Use cancancan to authorize user_preference_controller

2018-06-09 19:53:45 -04:00 · 2018-06-09 19:53:45 -04:00 · 060c686c19
commit 060c686c19
parent ac7c45bca0
4 changed files with 8 additions and 5 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -476,8 +476,8 @@ class ApplicationController < ActionController::Base

  def deny_access(exception)
    if current_user
-      raise "Access denied on #{exception.action} #{exception.subject.inspect}"
-      # ...
+      set_locale
+      report_error t("oauth.permissions.missing"), :forbidden
    else
      require_user
    end
--- a/app/controllers/user_preferences_controller.rb
+++ b/app/controllers/user_preferences_controller.rb
@ -2,8 +2,9 @@
 class UserPreferencesController < ApplicationController
  skip_before_action :verify_authenticity_token
  before_action :authorize
-  before_action :require_allow_read_prefs, :only => [:read_one, :read]
-  before_action :require_allow_write_prefs, :except => [:read_one, :read]
+
+  authorize_resource
+
  around_action :api_call_handle_error

  ##
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -14,6 +14,9 @@ class Ability

      can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry

+      can [:read, :read_one], UserPreference if has_capability?(token, :allow_read_prefs)
+      can [:update, :update_one, :delete_one], UserPreference if has_capability?(token, :allow_write_prefs)
+
      if user.administrator?
        can [:hide, :hidecomment], [DiaryEntry, DiaryComment]
      end