Update permissions for Repositories

2025-01-26 17:51:47 +08:00 · 2019-07-12 16:43:54 +02:00 · 2019-07-12 16:43:54 +02:00 · 077369d960
commit 077369d960
parent f569411bc7
16 changed files with 130 additions and 58 deletions
--- a/app/controllers/api/v1/inventory_cells_controller.rb
+++ b/app/controllers/api/v1/inventory_cells_controller.rb
@ -60,9 +60,7 @@ module Api
      end

      def check_manage_permissions
-        unless can_manage_repository_rows?(@team)
-          raise PermissionError.new(RepositoryRow, :manage)
-        end
+        raise PermissionError.new(RepositoryRow, :manage) unless can_manage_repository_rows?(@inventory)
      end

      def inventory_cell_params
--- a/app/controllers/api/v1/inventory_columns_controller.rb
+++ b/app/controllers/api/v1/inventory_columns_controller.rb
@ -61,9 +61,7 @@ module Api
      end

      def check_create_permissions
-        unless can_create_repository_columns?(@inventory.team)
-          raise PermissionError.new(RepositoryColumn, :create)
-        end
+        raise PermissionError.new(RepositoryColumn, :create) unless can_create_repository_columns?(@inventory)
      end

      def inventory_column_params
--- a/app/controllers/api/v1/inventory_items_controller.rb
+++ b/app/controllers/api/v1/inventory_items_controller.rb
@ -97,9 +97,7 @@ module Api
      private

      def check_manage_permissions
-        unless can_manage_repository_rows?(@team)
-          raise PermissionError.new(RepositoryItem, :manage)
-        end
+        raise PermissionError.new(RepositoryItem, :manage) unless can_manage_repository_rows?(@inventory)
      end

      def inventory_item_params
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@ -60,7 +60,7 @@ class AssetsController < ApplicationController
               elsif @assoc.class == Result
                 can_manage_module?(@my_module)
               elsif @assoc.class == RepositoryCell
-                 can_manage_repository_rows?(@repository.team)
+                 can_manage_repository_rows?(@repository)
               end

    if @asset.is_image?
@ -309,7 +309,7 @@ class AssetsController < ApplicationController
    elsif @assoc.class == Result
      render_403 and return unless can_manage_module?(@my_module)
    elsif @assoc.class == RepositoryCell
-      render_403 and return unless can_manage_repository_rows?(@repository.team)
+      render_403 and return unless can_manage_repository_rows?(@repository)
    end
  end

--- a/app/controllers/repository_columns_controller.rb
+++ b/app/controllers/repository_columns_controller.rb
@ -195,7 +195,7 @@ class RepositoryColumnsController < ApplicationController
  end

  def check_create_permissions
-    render_403 unless can_create_repository_columns?(@repository.team)
+    render_403 unless can_create_repository_columns?(@repository)
  end

  def check_manage_permissions
--- a/app/controllers/repository_list_items_controller.rb
+++ b/app/controllers/repository_list_items_controller.rb
@ -23,6 +23,6 @@ class RepositoryListItemsController < ApplicationController
    unless @repository_column&.data_type == 'RepositoryListValue'
      render_404 and return
    end
-    render_403 unless can_manage_repository_rows?(repository.team)
+    render_403 unless can_manage_repository_rows?(repository)
  end
 end
--- a/app/controllers/repository_rows_controller.rb
+++ b/app/controllers/repository_rows_controller.rb
@ -274,11 +274,10 @@ class RepositoryRowsController < ApplicationController
    if selected_params
      selected_params.each do |row_id|
        row = @repository.repository_rows.find_by_id(row_id)
-        if row && can_manage_repository_rows?(@repository.team)
-          log_activity(:delete_item_inventory, row)
+        next unless row && can_manage_repository_rows?(@repository)

-          row.destroy && deleted_count += 1
-        end
+        log_activity(:delete_item_inventory, row)
+        row.destroy && deleted_count += 1
      end
      if deleted_count.zero?
        flash = t('repositories.destroy.no_deleted_records_flash',
@ -365,11 +364,11 @@ class RepositoryRowsController < ApplicationController
  end

  def check_create_permissions
-    render_403 unless can_create_repository_rows?(@repository.team)
+    render_403 unless can_create_repository_rows?(@repository)
  end

  def check_manage_permissions
-    render_403 unless can_manage_repository_rows?(@repository.team)
+    render_403 unless can_manage_repository_rows?(@repository)
  end

  def record_params
--- a/app/controllers/wopi_controller.rb
+++ b/app/controllers/wopi_controller.rb
@ -367,6 +367,6 @@ class WopiController < ActionController::Base

