90 lines
3.1 KiB
Ruby
Executable File
90 lines
3.1 KiB
Ruby
Executable File
class Ability
|
|
include CanCan::Ability
|
|
|
|
def initialize(user)
|
|
can :read, Mac # Anonymous can read mac
|
|
can :scan, Mac # Need anonymous so CRON can scan
|
|
can :read, Resource
|
|
can :read, ResourceCategory
|
|
|
|
if !user.nil?
|
|
|
|
# By default, users can only see their own stuff
|
|
can :read, Card, :user_id => user.id
|
|
can :read, Certification
|
|
can :read_details, Mac
|
|
can [:update], Mac, :user_id => nil
|
|
can [:create,:update], Mac, :user_id => user.id
|
|
can [:create,:update,:destroy], Resource, :user_id => user.id
|
|
can :read, Payment, :user_id => user.id
|
|
can :read, UserCertification, :user_id => user.id
|
|
can :read, User, :id => user.id #TODO: why can users update themselves? Maybe because Devise doesn't check users/edit?
|
|
can :compose_email, User
|
|
can :send_email, User
|
|
|
|
if user.card_access_enabled
|
|
can :access_doors_remotely, :door_access
|
|
end
|
|
|
|
# Instructors can manage certs and see users
|
|
if user.instructor?
|
|
can :manage, Certification
|
|
can [:create,:read], User, :hidden => [nil,false]
|
|
can [:create,:read], UserCertification
|
|
can [:update,:destroy], UserCertification, :created_by => user.id
|
|
end
|
|
# Users can see others' stuff if they've been oriented
|
|
unless user.orientation.blank?
|
|
can [:read,:new_member_report,:activity], User, :hidden => [nil,false]
|
|
can :read, UserCertification
|
|
can [:create,:update], Resource, :user_id => [nil,user.id]
|
|
can [:create,:update,:destroy], ResourceCategory
|
|
end
|
|
|
|
# Accountants can manage payments
|
|
if user.accountant?
|
|
can :manage, Payment
|
|
can :manage, Ipn
|
|
can :manage, PaypalCsv
|
|
end
|
|
|
|
# Admins can manage all
|
|
if user.admin?
|
|
can :manage, :all
|
|
end
|
|
|
|
# Prevent all destruction for now
|
|
#cannot :destroy, User
|
|
#cannot :destroy, Card
|
|
cannot :destroy, Certification
|
|
cannot :destroy, Mac
|
|
cannot :destroy, MacLog
|
|
#cannot :destroy, UserCertification
|
|
cannot :destroy, DoorLog
|
|
# no exception for destroying payments
|
|
end
|
|
# Define abilities for the passed in user here. For example:
|
|
#
|
|
# user ||= User.new # guest user (not logged in)
|
|
# if user.admin?
|
|
# can :manage, :all
|
|
# else
|
|
# can :read, :all
|
|
# end
|
|
#
|
|
# The first argument to `can` is the action you are giving the user permission to do.
|
|
# If you pass :manage it will apply to every action. Other common actions here are
|
|
# :read, :create, :update and :destroy.
|
|
#
|
|
# The second argument is the resource the user can perform the action on. If you pass
|
|
# :all it will apply to every resource. Otherwise pass a Ruby class of the resource.
|
|
#
|
|
# The third argument is an optional hash of conditions to further filter the objects.
|
|
# For example, here the user can only update published articles.
|
|
#
|
|
# can :update, Article, :published => true
|
|
#
|
|
# See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities
|
|
end
|
|
end
|