X-Git-Url: https://git.openstreetmap.org./rails.git/blobdiff_plain/dbbbd62ef1982e905ceb23f1278e9b4bfdb49d5b..57d4b3d8ce7ac4b0daabc7ec1815b6e46e7ceae0:/app/abilities/api_capability.rb diff --git a/app/abilities/api_capability.rb b/app/abilities/api_capability.rb index 9f59b1f24..95d7ab9ab 100644 --- a/app/abilities/api_capability.rb +++ b/app/abilities/api_capability.rb @@ -5,29 +5,37 @@ class ApiCapability def initialize(token) if Settings.status != "database_offline" - can [:create, :comment, :close, :reopen], Note if capability?(token, :allow_write_notes) - can [:api_read, :api_data], Trace if capability?(token, :allow_read_gpx) - can [:api_create, :api_update, :api_delete], Trace if capability?(token, :allow_write_gpx) - can [:api_details], User if capability?(token, :allow_read_prefs) - can [:api_gpx_files], User if capability?(token, :allow_read_gpx) - can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs) - can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs) + user = if token.respond_to?(:resource_owner_id) + User.find(token.resource_owner_id) + elsif token.respond_to?(:user) + token.user + end - if token&.user&.terms_agreed? - can [:create, :update, :upload, :close, :subscribe, :unsubscribe, :expand_bbox], Changeset if capability?(token, :allow_write_api) - can :create, ChangesetComment if capability?(token, :allow_write_api) - can [:create, :update, :delete], Node if capability?(token, :allow_write_api) - can [:create, :update, :delete], Way if capability?(token, :allow_write_api) - can [:create, :update, :delete], Relation if capability?(token, :allow_write_api) - end + if user&.active? + can [:create, :comment, :close, :reopen], Note if scope?(token, :write_notes) + can [:show, :data], Trace if scope?(token, :read_gpx) + can [:create, :update, :destroy], Trace if scope?(token, :write_gpx) + can [:details], User if scope?(token, :read_prefs) + can [:gpx_files], User if scope?(token, :read_gpx) + can [:index, :show], UserPreference if scope?(token, :read_prefs) + can [:update, :update_all, :destroy], UserPreference if scope?(token, :write_prefs) + + if user.terms_agreed? + can [:create, :update, :upload, :close, :subscribe, :unsubscribe], Changeset if scope?(token, :write_api) + can :create, ChangesetComment if scope?(token, :write_api) + can [:create, :update, :delete], Node if scope?(token, :write_api) + can [:create, :update, :delete], Way if scope?(token, :write_api) + can [:create, :update, :delete], Relation if scope?(token, :write_api) + end - if token&.user&.moderator? - can [:destroy, :restore], ChangesetComment if capability?(token, :allow_write_api) - can :destroy, Note if capability?(token, :allow_write_notes) - if token&.user&.terms_agreed? - can :redact, OldNode if capability?(token, :allow_write_api) - can :redact, OldWay if capability?(token, :allow_write_api) - can :redact, OldRelation if capability?(token, :allow_write_api) + if user.moderator? + can [:destroy, :restore], ChangesetComment if scope?(token, :write_api) + can :destroy, Note if scope?(token, :write_notes) + if user&.terms_agreed? + can :redact, OldNode if scope?(token, :write_api) || scope?(token, :write_redactions) + can :redact, OldWay if scope?(token, :write_api) || scope?(token, :write_redactions) + can :redact, OldRelation if scope?(token, :write_api) || scope?(token, :write_redactions) + end end end end @@ -35,7 +43,7 @@ class ApiCapability private - def capability?(token, cap) - token&.read_attribute(cap) + def scope?(token, scope) + token&.includes_scope?(scope) end end