The logic about missing tokens implying logged in users (and that all logged in users have access to any method protected by a token capability) is correct. However, I believe it is both confusing and brittle, and leaves a security-related door ajar for future foot-gun incidents. Instead, apply Abilities as normal, and keep the Capabilities involvement only for situations where a token is provided. This reduces the cognitive burden when considering Abilities in isolation.
18 lines
404 B
Ruby
```ruby
# frozen_string_literal: true

# Token-scoped rules only. User-level rules live in Ability; this class
# grants nothing unless a token is present and carries the matching flag.
class Capability
  include CanCan::Ability

  def initialize(user, token)
    if user
      can [:read, :read_one], UserPreference if capability?(token, :allow_read_prefs)
      can [:update, :update_one, :delete_one], UserPreference if capability?(token, :allow_write_prefs)
    end
  end

  private

  # Returns the token's flag for `cap`, or nil when no token was supplied,
  # so a missing token never grants a capability.
  def capability?(token, cap)
    token&.read_attribute(cap)
  end
end
```
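The split argued for in the description above, as an added, dependency-free example (not the project's code and not using CanCan): an `Ability` that applies to every logged-in user, a `Capability` that is consulted only when a token is present, and a combining `authorized?` check. `Token`, `authorized?` and the sample flag values are hypothetical stand-ins constructed for this example.

```ruby
# Constructed stand-in for an access-token record: a hash of capability
# flags exposed through read_attribute, as an ActiveRecord row would be.
class Token
  def initialize(attrs)
    @attrs = attrs
  end

  def read_attribute(name)
    @attrs[name]
  end
end

User = Struct.new(:name)
class UserPreference; end

# User-level rules: any logged-in user may read and write their preferences.
# Tokens play no part here, so the rules can be reasoned about in isolation.
class Ability
  ACTIONS = [:read, :read_one, :update, :update_one, :delete_one].freeze

  def initialize(user)
    @user = user
  end

  def can?(action, subject)
    !@user.nil? && subject == UserPreference && ACTIONS.include?(action)
  end
end

# Token-level rules: grant only what the token's flags explicitly allow.
class Capability
  READ  = [:read, :read_one].freeze
  WRITE = [:update, :update_one, :delete_one].freeze

  def initialize(token)
    @token = token
  end

  def can?(action, subject)
    return false unless subject == UserPreference
    return capability?(:allow_read_prefs) if READ.include?(action)
    return capability?(:allow_write_prefs) if WRITE.include?(action)

    false
  end

  private

  # nil token => nil => false; a missing token never widens access.
  def capability?(cap)
    !!@token&.read_attribute(cap)
  end
end

# Combined decision (hypothetical helper): the user's Ability must allow the
# action, and when a token is present the token's Capability must allow it too.
# A session without a token falls back to user-level rules only.
def authorized?(user, token, action, subject)
  return false unless Ability.new(user).can?(action, subject)
  return true if token.nil?

  Capability.new(token).can?(action, subject)
end

if __FILE__ == $PROGRAM_NAME
  alice = User.new("alice")
  read_only = Token.new(allow_read_prefs: true, allow_write_prefs: false)

  p authorized?(alice, nil, :update, UserPreference)       # session, no token
  p authorized?(alice, read_only, :read, UserPreference)   # token allows read
  p authorized?(alice, read_only, :update, UserPreference) # token lacks write
  p authorized?(nil, read_only, :read, UserPreference)     # no user at all
end
```

With this shape the two questions stay separate: "what may this user do?" is answered by `Ability` alone, and a token can only narrow that answer, never broaden it.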