  # Overwrriten in electronic signature for locked inventory items
  def can_edit_wopi_file_in_repository_rows?
-    can_manage_repository_rows?(@team)
+    can_manage_repository_rows?(@repository)
  end
 end
--- a/app/helpers/repository_datatable_helper.rb
+++ b/app/helpers/repository_datatable_helper.rb
@ -62,10 +62,9 @@ module RepositoryDatatableHelper
  end

  def can_perform_repository_actions(repository)
-    team = repository.team
    can_manage_repository?(repository) ||
-      can_create_repositories?(team) ||
-      can_manage_repository_rows?(team)
+      can_create_repositories?(repository.team) ||
+      can_manage_repository_rows?(repository)
  end

  # The order must be converted from Ruby Hash into a JS array -
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@ -8,7 +8,7 @@ class Repository < ApplicationRecord

  attribute :discarded_by_id, :integer

-  belongs_to :team, optional: true
+  belongs_to :team
  belongs_to :created_by, foreign_key: :created_by_id, class_name: 'User'
  has_many :repository_columns, dependent: :destroy
  has_many :repository_rows, dependent: :destroy
--- a/app/permissions/repository.rb
+++ b/app/permissions/repository.rb
@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+Canaid::Permissions.register_for(Repository) do
+  # repository: update, delete
+  can :manage_repository do |user, repository|
+    user.is_admin_of_team?(repository.team)
+  end
+
+  # repository: create/import record
+  can :create_repository_rows do |user, repository|
+    if user.teams.include?(repository.team)
+      user.is_normal_user_or_admin_of_team?(repository.team)
+    elsif (write_team_repos = repository
+                                .team_repositories
+                                .where(team_id: user.teams.pluck(:id))
+                                .where(permission_level: :write)).any?
+      # When has some repository's relations with write permissions for at least one of user's teams.
+
+      user.is_normal_user_or_admin_of_team?(write_team_repos.first.team)
+    else
+      false
+    end
+  end
+
+  # repository: update/delete records
+  can :manage_repository_rows do |user, repository|
+    can_create_repository_rows?(user, repository)
+  end
+
+  # repository: create field
+  can :create_repository_columns do |user, repository|
+    can_create_repository_rows?(user, repository)
+  end
+end
--- a/app/permissions/repository_column.rb
+++ b/app/permissions/repository_column.rb
@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+Canaid::Permissions.register_for(RepositoryColumn) do
+  # repository: update/delete field
+  # Tested in scope of RepositoryPermissions spec
+  can :manage_repository_column do |user, repository_column|
+    can_create_repository_columns?(user, repository_column.repository)
+  end
+end
--- a/app/permissions/team.rb
+++ b/app/permissions/team.rb
@ -47,21 +47,6 @@ Canaid::Permissions.register_for(Team) do
      team.repositories.count < Rails.configuration.x.repositories_limit
  end

-  # repository: create/import record
-  can :create_repository_rows do |user, team|
-    user.is_normal_user_or_admin_of_team?(team)
-  end
-
-  # repository: update/delete records
-  can :manage_repository_rows do |user, team|
-    user.is_normal_user_or_admin_of_team?(team)
-  end
-
-  # repository: create field
-  can :create_repository_columns do |user, team|
-    user.is_normal_user_or_admin_of_team?(team)
-  end
-
  # this permission is scattered around the application
  # if you want to make changes here keep in mind to check/change the
  # SQL view that lists reports in index page:
@ -116,17 +101,3 @@ Canaid::Permissions.register_for(CustomField) do
    can_create_sample_columns?(user, custom_field.team)
  end
 end
-
-Canaid::Permissions.register_for(Repository) do
-  # repository: update, delete
-  can :manage_repository do |user, repository|
-    user.is_admin_of_team?(repository.team)
-  end
-end
-
-Canaid::Permissions.register_for(RepositoryColumn) do
-  # repository: update/delete field
-  can :manage_repository_column do |user, repository_column|
-    can_create_repository_columns?(user, repository_column.repository.team)
-  end
-end
--- a/app/services/report_actions/save_pdf_to_inventory_item.rb
+++ b/app/services/report_actions/save_pdf_to_inventory_item.rb
@ -33,7 +33,7 @@ module ReportActions
      @repository        = load_repository
      @repository_column = load_repository_column
      @repository_item   = load_repository_item
-      unless can_create_repository_rows?(@user, @repository.team)
+      unless can_create_repository_rows?(@user, @repository)
        raise ReportActions::RepositoryPermissionError,
                I18n.t('projects.reports.new.no_permissions')
      end
--- a/app/views/repositories/show.html.erb
+++ b/app/views/repositories/show.html.erb
@ -12,7 +12,7 @@
 <div class="content-pane">
  <div id="repository-toolbar">

