danbooru/app/policies/user_policy.rb

class UserPolicy < ApplicationPolicy
  def create?
    true
  end

  def new?
    true
  end

  def update?
    record.id == user.id || user.is_admin?
  end

  def promote?
    user.is_moderator?
  end

  def upgrade?
    !user.is_anonymous?
  end

  def fix_counts?
    !user.is_anonymous?
  end

  def can_see_last_logged_in_at?
    user.is_moderator?
  end

  def can_see_favorites?
    user.is_admin? || record.id == user.id || !record.enable_private_favorites?
  end

  def permitted_attributes_for_create
    [:name, :password, :password_confirmation, { email_address_attributes: [:address] }]
  end

  def permitted_attributes_for_update
    [
      :comment_threshold, :default_image_size, :favorite_tags,
      :blacklisted_tags, :time_zone, :per_page, :custom_style, :theme,
      :receive_email_notifications, :always_resize_images,
      :new_post_navigation_layout, :enable_private_favorites,
      :hide_deleted_posts, :style_usernames, :show_deleted_children,
      :disable_categorized_saved_searches, :disable_tagged_filenames,
      :disable_cropped_thumbnails, :disable_mobile_gestures, :enable_safe_mode,
      :enable_desktop_mode, :disable_post_tooltips,
    ].compact
  end

  def api_attributes
    attributes = %i[
      id created_at name inviter_id level
      post_upload_count post_update_count note_update_count is_banned
      can_approve_posts can_upload_free level_string
    ]

    if record.id == user.id
      attributes += User::BOOLEAN_ATTRIBUTES
      attributes += %i[
        updated_at last_logged_in_at last_forum_read_at
        comment_threshold default_image_size
        favorite_tags blacklisted_tags time_zone per_page
        custom_style favorite_count statement_timeout favorite_group_limit
        favorite_limit tag_query_limit max_saved_searches theme
      ]
    end

    attributes
  end

  alias_method :profile?, :show?
  alias_method :settings?, :edit?
end