Rearrange, not change the abilities in Ability

app/controllers/mailings_controller.rb

@@ -1,11 +1,10 @@
 # frozen_string_literal: true
 class MailingsController < ApplicationController
 
-  load_and_authorize_resource except: :index
+  load_and_authorize_resource
 
   def index
     @mailings = Mailing.order('id DESC').page(params[:page])
-    authorize! :read, :mailing
   end
 
   # These actions are here to enable the cancancan 'not authorised' notice

app/models/ability.rb

@@ -1,6 +1,4 @@
 # frozen_string_literal: true
-# See the wiki for details:
-# https://github.com/ryanb/cancan/wiki/Defining-Abilities
 
 class Ability
   include CanCan::Ability
@@ -10,22 +8,66 @@ def initialize(user)
 
     alias_action :create, :read, :update, :destroy, to: :crud
 
-    can :crud, User, id: user.id
-    can :crud, User if user.admin?
+    # guest user
+    can :read, [Activity, User, Team, Project, Conference]
+
+    return unless signed_in?(user)
+
+    # unconfirmed, logged in user
+    can :update, User, id: user.id
+    can :resend_confirmation_instruction, User, id: user.id
+    can :read_email, User, hide_email: false # view helper # delete? only used once
+
+    return unless user.confirmed? && signed_in?(user)
+
+    # confirmed user
+    can [:update, :destroy], User, id: user.id
     can :resend_confirmation_instruction, User, id: user.id
-    can :resend_confirmation_instruction, User if user.admin?
+    can :create, Project
+    can [:join, :create], Team
+    can :index, Mailing
+    can :read, Mailing do |mailing|
+      mailing.recipient? user
+    end
+
+    # Members in a team
+    can [:update, :destroy], Team do |team|
+      on_team?(user, team)
+    end
+
+    # current_student
+    if user.current_student? # TODO is this a valid check?
+      can :create, Team if user.teams.none?
+      can :create, Conference
+    end
 
-    # visibility of email address in user profile
-    can :read_email, User, id: user.id if !user.hide_email?
-    can :read_email, User if user.admin?
-    can :read_email, User do |other_user|
-      user.confirmed? && (supervises?(other_user, user) || !other_user.hide_email?)
+    # supervisor
+    if user.supervisor?
+      can :read, :users_info
+      can :read_email, User do |other_user|
+        supervises?(other_user, user)
+      end
     end
 
-    can :crud, Team do |team|
-      user.admin? || signed_in?(user) && team.new_record? || on_team?(user, team)
+    # project submitter
+    can [:update, :destroy], Project, submitter_id: user.id
+    can :use_as_template, Project do |project|
+      user == project.submitter && !project.season&.current?
     end
 
+    # admin
+    if user.admin?
+      can :manage, :all
+      # MEMO add "cannot's" only; and only after this line
+      cannot :create, User # this only happens through GitHub
+    end
+
+    ################# REMAININGS FROM OLD FILE, # = rewritten above ############
+
+    # can :crud, Team do |team|
+    #   user.admin? || signed_in?(user) && team.new_record? || on_team?(user, team)
+    # end
+
     can :update_conference_preferences, Team do |team|
       team.accepted? && team.students.include?(user)
     end
@@ -38,10 +80,10 @@ def initialize(user)
       team.students.include?(user)
     end
 
-    cannot :create, Team do |team|
-      on_team_for_season?(user, team.season) || !user.confirmed?
-    end
-
+    # cannot :create, Team do |team|
+    #   on_team_for_season?(user, team.season) || !user.confirmed?
+    # end
+    # todo helpdesk team join
     can :join, Team do |team|
       team.helpdesk_team? and signed_in?(user) and user.confirmed? and not on_team?(user, team)
     end
@@ -62,35 +104,10 @@ def initialize(user)
       user.admin? || (preference.team.students.include? user)
     end
 
-    can :crud, Conference if user.admin? || user.current_student?
-
-    # todo add mailing controller and view for users in their namespace, where applicable
-    can :read, Mailing do |mailing|
-      mailing.recipient? user
-    end
-
-    can :crud, :comments if user.admin?
-    can :read, :users_info if user.admin? || user.supervisor?
-
-    # projects
-    can :crud, Project do |project|
-      user.admin? ||
-        (user.confirmed? && user == project.submitter)
-    end
-    can :use_as_template, Project do |project|
-      user == project.submitter && !project.season&.current?
-    end
-
-    can :create, Project if user.confirmed?
-    cannot :create, Project if !user.confirmed?
-
-    # activities
-    can :read, :feed_entry
-    can :read, :mailing if signed_in?(user)
-
     # applications
     can :create, :application_draft if user.student? && user.application_drafts.in_current_season.none?
-  end
+
+  end # initializer
 
   def signed_in?(user)
     user.persisted?

spec/factories/projects.rb

@@ -30,5 +30,9 @@
     trait :in_current_season do
       season { Season.current }
     end
+
+    trait :in_last_season do
+      season { Season.find_or_create_by name: (Date.today.year - 1) }
+    end
   end
 end

spec/factories/users.rb

@@ -1,6 +1,6 @@
 FactoryBot.define do
   factory :user, aliases: [:member] do
-    github_handle { FFaker::InternetSE.user_name_variant_short }
+    github_handle { FFaker::InternetSE.unique.user_name_variant_short }
     name     { FFaker::Name.name }
     email    { FFaker::Internet.email }
     location { FFaker::Address.city }
@@ -84,5 +84,9 @@
         create(:reviewer_role, user: user)
       end
     end
+
+    trait :unconfirmed do
+      confirmed_at { nil }
+    end
   end
 end