-    <% if can_create_repository_rows?(@repository.team) %>
+    <% if can_create_repository_rows?(@repository) %>
      <button type="button" class="btn btn-primary editAdd help_tooltips"
              id="addRepositoryRecord" onclick="onClickAddRecord()"
              data-tooltiplink="<%= I18n.t('tooltips.link.inventory.new') %>"
@ -40,13 +40,13 @@
            <li class="dropdown-header">
              <%= t("repositories.index.options_dropdown.header") %>
            </li>
-            <% if can_create_repository_columns?(@repository.team) %>
+            <% if can_create_repository_columns?(@repository) %>
              <li>
                <%= link_to t('repositories.index.options_dropdown.manage_columns'),
                            repository_repository_columns_path(@repository) %>
              </li>
            <% end %>
-            <% if can_create_repository_rows?(@repository.team) %>
+            <% if can_create_repository_rows?(@repository) %>
            <li>
              <a href="#" id="importRecordsButton" data-turbolinks="false">
                <%= t('repositories.index.options_dropdown.import_items') %>
@ -119,7 +119,7 @@

  <!-- These buttons are appended to table in javascript, after table initialization -->
  <div class="toolbarButtons" style="display:none">
-    <% if can_manage_repository_rows?(@repository.team) %>
+    <% if can_manage_repository_rows?(@repository) %>
      <button type="button" class="btn btn-default editAdd" id="editRepositoryRecord" onclick="onClickEdit()" disabled>
        <span class="fas fa-pencil-alt"></span>
        <span class="hidden-xs-custom"><%= t("repositories.edit_record") %></span>
--- a/spec/permissions/repositroy_permissions_spec.rb
+++ b/spec/permissions/repositroy_permissions_spec.rb
@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'RepositoryPermissions' do
+  include Canaid::Helpers::PermissionsHelper
+
+  let(:user) { create :user }
+  let(:repository) { build :repository, team: team }
+  let(:team) { create :team }
+
+  describe 'create_repository_rows, manage_repository_rows, create_repository_columns' do
+    context 'when team\'s repositroy' do
+      it 'should be true for admin' do
+        create :user_team, :admin, user: user, team: team
+
+        expect(can_create_repository_rows?(user, repository)).to be_truthy
+      end
+
+      it 'should be true for normal_user' do
+        create :user_team, :normal_user, user: user, team: team
+
+        expect(can_create_repository_rows?(user, repository)).to be_truthy
+      end
+
+      it 'should be false for guest' do
+        create :user_team, :guest, user: user, team: team
+
+        expect(can_create_repository_rows?(user, repository)).to be_falsey
+      end
+    end
+
+    context 'when shared repository' do
+      let(:new_team) { create :team }
+      let(:new_repository) { create :repository, team: new_team }
+
+      it 'should be true when have sharred repo with write' do
+        create :user_team, :normal_user, user: user, team: team
+        create :team_repository, :write, team: team, repository: new_repository
+
+        expect(can_create_repository_rows?(user, new_repository)).to be_truthy
+      end
+
+      it 'should be false when have sharred repo with read' do
+        create :user_team, :normal_user, user: user, team: team
+        create :team_repository, :read, team: team, repository: new_repository
+
+        expect(can_create_repository_rows?(user, new_repository)).to be_falsey
+      end
+
+      it 'should be false when do not have sharred repo' do
+        create :user_team, :normal_user, user: user, team: team
+        create :team_repository, :read, team: team
+
+        expect(can_create_repository_rows?(user, new_repository)).to be_falsey
+      end
+
+      it 'should be false when have sharred repo with write but user is guest' do
+        create :user_team, :guest, user: user, team: team
+        create :team_repository, :write, team: team, repository: new_repository
+
+        expect(can_create_repository_rows?(user, new_repository)).to be_falsey
+      end
+    end
+  end
+end