# Copyright (C) 2012-2024 Zammad Foundation, https://zammad-foundation.org/ class StorePolicy < ApplicationPolicy # Store objects are authorized based on the policy of the object that "owns" them, # like the ticket or knowledge base answer they are attached to. # If no owner class or record can be found, forbid access by default. def show? store_object_policy(store_object_owner)&.show? end def destroy? store_object_policy(store_object_owner)&.destroy? end def user_required? false end def custom_exception ActiveRecord::RecordNotFound.new end private def store_object_class record.store_object&.name&.safe_constantize end def store_object_policy(target) Pundit.policy user, target end def store_object_owner if store_object_class == UploadCache return UploadCache.new(record.o_id) end store_object_class&.find record.o_id end end