Open-Source-Access-Control-.../app/models/ability.rb

class Ability
  include CanCan::Ability

  def initialize(user)
    can :read, Mac # Anonymous can read mac
    can :scan, Mac # Need anonymous so CRON can scan
    can :read, Resource
    can :read, ResourceCategory

    if !user.nil?

      # By default, users can only see their own stuff
      can :read, Card, :user_id => user.id
      can :read, Certification
      can :read_details, Mac
      can [:update], Mac, :user_id => nil
      can [:create,:update], Mac, :user_id => user.id
      can [:create,:update,:destroy], Resource, :user_id => user.id
      can :read, Payment, :user_id => user.id
      can :read, UserCertification, :user_id => user.id
      can :read, User, :id => user.id #TODO: why can users update themselves? Maybe because Devise doesn't check users/edit?
      can :compose_email, User
      can :send_email, User

      if user.card_access_enabled
        can :access_doors_remotely, :door_access
        can :authorize, Card # used for interlock card/certification auth
      end

      # Instructors can manage certs and see users
      if user.instructor? 
        can :manage, Certification
        can [:create,:read], User, :hidden => [nil,false]
        can [:create,:read], UserCertification
        can [:update,:destroy], UserCertification, :created_by => user.id
      end
      # Users can see others' stuff if they've been oriented
      unless user.orientation.blank?
        can [:read,:new_member_report,:activity], User, :hidden => [nil,false]
        can :read, UserCertification
        can [:create,:update], Resource, :user_id => [nil,user.id]
        can [:create,:update,:destroy], ResourceCategory
      end 

      # Accountants can manage payments
      if user.accountant?
        can :manage, Payment
        can :manage, Ipn
        can :manage, PaypalCsv
      end

      # Admins can manage all
      if user.admin?
        can :manage, :all
      end

      # Prevent most destruction for now
      #cannot :destroy, User
      #cannot :destroy, Card
      cannot :destroy, Certification
      cannot :destroy, Mac
      cannot :destroy, MacLog
      #cannot :destroy, UserCertification
      cannot :destroy, DoorLog
      # no exception for destroying payments
    end 
    # Define abilities for the passed in user here. For example:
    #
    #   user ||= User.new # guest user (not logged in)
    #   if user.admin?
    #     can :manage, :all
    #   else
    #     can :read, :all
    #   end
    #
    # The first argument to `can` is the action you are giving the user permission to do.
    # If you pass :manage it will apply to every action. Other common actions here are
    # :read, :create, :update and :destroy.
    #
    # The second argument is the resource the user can perform the action on. If you pass
    # :all it will apply to every resource. Otherwise pass a Ruby class of the resource.
    #
    # The third argument is an optional hash of conditions to further filter the objects.
    # For example, here the user can only update published articles.
    #
    #   can :update, Article, :published => true
    #
    # See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities
  end
end
Added cancan 2012-09-02 11:37:34 +00:00			`class Ability`
			`include CanCan::Ability`

			`def initialize(user)`
Updating settings & fixing auth of objects through other objects cancan bug? 2013-09-29 02:31:28 +00:00			`can :read, Mac # Anonymous can read mac`
			`can :scan, Mac # Need anonymous so CRON can scan`
Mooooore resources 2014-02-09 12:01:52 +00:00			`can :read, Resource`
Adding resource category edit abilities 2014-02-14 07:02:11 +00:00			`can :read, ResourceCategory`
Finished mac filtering, display, permissions, etc 2013-02-01 10:37:30 +00:00
Got abilities working on index; next need to separate users from members from cards. 2012-09-16 01:41:55 +00:00			`if !user.nil?`
Updated permissions for deletion and styling for hidden items 2013-01-26 01:21:42 +00:00
Fine tuned abilities and updated how membership is tracked 2013-01-25 13:01:02 +00:00			`# By default, users can only see their own stuff`
			`can :read, Card, :user_id => user.id`
			`can :read, Certification`
Updating settings & fixing auth of objects through other objects cancan bug? 2013-09-29 02:31:28 +00:00			`can :read_details, Mac`
Finished mac filtering, display, permissions, etc 2013-02-01 10:37:30 +00:00			`can [:update], Mac, :user_id => nil`
			`can [:create,:update], Mac, :user_id => user.id`
Allowing people to view/edit 2014-02-09 12:13:35 +00:00			`can [:create,:update,:destroy], Resource, :user_id => user.id`
Updating payment and front page status alerts to work properly 2013-10-11 03:58:19 +00:00			`can :read, Payment, :user_id => user.id`
Fine tuned abilities and updated how membership is tracked 2013-01-25 13:01:02 +00:00			`can :read, UserCertification, :user_id => user.id`
Allowing users to see member activity 2014-01-24 00:50:00 +00:00			`can :read, User, :id => user.id #TODO: why can users update themselves? Maybe because Devise doesn't check users/edit?`
Fixing user-emailing abilities 2013-12-13 10:34:52 +00:00			`can :compose_email, User`
			`can :send_email, User`
Fine tuned abilities and updated how membership is tracked 2013-01-25 13:01:02 +00:00
Adding direct door access commands and interface 2013-12-02 09:03:40 +00:00			`if user.card_access_enabled`
			`can :access_doors_remotely, :door_access`
Adding interlock authentication 2014-02-23 12:55:00 +00:00			`can :authorize, Card # used for interlock card/certification auth`
Adding direct door access commands and interface 2013-12-02 09:03:40 +00:00			`end`

