  1. # Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
class Controllers::SettingsControllerPolicy < Controllers::ApplicationControllerPolicy
  # Controller-level authorization for the settings endpoints.
  #
  # Two layers are combined here: the coarse 'admin.*' permission (declared
  # through default_permit! and re-checked per action), and the Setting
  # record's own Pundit policy, so an individual setting can require a
  # narrower permission via its preferences.
  default_permit!('admin.*')

  # Reading a setting. permissions! is the raising variant (it does not
  # return false); the per-setting :show? check follows it.
  def show?
    user.permissions!('admin.*')
    authorized_for_setting?(:show?)
  end

  # Changing a setting's value.
  def update?
    updateable?
  end

  # Changing a setting's image goes through exactly the same gate as update?.
  def update_image?
    updateable?
  end

  private

  # The Setting addressed by the request's :id parameter, memoized per policy
  # instance.
  # NOTE(review): Setting.lookup presumably returns nil for an unknown id; the
  # callers below would then reach nil.preferences — confirm against the base
  # policy whether that path is handled before it gets here.
  def setting
    @setting ||= Setting.lookup(id: record.params[:id])
  end

  # Delegates +query+ (:show? or :update?) to the Setting record's own policy.
  #
  # @param query [Symbol] the policy predicate to ask of the Setting's policy
  # @return [true] when Pundit authorizes the user on the setting
  # @return the result of not_authorized otherwise, carrying the permission
  #   the setting declares in its preferences
  def authorized_for_setting?(query)
    Pundit.authorize(user, setting, query)
  rescue Pundit::NotAuthorizedError
    not_authorized("required #{setting.preferences[:permission].inspect}")
  else
    true
  end

  # Shared gate for update? and update_image?: admin permission, then the
  # per-setting :update? check, then the online-service restriction.
  def updateable?
    return false unless user.permissions?('admin.*')
    return false unless authorized_for_setting?(:update?)

    service_enabled?
  end

  # On an online-service instance, settings flagged with
  # preferences[:online_service_disable] may not be changed; everywhere else
  # (or for unflagged settings) this is a no-op that answers true.
  def service_enabled?
    return true unless Setting.get('system_online_service')
    return true unless setting.preferences[:online_service_disable]

    not_authorized('service disabled')
  end
end