# frozen_string_literal: true
module Decidim
module Admin
module Abilities
# Defines the abilities for a user in the admin section. Intended to be
# used with `cancancan`.
class AdminAbility < Decidim::Abilities::AdminAbility
def define_abilities
super
can :read, :admin_log
can :manage, Category
can :manage, ParticipatoryProcessUserRole
can [:create, :update, :index, :new, :read], StaticPage
can([:update_slug, :destroy], [StaticPage, StaticPageForm]) do |page|
!StaticPage.default?(page.slug)
end
can([:read, :update], Decidim::Organization) do |organization|
organization == user.organization
end
can :manage, Feature
can :manage, :admin_users
can :manage, :managed_users
cannot [:new, :create], :managed_users if empty_available_authorizations?
can(:impersonate, Decidim::User) do |user_to_impersonate|
user_to_impersonate.managed? && Decidim::ImpersonationLog.active.empty?
end
can(:promote, Decidim::User) do |user_to_promote|
user_to_promote.managed? && Decidim::ImpersonationLog.active.empty?
end
can :manage, Moderation
can :manage, Attachment
can :manage, AttachmentCollection
can :manage, Scope
can :manage, ScopeType
can :manage, Area
can :manage, AreaType
can :manage, Newsletter
can [:create, :index, :new, :read, :invite], User
can([:destroy], [User]) do |user_to_destroy|
user != user_to_destroy
end
can [:index, :verify, :reject], UserGroup
can [:index, :new, :create, :destroy], :officializations
can :index, :authorization_workflows
can [:index, :update], Authorization
end
private
def empty_available_authorizations?
return unless @context[:current_organization]
@context[:current_organization].available_authorizations.empty?
end
end
end
end
end