From 0888f43d7b5a5e23874ff1a291049b90481d1273 Mon Sep 17 00:00:00 2001 From: Andy Allan Date: Wed, 24 Oct 2018 16:48:54 +0200 Subject: [PATCH] Check the oauth token and then use the capabilities directly --- app/controllers/application_controller.rb | 11 ++++++----- app/models/capability.rb | 8 +++----- test/models/capability_test.rb | 10 ++++------ 3 files changed, 13 insertions(+), 16 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 690bdf5ca..20fcc5f47 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -469,11 +469,12 @@ class ApplicationController < ActionController::Base end def current_ability - Ability.new(current_user).merge(granted_capability) - end - - def granted_capability - Capability.new(current_user, current_token) + # Add in capabilities from the oauth token if it exists and is a valid access token + if Authenticator.new(self, [:token]).allow? + Ability.new(current_user).merge(Capability.new(current_token)) + else + Ability.new(current_user) + end end def deny_access(_exception) diff --git a/app/models/capability.rb b/app/models/capability.rb index 72c5545cb..2a5c92774 100644 --- a/app/models/capability.rb +++ b/app/models/capability.rb @@ -3,11 +3,9 @@ class Capability include CanCan::Ability - def initialize(user, token) - if user - can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs) - can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs) - end + def initialize(token) + can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs) + can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs) end private diff --git a/test/models/capability_test.rb b/test/models/capability_test.rb index d08d182c2..a25c67043 100644 --- a/test/models/capability_test.rb +++ b/test/models/capability_test.rb @@ -14,22 +14,20 @@ end class UserCapabilityTest < CapabilityTest test "user preferences" do - user = create(:user) - # a user with no tokens - capability = Capability.new create(:user), nil + capability = Capability.new nil [:read, :read_one, :update, :update_one, :delete_one].each do |act| assert capability.cannot? act, UserPreference end # A user with empty tokens - capability = Capability.new create(:user), tokens + capability = Capability.new tokens [:read, :read_one, :update, :update_one, :delete_one].each do |act| assert capability.cannot? act, UserPreference end - capability = Capability.new user, tokens(:allow_read_prefs) + capability = Capability.new tokens(:allow_read_prefs) [:update, :update_one, :delete_one].each do |act| assert capability.cannot? act, UserPreference @@ -39,7 +37,7 @@ class UserCapabilityTest < CapabilityTest assert capability.can? act, UserPreference end - capability = Capability.new user, tokens(:allow_write_prefs) + capability = Capability.new tokens(:allow_write_prefs) [:read, :read_one].each do |act| assert capability.cannot? act, UserPreference end -- 2.39.5