Fine tuned abilities and updated how membership is tracked 2013-01-25 13:01:02 +00:00			`# Instructors can manage certs and see users`
Adding certifications; messed up adding certification_users so not staging those 2013-01-25 10:12:25 +00:00			`if user.instructor?`
			`can :manage, Certification`
Lots of styling; avatars, payment methods, and more. 2013-01-26 09:21:41 +00:00			`can [:create,:read], User, :hidden => [nil,false]`
Instructors can delete their own certs; hidden users are hidden in drop-downs; admins can see last user login; prepping for postgres 2013-05-03 07:16:02 +00:00			`can [:create,:read], UserCertification`
			`can [:update,:destroy], UserCertification, :created_by => user.id`
Adding certifications; messed up adding certification_users so not staging those 2013-01-25 10:12:25 +00:00			`end`
Fine tuned abilities and updated how membership is tracked 2013-01-25 13:01:02 +00:00			`# Users can see others' stuff if they've been oriented`
			`unless user.orientation.blank?`
Allowing users to see member activity 2014-01-24 00:50:00 +00:00			`can [:read,:new_member_report,:activity], User, :hidden => [nil,false]`
Fine tuned abilities and updated how membership is tracked 2013-01-25 13:01:02 +00:00			`can :read, UserCertification`
Adding resource category edit abilities 2014-02-14 07:02:11 +00:00			`can [:create,:update], Resource, :user_id => [nil,user.id]`
			`can [:create,:update,:destroy], ResourceCategory`
Fine tuned abilities and updated how membership is tracked 2013-01-25 13:01:02 +00:00			`end`
Updated permissions for deletion and styling for hidden items 2013-01-26 01:21:42 +00:00
Finalized payments and CSVs and inactivity 2013-08-28 15:19:01 +00:00			`# Accountants can manage payments`
Adding payments 2013-02-12 08:58:17 +00:00			`if user.accountant?`
			`can :manage, Payment`
Finalized payments and CSVs and inactivity 2013-08-28 15:19:01 +00:00			`can :manage, Ipn`
			`can :manage, PaypalCsv`
Adding payments 2013-02-12 08:58:17 +00:00			`end`

Allowed admins to see hidden users, added "no orientation" message to main page and hid new people from non-oriented people 2013-02-09 09:51:35 +00:00			`# Admins can manage all`
			`if user.admin?`
			`can :manage, :all`
			`end`

Finishing contracts, changing from s3.yml to .env 2014-03-03 02:06:39 +00:00			`# Prevent most destruction for now`
Usability tweaks, creating merges, fixing issues 2013-05-24 06:25:09 +00:00			`#cannot :destroy, User`
			`#cannot :destroy, Card`
Updated permissions for deletion and styling for hidden items 2013-01-26 01:21:42 +00:00			`cannot :destroy, Certification`
Finished mac filtering, display, permissions, etc 2013-02-01 10:37:30 +00:00			`cannot :destroy, Mac`
			`cannot :destroy, MacLog`
Instructors can delete their own certs; hidden users are hidden in drop-downs; admins can see last user login; prepping for postgres 2013-05-03 07:16:02 +00:00			`#cannot :destroy, UserCertification`
Updated permissions for deletion and styling for hidden items 2013-01-26 01:21:42 +00:00			`cannot :destroy, DoorLog`
Adding payments 2013-02-12 08:58:17 +00:00			`# no exception for destroying payments`
Got abilities working on index; next need to separate users from members from cards. 2012-09-16 01:41:55 +00:00			`end`
Added cancan 2012-09-02 11:37:34 +00:00			`# Define abilities for the passed in user here. For example:`
			`#`
			`# user \|\|= User.new # guest user (not logged in)`
			`# if user.admin?`
			`# can :manage, :all`
			`# else`
			`# can :read, :all`
			`# end`
			`#`
			# The first argument to `can` is the action you are giving the user permission to do.
			`# If you pass :manage it will apply to every action. Other common actions here are`
			`# :read, :create, :update and :destroy.`
			`#`
			`# The second argument is the resource the user can perform the action on. If you pass`
			`# :all it will apply to every resource. Otherwise pass a Ruby class of the resource.`
			`#`
			`# The third argument is an optional hash of conditions to further filter the objects.`
			`# For example, here the user can only update published articles.`
			`#`
			`# can :update, Article, :published => true`
			`#`
			`# See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities`
			`end`
			`end`