API v1 orders endpoints

2018-10-13 16:16:44 +02:00 · 2018-10-13 16:16:44 +02:00 · 127ae83f04
commit 127ae83f04
parent 7d5155bef6
9 changed files with 165 additions and 10 deletions
--- a/app/controllers/concerns/auth_api.rb
+++ b/app/controllers/concerns/auth_api.rb
@ -53,14 +53,19 @@ module Concerns::AuthApi
    end

    case scope_parts.first
-    when 'user'           then true # access to the current user's own profile
-    when 'config'         then current_user.role_admin?
-    when 'users'          then current_user.role_admin?
-    when 'workgroups'     then current_user.role_admin?
-    when 'suppliers'      then current_user.role_suppliers?
-    when 'group_orders'   then current_user.role_orders?
-    when 'finance'        then current_user.role_finance?
+    when 'user'           then return true # access to the current user's own profile
+    when 'config'         then return current_user.role_admin?
+    when 'users'          then return current_user.role_admin?
+    when 'workgroups'     then return current_user.role_admin?
+    when 'suppliers'      then return current_user.role_suppliers?
+    when 'group_orders'   then return current_user.role_orders?
+    when 'finance'        then return current_user.role_finance?
    # please note that offline_access does not belong here, since it is not used for permission checking
    end
+
+    case scope
+    when 'orders:read'    then return true
+    when 'orders:write'   then return current_user.role_orders?
+    end
  end
 end