use token in ability checks

app/controllers/application_controller.rb

@@ -473,6 +473,10 @@ class ApplicationController < ActionController::Base
     # ...
   end
 
+  def current_ability
+    @current_ability ||= Ability.new(current_user, current_token)
+  end
+
   private
 
   # extract authorisation credentials from headers, returns user = nil if none

app/models/ability.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 class Ability
   include CanCan::Ability
 
-  def initialize(user)
+  def initialize(user, token)
     can :index, :site
     can [:permalink, :edit, :help, :fixthemap, :offline, :export, :about, :preview, :copyright, :key, :id, :welcome], :site
 
@@ -35,4 +37,8 @@ class Ability
     # See the wiki for details:
     # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
   end
+
+  def has_capability?(token, cap)
+    token && token.read_attribute(cap)
+  end
 end

test/models/abilities_test.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+class AbilityTest < ActiveSupport::TestCase
+
+end