- # Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
- # We need a special UserContext when authorizing in controller context
- # because of Token authentication, which has its own permissions
- # See: https://github.com/varvet/pundit#additional-context
- # We use a Delegator here to have transparent / DuckType access
- # to the underlying User instance in the Policy
class UserContext < Delegator
  # Wraps the current user (and optionally the API token used for the request)
  # so policies can talk to it like a plain User while permission checks still
  # take the token's own restrictions into account.
  #
  # @param user  [User, nil]  the authenticated user; nil when unauthenticated
  # @param token [Token, nil] the token the request was authenticated with, if any
  def initialize(user, token = nil) # rubocop:disable Lint/MissingSuper
    @user  = user
    @token = token
  end

  # Delegator hook: every message not handled here is forwarded to the user.
  def __getobj__
    @user
  end

  # Fail-closed permission check.
  #
  # Both layers must agree: the user itself must hold +permissions+, and when a
  # token is present the token must grant them as well. A token can therefore
  # only narrow what a user may do, never widen it.
  #
  # @raise [Exceptions::Forbidden] when no user is present, when the user lacks
  #   the permissions, or when the token does not grant them
  def permissions!(permissions)
    raise Exceptions::Forbidden, __('Authentication required') unless @user
    raise Exceptions::Forbidden, __('Not authorized (user)!') unless @user.permissions?(permissions)

    # Session-style authentication without a token: the user check alone decides.
    return unless @token

    # The block is evaluated by the token (with the user as context), so
    # `permissions?` here is the token's check, not this object's.
    token_allows = @token.with_context(user: @user) { permissions?(permissions) }
    return if token_allows

    raise Exceptions::Forbidden, __('Not authorized (token)!')
  end

  # Boolean form of #permissions!: true when authorized, false on Forbidden.
  # Only Exceptions::Forbidden is swallowed; any other error propagates.
  def permissions?(permissions)
    permissions!(permissions)
    true
  rescue Exceptions::Forbidden
    false
  end
end