1 files changed, 15 insertions, 8 deletions

diff --git a/app/models/user.rb b/app/models/user.rb
index 4ba05b164..1d9e435d5 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -28,10 +28,21 @@ class User < ActiveRecord::Base
   end
   after_destroy :check_destroy_organisation
 
-  @@edit_offer_permissions = ['routes.create', 'routes.edit', 'routes.destroy', 'journey_patterns.create', 'journey_patterns.edit', 'journey_patterns.destroy',
-    'vehicle_journeys.create', 'vehicle_journeys.edit', 'vehicle_journeys.destroy', 'time_tables.create', 'time_tables.edit', 'time_tables.destroy',
-    'footnotes.edit', 'footnotes.create', 'footnotes.destroy', 'routing_constraint_zones.create', 'routing_constraint_zones.edit',
-    'routing_constraint_zones.destroy', 'referentials.create', 'referentials.edit', 'referentials.destroy', 'boiv:edit-offer']
+  def self.destructive_permissions_for(models)
+    models.product( %w{create destroy update} ).map{ |model_action| model_action.join('.') }
+  end
+
+  @@edit_offer_permissions =
+    destructive_permissions_for( %w[
+      footnotes
+      journey_patterns
+      referentials
+      routes
+      routing_constraint_zones
+      time_tables
+      vehicle_journeys
+    ]) << 'boiv:edit-offer'
+
   mattr_reader :edit_offer_permissions
 
   def self.all_permissions
@@ -44,8 +55,6 @@ class User < ActiveRecord::Base
     self.name         = extra[:full_name]
     self.email        = extra[:email]
     self.organisation = Organisation.sync_update extra[:organisation_code], extra[:organisation_name], extra[:functional_scope]
-      # TODO: Discuss the following behavior in the light of how the portal's permissions will evolve
-      # boiv:edit-offer does not imply boiv:read-offer, which needs to be provided specifically for any connection rights
     self.permissions  = extra[:permissions].include?('boiv:edit-offer') ? @@edit_offer_permissions : []
   end
 
@@ -74,8 +83,6 @@ class User < ActiveRecord::Base
       user.locked_at    = el['locked_at']
       user.organisation = Organisation.sync_update el['organization_code'], el['organization_name'], el['functional_scope']
       user.synced_at    = Time.now
-      # TODO: Discuss the following behavior in the light of how the portal's permissions will evolve
-      # boiv:edit-offer does not imply boiv:read-offer, which needs to be provided specifically for any connection rights
       user.permissions  = el['permissions'].include?('boiv:edit-offer') ? @@edit_offer_permissions : []
       user.save
     end