From 464c7f863e8413f67b22999fd1c629969731c309 Mon Sep 17 00:00:00 2001
From: Chris Flipse
Date: Sun, 10 Jun 2018 13:06:10 -0400
Subject: [PATCH] Update capabilities check to actually reflect the existing logic

The OAuth capabilities are essentially user permissions that have been granted to the app. If the user authenticates through a non-oauth method, they are assumed to have granted all capabilities to the app
---
 app/models/ability.rb | 4 +++-
 test/models/abilities_test.rb | 8 ++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6a61eeff3..8fc15ded5 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -49,7 +49,9 @@ class Ability
     # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
   end
 
+  # If a user provides no tokens, they've authenticated via a non-oauth method
+  # and permission to access to all capabilities is assumed.
   def has_capability?(token, cap)
-    token && token.read_attribute(cap)
+    token.nil? || token.read_attribute(cap)
   end
 end
diff --git a/test/models/abilities_test.rb b/test/models/abilities_test.rb
index 4976b0925..de9f9ba9b 100644
--- a/test/models/abilities_test.rb
+++ b/test/models/abilities_test.rb
@@ -47,6 +47,14 @@ class UserAbilityTest < AbilityTest
   test "user preferences" do
     user = create(:user)
+
+    # a user with no tokens
+    ability = Ability.new create(:user), nil
+    [:read, :read_one, :update, :update_one, :delete_one].each do |act|
+      assert ability.can? act, UserPreference
+    end
+
+    # A user with empty tokens
     ability = Ability.new create(:user), tokens
     [:read, :read_one, :update, :update_one, :delete_one].each do |act|
-- 
2.39.5
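Review bot: The new `has_capability?` is fail-open on `nil`: the removed line denied when no token was present, while `token.nil? || token.read_attribute(cap)` now grants every capability, so any caller that ends up at `Ability.new(user, nil)` because an OAuth token lookup came back empty (unknown, revoked or expired token) would be escalated to full access instead of refused. The commit message makes "nil means non-OAuth" the intended convention, so the thing to pin down is that the OAuth authentication path can never hand `nil` into this check — it should reject the request when its lookup fails, before the Ability is built — and the added comment should state that contract, e.g. `# nil must only ever mean "authenticated without OAuth"; a failed token lookup has to be rejected by the caller, never passed in as nil.` The test hunk in test/models/abilities_test.rb asserts the grant for the nil case but nothing in this patch pins the denial path (a present token whose `cap` attribute is false), which is the assertion that would catch a future regression of this branch; its last context lines appear to be cut off in this copy, so there may be more below what is shown.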