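module Locomotive
  # CanCan ability for one (account, site) pair.
  #
  # The rule set is derived from the account's membership in +site+. CanCan
  # resolves rules last-match-wins, so the order of the +can+/+cannot+ calls
  # in the setup_* methods is part of the policy and must be preserved.
  #
  # Security notes (review):
  # * Only the Site rules carry a +site == @site+ condition. Every other
  #   +can :manage+ names a class with no site condition, so cross-site
  #   isolation for pages, entries, assets, memberships etc. has to come from
  #   whatever loads those records (presumably the controllers) — confirm.
  # * An account with no membership in this site gets no rules at all, which
  #   CanCan treats as "nothing permitted" (fail closed).
  class Ability
    include CanCan::Ability

    # Membership roles this ability distinguishes. Frozen so the constant
    # cannot be mutated at runtime.
    ROLES = %w(admin designer author).freeze

    # @param account [Account] the signed-in account being authorized
    # @param site [Site] the site the request is scoped to
    def initialize(account, site)
      @account, @site = account, site

      # :touch groups the read/edit actions used by the author rules.
      alias_action :index, :show, :edit, :update, :to => :touch

      @membership = @site.memberships.where(:account_id => @account.id).first

      # No membership in this site => no rules => everything denied.
      return if @membership.blank?

      if @membership.admin?
        setup_admin_permissions!
      else
        setup_default_permissions!

        # NOTE(review): assumes a membership is designer OR author, not both;
        # if both could be true the author rules, running last, would narrow
        # the designer's unconditional ContentEntry rule — confirm in Membership.
        setup_designer_permissions! if @membership.designer?
        setup_author_permissions!   if @membership.author?
      end
    end

    # Baseline for non-admins: deny everything, then let the role-specific
    # methods open up what is needed.
    def setup_default_permissions!
      cannot :manage, :all
    end

    # Author: read/edit (but not create/destroy) pages and theme assets, sort
    # pages, read content types, and manage content entries/assets subject to
    # the optional per-account allow-list below.
    def setup_author_permissions!
      can :touch, [Page, ThemeAsset]
      can :sort, Page

      # Per-account allow-list stored as entries of a content type with slug
      # 'permissions': each row matching the account's e-mail carries a
      # comma-separated list of content-type slugs in +types+.
      #
      # Security notes (review):
      # * Fail-open by design: with no 'permissions' content type, or no rows
      #   for this account, every ContentEntry/ContentAsset is allowed.
      # * Rows are matched on +user_email+, not on the account id, so the
      #   allow-list follows the e-mail address — confirm that is intended.
      # * Slugs are compared without stripping: "foo, bar" grants only "foo",
      #   so stray whitespace in +types+ silently denies (fails closed).
      # * The same block guards ContentAsset and assumes the instance responds
      #   to +content_type.slug+ — verify that holds for ContentAsset.
      # * CanCan evaluates this block only for instance-level checks; a
      #   class-level +can?(:manage, ContentEntry)+ is answered without it.
      can :manage, [ContentEntry, ContentAsset] do |entry|
        allowed = true
        if (perm_defs = ContentType.where(:slug => 'permissions').first)
          perms = perm_defs.entries
                           .where(:user_email => @account.email)
                           .collect(&:types)
                           .flat_map { |types| types.split(',') }
          allowed = perms.any? { |perm| perm == entry.content_type.slug } unless perms.empty?
        end
        allowed
      end

      # Only the current site may be touched.
      can :touch, Site do |site|
        site == @site
      end

      can :read, ContentType
    end

    # Designer: full control of site content and structure plus membership
    # management, with carve-outs: cannot create sites, cannot grant admin,
    # and cannot update/destroy their own membership or an admin's.
    def setup_designer_permissions!
      can :manage, Page
      can :manage, ContentEntry
      can :manage, ContentType
      can :manage, Snippet
      can :manage, ThemeAsset
      can :manage, ContentAsset

      # Site access is limited to the current site; :point is a custom action
      # whose meaning is defined outside this file.
      can :manage, Site do |site|
        site == @site
      end
      can :point, Site
      cannot :create, Site

      # NOTE(review): :create on Membership stays allowed by :manage; the
      # :grant_admin denial only bites if the membership controller authorizes
      # :grant_admin before assigning the admin role — confirm it does.
      can :manage, Membership
      cannot :grant_admin, Membership
      cannot [:update, :destroy], Membership do |membership|
        @membership.account_id == membership.account_id || # can not edit myself
          membership.admin?                                  # can not modify an administrator
      end
    end

    # Admin: everything, except updating/destroying their own membership.
    # NOTE(review): +:all+ is not site-scoped here (unlike the designer's Site
    # rule); isolation to the current site must come from the callers — confirm.
    def setup_admin_permissions!
      can :manage, :all

      cannot [:update, :destroy], Membership do |membership|
        @membership.account_id == membership.account_id # can not edit myself
      end
    end
  end
end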