationController
     end
   end
 
-  def authorize(errormessage = "Couldn't authenticate you")
+  def authorize(errormessage: "Couldn't authenticate you", skip_terms: false)
     # make the current_user object from any auth sources we have
-    setup_user_auth
+    setup_user_auth(:skip_terms => skip_terms)
 
     # handle authenticate pass/fail
     unless current_user
@@ -65,9 +65,9 @@ class ApiController < ApplicationController
   def current_ability
     # Use capabilities from the oauth token if it exists and is a valid access token
     if doorkeeper_token&.accessible?
-      ApiAbility.new(nil).merge(ApiCapability.new(doorkeeper_token))
+      ApiAbility.new(doorkeeper_token)
     else
-      ApiAbility.new(current_user)
+      ApiAbility.new(nil)
     end
   end
 
@@ -92,7 +92,7 @@ class ApiController < ApplicationController
   # sets up the current_user for use by other methods. this is mostly called
   # from the authorize method, but can be called elsewhere if authorisation
   # is optional.
-  def setup_user_auth
+  def setup_user_auth(skip_terms: false)
     logger.info " setup_user_auth"
     # try and setup using OAuth
     self.current_user = User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token&.accessible?
@@ -113,7 +113,7 @@ class ApiController < ApplicationController
       # if the user hasn't seen the contributor terms then don't
       # allow editing - they have to go to the web site and see
       # (but can decline) the CTs to continue.
-      if !current_user.terms_seen && flash[:skip_terms].nil?
+      if !current_user.terms_seen && !skip_terms
         set_locale
         report_error t("application.setup_user_auth.need_to_see_terms"), :forbidden
       end
@@ -170,4 +170,10 @@ class ApiController < ApplicationController
 
     raise OSM::APIRateLimitExceeded if new_changes > max_changes
   end
+
+  def scope_enabled?(scope)
+    doorkeeper_token&.includes_scope?(scope)
+  end
+
+  helper_method :scope_enabled?
 end