From: Chris Flipse
Date: Sat, 9 Jun 2018 23:53:45 +0000 (-0400)
Subject: Use cancancan to authorize user_preference_controller
X-Git-Tag: live~3397^2~15^2~5
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/060c686c1923534d2899ee129cc740e0f2fa7c9f
Use cancancan to authorize user_preference_controller
---
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 54d5835bb..b6a2467a4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -476,8 +476,8 @@ class ApplicationController < ActionController::Base
 def deny_access(exception)
 if current_user
- raise "Access denied on #{exception.action} #{exception.subject.inspect}"
- # ...
+ set_locale
+ report_error t("oauth.permissions.missing"), :forbidden
 else
 require_user
 end
diff --git a/app/controllers/user_preferences_controller.rb b/app/controllers/user_preferences_controller.rb
index 0aa2e8d52..915c847de 100644
--- a/app/controllers/user_preferences_controller.rb
+++ b/app/controllers/user_preferences_controller.rb
@@ -2,8 +2,9 @@ class UserPreferencesController < ApplicationController
 skip_before_action :verify_authenticity_token
 before_action :authorize
- before_action :require_allow_read_prefs, :only => [:read_one, :read]
- before_action :require_allow_write_prefs, :except => [:read_one, :read]
+
+ authorize_resource
+
 around_action :api_call_handle_error
 ##
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 59b1c5ec3..6a61eeff3 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -14,6 +14,9 @@ class Ability
 can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
+ can [:read, :read_one], UserPreference if has_capability?(token, :allow_read_prefs)
+ can [:update, :update_one, :delete_one], UserPreference if has_capability?(token, :allow_write_prefs)
+
 if user.administrator?
 can [:hide, :hidecomment], [DiaryEntry, DiaryComment]
 end
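Review bot: `report_error t("oauth.permissions.missing"), :forbidden` now answers every `CanCan::AccessDenied` raised for a signed-in user, not only OAuth API calls, so a browser-session user denied an ability such as the admin-only diary `hide` (granted in this commit's ability.rb hunk) would get an OAuth-worded API error instead of a normal page — assuming, as the `deny_access` name and the `require_user` branch suggest, this is the global `rescue_from CanCan::AccessDenied` handler. Consider branching on whether the request carries an OAuth token (or on `request.format`) before falling back to a web-style forbidden response. The removed `raise` also put `exception.action` and `exception.subject.inspect` into the log; that detail is worth keeping as a denial audit line, e.g. `logger.info "Access denied on #{exception.action} #{exception.subject.inspect} for user #{current_user.id}"` immediately before `report_error`. The method's closing `end` lies outside the hunk.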
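Review bot: `authorize_resource` is undocumented here, and it changes the failure model from "every action except read/read_one needs write prefs" to "every action must be explicitly granted in `Ability`"; a short comment above it would keep that contract visible, e.g. `# Every action is checked against the UserPreference rules in Ability (built from the OAuth token's allow_read_prefs / allow_write_prefs capabilities); actions not listed there are denied.` Declaration order also matters: `before_action :authorize` must stay above `authorize_resource` because the ability is presumably built from the token that `authorize` resolves, which is worth stating in the same comment. Since no `load_resource` is used, cancancan should authorize against the `UserPreference` class inferred from the controller name rather than a loaded record, which matches the class-level `can` rules in the ability.rb hunk.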
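Review bot: The two new `can` rules are gated only on `has_capability?(token, …)`, and the hunk does not show what that helper returns when `token` is nil (a browser-session request); if it returns true for a missing token the preference actions are open to any logged-in session, which is presumably the intended parity with the removed `require_allow_*_prefs` filters but should be confirmed and covered in abilities_test.rb for both a nil token and a token lacking the capability. Note also that cancancan aliases `:read` to `:index` and `:show`, so `can [:read, :read_one]` grants slightly more than the controller's `read` action; harmless while `UserPreferencesController` has no index/show actions, but a one-line comment above the rules would make the capability-to-action mapping explicit: `# OAuth token capabilities gate the user preference API actions (see UserPreferencesController).` The block these rules sit in starts before the hunk.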
diff --git a/test/models/abilities_test.rb b/test/models/abilities_test.rb
index 6472ad2e3..bc8e24781 100644
--- a/test/models/abilities_test.rb
+++ b/test/models/abilities_test.rb
@@ -16,7 +16,6 @@ class AbilityTest < ActiveSupport::TestCase
 end
 end
- test "Diary permissions for a normal user" do ability = Ability.new(create(:user), [])