mirror/growstuff
1
0
Fork 0
mirror of https://github.com/Growstuff/growstuff.git synced 2026-01-27 10:47:55 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
3ce246ef5adfbb4097c51d29cda93e4abe891721
growstuff/app/models/ability.rb
Skud 89a5a777e6 Merge branch 'dev' into payments-new 
Conflicts:
	.gitignore
	app/models/ability.rb
	app/models/member.rb
	db/schema.rb
2013-06-04 19:42:00 +10:00

100 lines
3.3 KiB
Ruby
Raw Blame History

class Ability
include CanCan::Ability
def initialize(member)
# See the wiki for details: https://github.com/ryanb/cancan/wiki/Defining-Abilities
# everyone can do these things, even non-logged in
can :read, :all
# except these, which don't make sense if you're not logged in
cannot :read, Notification
cannot :read, Authentication
cannot :read, Order
cannot :read, OrderItem
# and nobody should be able to view this except admins
cannot :read, Role
cannot :read, Product
cannot :read, Account
cannot :read, AccountType
if member
# managing your own user settings
can :update, Member, :id => member.id
# can read/delete notifications that were sent to them
can :read, Notification, :recipient_id => member.id
can :destroy, Notification, :recipient_id => member.id
# can send a private message to anyone but themselves
# note: sadly, we can't test for this from the view, but it works
# for the model/controller
can :create, Notification do |n|
n.recipient_id != member.id
end
# note we don't support update for notifications
# only crop wranglers can create/edit/destroy crops
if member.has_role? :crop_wrangler
can :manage, Crop
can :manage, ScientificName
end
# can create & destroy their own authentications against other sites.
can :create, Authentication
can :destroy, Authentication, :member_id => member.id
# anyone can create a post, or comment on a post,
# but only the author can edit/destroy it.
can :create, Post
can :update, Post, :author_id => member.id
can :destroy, Post, :author_id => member.id
can :create, Comment
can :update, Comment, :author_id => member.id
can :destroy, Comment, :author_id => member.id
# same deal for gardens and plantings
can :create, Garden
can :update, Garden, :owner_id => member.id
can :destroy, Garden, :owner_id => member.id
can :create, Planting
can :update, Planting, :garden => { :owner_id => member.id }
can :destroy, Planting, :garden => { :owner_id => member.id }
can :create, Photo
can :update, Photo, :owner_id => member.id
can :destroy, Photo, :owner_id => member.id
# orders/shop/etc
can :create, Order
can :read, Order, :member_id => member.id
can :complete, Order, :member_id => member.id, :completed_at => nil
can :checkout, Order, :member_id => member.id, :completed_at => nil
can :cancel, Order, :member_id => member.id, :completed_at => nil
can :destroy, Order, :member_id => member.id, :completed_at => nil
can :create, OrderItem
# for now, let's not let people mess with individual order items
cannot :read, OrderItem, :order => { :member_id => member.id }
cannot :update, OrderItem, :order => { :member_id => member.id, :completed_at => nil }
cannot :destroy, OrderItem, :order => { :member_id => member.id, :completed_at => nil }
if member.has_role? :admin
can :read, :all
can :manage, :all
# can't change order history, because it's *history*
cannot :create, Order
cannot :complete, Order
cannot :destroy, Order
cannot :manage, OrderItem
end
end
end
end
Reference in New Issue View Git Blame Copy Permalink