Use cancancan to authorize user_preference_controller

author Chris Flipse <cflipse@gmail.com>

Sat, 9 Jun 2018 23:53:45 +0000 (19:53 -0400)

committer Chris Flipse <cflipse@gmail.com>

Sun, 17 Jun 2018 17:57:06 +0000 (13:57 -0400)
author Chris Flipse <cflipse@gmail.com>
Sat, 9 Jun 2018 23:53:45 +0000 (19:53 -0400)
committer Chris Flipse <cflipse@gmail.com>
Sun, 17 Jun 2018 17:57:06 +0000 (13:57 -0400)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb

index 54d5835bbc5868c87d5f1ffb10a2c4157a0dd651..b6a2467a4149d01bbfebe932d128f0331ed2c393 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -476,8 +476,8 @@ class ApplicationController < ActionController::Base
  
    def deny_access(exception)
      if current_user
-      raise "Access denied on #{exception.action} #{exception.subject.inspect}"
-      # ...
+      set_locale
+      report_error t("oauth.permissions.missing"), :forbidden
      else
        require_user
      end
diff --git a/app/controllers/user_preferences_controller.rb b/app/controllers/user_preferences_controller.rb

index 0aa2e8d523240c5f1eb3add8f6c978204bcab86f..915c847de4f221fc8a45662efa712d1ab79a5b3a 100644 (file)
--- a/app/controllers/user_preferences_controller.rb
+++ b/app/controllers/user_preferences_controller.rb
@@ -2,8 +2,9 @@
  class UserPreferencesController < ApplicationController
    skip_before_action :verify_authenticity_token
    before_action :authorize
-  before_action :require_allow_read_prefs, :only => [:read_one, :read]
-  before_action :require_allow_write_prefs, :except => [:read_one, :read]
+
+  authorize_resource
+
    around_action :api_call_handle_error
  
    ##
diff --git a/app/models/ability.rb b/app/models/ability.rb

index 59b1c5ec3e68ebda8edc6e1bddd68d13bfec82a6..6a61eeff30b75e16690133fddfad0de51e364866 100644 (file)
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -14,6 +14,9 @@ class Ability
  
        can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
  
+      can [:read, :read_one], UserPreference if has_capability?(token, :allow_read_prefs)
+      can [:update, :update_one, :delete_one], UserPreference if has_capability?(token, :allow_write_prefs)
+
        if user.administrator?
          can [:hide, :hidecomment], [DiaryEntry, DiaryComment]
        end
diff --git a/test/models/abilities_test.rb b/test/models/abilities_test.rb

index 6472ad2e3dbaa8e4479e43f896f44a7c0d04f8b6..bc8e24781ffa75a50281db6328e4f02c92851118 100644 (file)
--- a/test/models/abilities_test.rb
+++ b/test/models/abilities_test.rb
@@ -16,7 +16,6 @@ class AbilityTest < ActiveSupport::TestCase
      end
    end
  
-
    test "Diary permissions for a normal user" do
      ability = Ability.new(create(:user), [])
author	Chris Flipse <cflipse@gmail.com>
	Sat, 9 Jun 2018 23:53:45 +0000 (19:53 -0400)
committer	Chris Flipse <cflipse@gmail.com>
	Sun, 17 Jun 2018 17:57:06 +0000 (13:57 -0400)
app/controllers/application_controller.rb		patch \| blob \| history
app/controllers/user_preferences_controller.rb		patch \| blob \| history
app/models/ability.rb		patch \| blob \| history
test/models/abilities_test.rb		patch \| blob \| history