Use CanCanCan for notes authorization

2018-11-28 15:33:43 +01:00 · 2018-11-28 15:33:43 +01:00 · ea766ec57d
commit ea766ec57d
parent aaf5600342
6 changed files with 83 additions and 6 deletions
--- a/app/abilities/ability.rb
+++ b/app/abilities/ability.rb
@ -9,6 +9,7 @@ class Ability
    can [:index, :rss, :show, :comments], DiaryEntry
    can [:search, :search_latlon, :search_ca_postcode, :search_osm_nominatim,
         :search_geonames, :search_osm_nominatim_reverse, :search_geonames_reverse], :geocoder
+    can [:index, :create, :comment, :feed, :show, :search, :mine], Note
    can [:index, :show], Redaction
    can [:index, :show, :blocks_on, :blocks_by], UserBlock

@ -16,6 +17,7 @@ class Ability
      can :welcome, :site
      can :create, ChangesetComment
      can [:create, :edit, :comment, :subscribe, :unsubscribe], DiaryEntry
+      can [:close, :reopen], Note
      can [:new, :create], Report
      can [:read, :read_one, :update, :update_one, :delete_one], UserPreference

@ -23,6 +25,7 @@ class Ability
        can [:destroy, :restore], ChangesetComment
        can [:index, :show, :resolve, :ignore, :reopen], Issue
        can :create, IssueComment
+        can :destroy, Note
        can [:new, :create, :edit, :update, :destroy], Redaction
        can [:new, :edit, :create, :update, :revoke], UserBlock
      end
--- a/app/abilities/capability.rb
+++ b/app/abilities/capability.rb
@ -5,11 +5,13 @@ class Capability

  def initialize(token)
    can :create, ChangesetComment if capability?(token, :allow_write_api)
+    can [:create, :comment, :close, :reopen], Note if capability?(token, :allow_write_notes)
    can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs)
    can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs)

    if token&.user&.moderator?
      can [:destroy, :restore], ChangesetComment if capability?(token, :allow_write_api)
+      can :destroy, Note if capability?(token, :allow_write_notes)
    end
  end

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -118,10 +118,6 @@ class ApplicationController < ActionController::Base
    require_capability(:allow_write_gpx)
  end

-  def require_allow_write_notes
-    require_capability(:allow_write_notes)
-  end
-
  ##
  # require that the user is a moderator, or fill out a helpful error message
  # and return them to the index for the controller this is wrapped from.
--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@ -6,9 +6,11 @@ class NotesController < ApplicationController
  before_action :authorize_web, :only => [:mine]
  before_action :setup_user_auth, :only => [:create, :comment, :show]
  before_action :authorize, :only => [:close, :reopen, :destroy]
-  before_action :require_moderator, :only => [:destroy]
+  before_action :api_deny_access_handler, :except => [:mine]
+
+  authorize_resource
+
  before_action :check_api_writable, :only => [:create, :comment, :close, :reopen, :destroy]
-  before_action :require_allow_write_notes, :only => [:create, :comment, :close, :reopen, :destroy]
  before_action :set_locale
  around_action :api_call_handle_error, :api_call_timeout