# frozen_string_literal: true module Decidim module Admin module Abilities # Defines the abilities for a user in the admin section. Intended to be # used with `cancancan`. class AdminAbility < Decidim::Abilities::AdminAbility def define_abilities super can :read, :admin_log can :manage, Category can :manage, ParticipatoryProcessUserRole can [:create, :update, :index, :new, :read], StaticPage can([:update_slug, :destroy], [StaticPage, StaticPageForm]) do |page| !StaticPage.default?(page.slug) end can([:read, :update], Decidim::Organization) do |organization| organization == user.organization end can :manage, Feature can :manage, :admin_users can :manage, :managed_users cannot [:new, :create], :managed_users if empty_available_authorizations? can(:impersonate, Decidim::User) do |user_to_impersonate| user_to_impersonate.managed? && Decidim::ImpersonationLog.active.empty? end can(:promote, Decidim::User) do |user_to_promote| user_to_promote.managed? && Decidim::ImpersonationLog.active.empty? end can :manage, Moderation can :manage, Attachment can :manage, AttachmentCollection can :manage, Scope can :manage, ScopeType can :manage, Area can :manage, AreaType can :manage, Newsletter can [:create, :index, :new, :read, :invite], User can([:destroy], [User]) do |user_to_destroy| user != user_to_destroy end can [:index, :verify, :reject], UserGroup can [:index, :new, :create, :destroy], :officializations can :index, :authorization_workflows can [:index, :update], Authorization end private def empty_available_authorizations? return unless @context[:current_organization] @context[:current_organization].available_authorizations.empty? end end end end end