These are asking fundamentally different questions: Abilities ask the application whether the user has a role that allows them to take a certain action; Capabilities ask whether the user has granted the application permission to perform a certain type of action. CanCanCan makes no distinction between the two, however, so the `granted_capabilities` method is provided as a point that can be checked in rescue methods, so that one can _attempt_ to keep providing the more informative error messages around permission refusals.
19 lines
559 B
Ruby
```ruby
# frozen_string_literal: true

# Capabilities model what an OAuth token has been granted, as opposed to
# Abilities, which model what the user's role allows.
class Capability
  include CanCan::Ability

  def initialize(user, token)
    if user
      can [:read, :read_one], UserPreference if has_capability?(token, :allow_read_prefs)
      can [:update, :update_one, :delete_one], UserPreference if has_capability?(token, :allow_write_prefs)
    end
  end

  # If a user provides no tokens, they've authenticated via a non-OAuth method
  # and permission to access all capabilities is assumed.
  def has_capability?(token, cap)
    token.nil? || token.read_attribute(cap)
  end
end
```
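The following is an added example, not the project's code, that exercises the rule semantics of the `Capability` class above without the cancancan gem or a database. `TinyAbility` is a hand-rolled stand-in for the small subset of `CanCan::Ability` used here (`can` and `can?`), `AccessToken` and `UserPreference` are constructed stand-ins for the real models, and `preference_actions` is a helper added for illustration. The point it makes explicit is the security-relevant one in `has_capability?`: a `nil` token grants every capability, so the caller must only ever pass `nil` for genuinely non-OAuth sessions, never for an OAuth request whose token could not be found.

```ruby
# Added example (not from the project): a self-contained model of the
# capability check. A tiny stand-in replaces CanCan::Ability so this runs
# without the cancancan gem; the rules themselves mirror Capability.

# Minimal stand-in for the subset of CanCan::Ability used here: `can` records
# (action, subject) rules and `can?` looks them up. Not the real library.
module TinyAbility
  def can(actions, subject)
    @rules ||= []
    Array(actions).each { |action| @rules << [action, subject] }
  end

  def can?(action, subject)
    (@rules || []).include?([action, subject])
  end
end

# Constructed stand-in for the OAuth token record. `read_attribute` mirrors the
# call Capability makes; in this stand-in an unknown capability name yields nil,
# i.e. "not granted" (what the real model does for unknown names is not shown).
AccessToken = Struct.new(:allow_read_prefs, :allow_write_prefs) do
  def read_attribute(name)
    respond_to?(name) ? public_send(name) : nil
  end
end

# Constructed stand-in for the UserPreference model; only its identity matters.
class UserPreference; end

class Capability
  include TinyAbility

  def initialize(user, token)
    if user
      can [:read, :read_one], UserPreference if has_capability?(token, :allow_read_prefs)
      can [:update, :update_one, :delete_one], UserPreference if has_capability?(token, :allow_write_prefs)
    end
  end

  # A nil token means a non-OAuth (session) login, so every capability is
  # granted. That makes nil a privileged value: an OAuth request whose token
  # lookup fails must be rejected before reaching here, never mapped to nil.
  def has_capability?(token, cap)
    token.nil? || token.read_attribute(cap)
  end
end

# Hypothetical helper: the UserPreference actions a user/token pair may perform.
def preference_actions(user, token)
  ability = Capability.new(user, token)
  %i[read read_one update update_one delete_one].select do |action|
    ability.can?(action, UserPreference)
  end
end

user = :alice # constructed: any truthy user object

preference_actions(user, nil)                           # => all five actions
preference_actions(user, AccessToken.new(true, false))  # => [:read, :read_one]
preference_actions(user, AccessToken.new(false, false)) # => []
preference_actions(nil, nil)                            # => [] (no user, no rules)
```

Two cases are worth keeping in a test suite: a token with neither flag must grant nothing even though the user is present, and the absence of a user must grant nothing even though the token is `nil`; together they pin down that the `nil`-means-everything shortcut only applies once a user has been established.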