X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/d8a2794c2c0be24cf78945cdbf4af57c4468499c..16bdcac6d7a91250bd29b3fbbcc6f1d92531b2d0:/app/abilities/api_ability.rb
diff --git a/app/abilities/api_ability.rb b/app/abilities/api_ability.rb
index 96ed9b080..3fe180eeb 100644
--- a/app/abilities/api_ability.rb
+++ b/app/abilities/api_ability.rb
@@ -3,40 +3,52 @@ class ApiAbility
 include CanCan::Ability
- def initialize(user)
- can :show, :capability
- can :index, :map
- can :show, :permission
- can :show, :version
+ def initialize(token)
+ can :read, [:version, :capability, :permission, :map] if Settings.status != "database_offline"
- can [:index, :show, :download], Changeset
- can [:index, :create, :feed, :show, :search], Note
- can :index, Tracepoint
- can [:index, :show], User
- can [:index, :show], Node
- can [:index, :show, :full, :ways_for_node], Way
- can [:index, :show, :full, :relations_for_node, :relations_for_way, :relations_for_relation], Relation
- can [:history, :show], [OldNode, OldWay, OldRelation]
- can [:show], UserBlock
+ user = User.find(token.resource_owner_id) if token
+
+ can [:read, :feed, :search], Note
+ can :create, Note unless token
+
+ can [:read, :download], Changeset
+ can :read, Tracepoint
+ can :read, User
+ can :read, Node
+ can [:read, :full, :ways_for_node], Way
+ can [:read, :full, :relations_for_node, :relations_for_way, :relations_for_relation], Relation
+ can [:history, :read], [OldNode, OldWay, OldRelation]
+ can :read, UserBlock
 if user&.active?
- can [:comment, :close, :reopen], Note
- can [:create, :show, :update, :destroy, :data], Trace
- can [:details, :gpx_files], User
- can [:index, :show, :update, :update_all, :destroy], UserPreference
+ can [:create, :comment, :close, :reopen], Note if scope?(token, :write_notes)
+ can [:create, :destroy], NoteSubscription if scope?(token, :write_notes)
+
+ can :read, Trace if scope?(token, :read_gpx)
+ can [:create, :update, :destroy], Trace if scope?(token, :write_gpx)
+
+ can :details, User if scope?(token, :read_prefs)
+ can :gpx_files, User if scope?(token, :read_gpx)
+
+ can :read, UserPreference if scope?(token, :read_prefs)
+ can [:update, :update_all, :destroy], UserPreference if scope?(token, :write_prefs)
+
+ can [:read, :update, :destroy], Message if scope?(token, :consume_messages)
+ can :create, Message if scope?(token, :send_messages)
 if user.terms_agreed?
- can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset
- can :create, ChangesetComment
- can [:create, :update, :delete], [Node, Way, Relation]
+ can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset if scope?(token, :write_api)
+ can :create, ChangesetComment if scope?(token, :write_api)
+ can [:create, :update, :delete], [Node, Way, Relation] if scope?(token, :write_api)
 end
 if user.moderator?
- can [:destroy, :restore], ChangesetComment
- can :destroy, Note
+ can [:destroy, :restore], ChangesetComment if scope?(token, :write_api)
+
+ can :destroy, Note if scope?(token, :write_notes)
- can :redact, [OldNode, OldWay, OldRelation] if user.terms_agreed?
+ can :redact, [OldNode, OldWay, OldRelation] if user&.terms_agreed? && scope?(token, :write_redactions)
 end
 end
 end
@@ -68,4 +80,10 @@ class ApiAbility
 # See the wiki for details:
 # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
 end
+
+ private
+
+ def scope?(token, scope)
+ token&.includes_scope?(scope)
+ end
 end
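Review bot: `user = User.find(token.resource_owner_id) if token` raises ActiveRecord::RecordNotFound while the ability is still being built whenever a token's resource owner no longer exists (and, if ownerless client-credential tokens can reach this path at all, when resource_owner_id is nil), so such requests end with whatever the controller makes of that exception rather than with a deliberate authorisation decision; if the intent is to fail closed to public-read access, `user = User.find_by(:id => token.resource_owner_id) if token` does that, since the `if user&.active?` block already tolerates a nil user and `can :create, Note unless token` stays withheld when a token is present. Inside the `if user&.active?` block user is known to be non-nil, so `user&.terms_agreed?` on the redact line is inconsistent with the adjacent `if user.terms_agreed?` and `if user.moderator?` and suggests a nil case that cannot occur there; `user.terms_agreed?` would match the surrounding lines. The body of initialize continues past this hunk; its closing lines appear to fall in the second hunk.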
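Review bot: `scope?` is the single gate for every write grant in initialize yet carries no comment; a line such as `# True when the request's token grants +scope+; tokenless (anonymous) requests never satisfy a scope check.` above `def scope?(token, scope)` would make the anonymous case explicit for the next reader. It also returns nil rather than false when token is absent, which the modifier-`if` callers tolerate but which does not match the predicate naming convention; `token.present? && token.includes_scope?(scope)` would give a strict boolean if that matters to future callers.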