redmine/plugins/redmine_hourglass/app/policies/concerns/redmine_authorization.rb

module RedmineAuthorization
  def allowed_to?(action, controller_name = nil)
    controller = controller_name || self.class.name.gsub('::Scope', '').demodulize.gsub('Policy', '').tableize
    action_args = {controller: "hourglass/#{controller}", action: action}
    project.blank? ? user.allowed_to_globally?(action_args) : user.allowed_to?(action_args, project)
  end

  private
  def authorized?(action)
    return foreign_authorized? action if foreign_entry?
    allowed_to? action
  end

  def foreign_authorized?(action)
    foreign_forbidden_message and return false unless allowed_to? "#{action}_foreign"
    true
  end

  def foreign_entry?
    record_user && record_user != user
  end

  def unsafe_attributes?
    return false unless record.respond_to? :changed
    unsafe_attributes = record.changed.map(&:to_sym).select { |attr| protected_parameters.include? attr }
    if record.new_record?
      unsafe_attributes.delete :user_id
      unsafe_attributes.delete :start
    end
    unsafe_attributes.length > 0
  end

  def foreign_forbidden_message
    @message ||= I18n.t('hourglass.api.errors.change_others_forbidden')
  end

  def update_all_forbidden_message
    @message ||= I18n.t('hourglass.api.errors.update_all_forbidden')
  end
end