Add cancancan and the first ability definitions for site_controller

Gemfile

@@ -54,6 +54,7 @@ gem "rails-i18n", "~> 4.0.0"
 gem "record_tag_helper"
 gem "rinku", ">= 1.2.2", :require => "rails_rinku"
 gem "validates_email_format_of", ">= 1.5.1"
+gem "cancancan"
 
 # Native OSM extensions
 gem "quad_tile", "~> 1.0.1"

Gemfile.lock

@@ -59,6 +59,7 @@ GEM
     binding_of_caller (0.8.0)
       debug_inspector (>= 0.0.1)
     builder (3.2.3)
+    cancancan (2.1.3)
     canonical-rails (0.2.3)
       rails (>= 4.1, < 5.3)
     capybara (2.18.0)
@@ -369,6 +370,7 @@ DEPENDENCIES
   better_errors
   bigdecimal (~> 1.1.0)
   binding_of_caller
+  cancancan
   canonical-rails
   capybara (~> 2.13)
   coffee-rails (~> 4.2)

app/controllers/application_controller.rb

@@ -1,5 +1,6 @@
 class ApplicationController < ActionController::Base
   include SessionPersistence
+  check_authorization
 
   protect_from_forgery :with => :exception
 
@@ -467,6 +468,11 @@ class ApplicationController < ActionController::Base
     raise
   end
 
+  rescue_from CanCan::AccessDenied do |exception|
+    raise "Access denied on #{exception.action} #{exception.subject.inspect}"
+    # ...
+  end
+
   private
 
   # extract authorisation credentials from headers, returns user = nil if none

app/controllers/site_controller.rb

@@ -6,10 +6,11 @@ class SiteController < ApplicationController
   before_action :set_locale
   before_action :redirect_browse_params, :only => :index
   before_action :redirect_map_params, :only => [:index, :edit, :export]
-  before_action :require_user, :only => [:welcome]
   before_action :require_oauth, :only => [:index]
   before_action :update_totp, :only => [:index]
 
+  authorize_resource :class => false
+
   def index
     session[:location] ||= OSM.ip_location(request.env["REMOTE_ADDR"]) unless STATUS == :database_readonly || STATUS == :database_offline
   end

app/controllers/user_controller.rb

@@ -1,6 +1,8 @@
 class UserController < ApplicationController
   layout "site", :except => [:api_details]
 
+  skip_authorization_check :only => [:login, :logout]
+
   skip_before_action :verify_authenticity_token, :only => [:api_read, :api_details, :api_gpx_files, :auth_success]
   before_action :disable_terms_redirect, :only => [:terms, :save, :logout, :api_details]
   before_action :authorize, :only => [:api_details, :api_gpx_files]

app/models/ability.rb

@@ -0,0 +1,37 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    can :index, :site
+
+    if user
+      can :welcome, :site
+    end
+    # Define abilities for the passed in user here. For example:
+    #
+    #   user ||= User.new # guest user (not logged in)
+    #   if user.admin?
+    #     can :manage, :all
+    #   else
+    #     can :read, :all
+    #   end
+    #
+    # The first argument to `can` is the action you are giving the user
+    # permission to do.
+    # If you pass :manage it will apply to every action. Other common actions
+    # here are :read, :create, :update and :destroy.
+    #
+    # The second argument is the resource the user can perform the action on.
+    # If you pass :all it will apply to every resource. Otherwise pass a Ruby
+    # class of the resource.
+    #
+    # The third argument is an optional hash of conditions to further filter the
+    # objects.
+    # For example, here the user can only update published articles.
+    #
+    #   can :update, Article, :published => true
+    #
+    # See the wiki for details:
+    # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
+  end
+end