refactor manage sample elements permissions again because of addons

2025-09-06 13:14:29 +08:00 · 2018-01-03 16:37:02 +01:00 · 2018-01-03 16:37:02 +01:00 · 0c519b8f03
commit 0c519b8f03
parent dc68b3068b
3 changed files with 18 additions and 5 deletions
--- a/app/controllers/custom_fields_controller.rb
+++ b/app/controllers/custom_fields_controller.rb
@ -3,7 +3,8 @@ class CustomFieldsController < ApplicationController

  before_action :load_vars, except: :create
  before_action :load_vars_nested, only: [:create, :destroy_html]
-  before_action :check_permissions
+  before_action :check_create_permissions, only: :create
+  before_action :check_update_and_delete_permissions, except: :create

  def create
    @custom_field = CustomField.new(custom_field_params)
@ -103,10 +104,14 @@ class CustomFieldsController < ApplicationController
    render_404 unless @team
  end

-  def check_permissions
+  def check_create_permissions
    render_403 unless can_manage_sample_elements?(@team)
  end

+  def check_update_and_delete_permissions
+    render_403 unless can_update_or_delete_custom_field?(@custom_field)
+  end
+
  def custom_field_params
    params.require(:custom_field).permit(:name)
  end
--- a/app/permissions/team.rb
+++ b/app/permissions/team.rb
@ -32,7 +32,8 @@ Canaid::Permissions.register_for(Team) do
    user.is_normal_user_or_admin_of_team?(team)
  end

-  # create, update, delete custom field, sample type and sample group
+  # create custom field
+  # create, update, delete sample type or sample group
  can :manage_sample_elements do |user, team|
    user.is_normal_user_or_admin_of_team?(team)
  end
@ -88,3 +89,10 @@ Canaid::Permissions.register_for(Sample) do
    can_manage_samples?(user, sample.team)
  end
 end
+
+Canaid::Permissions.register_for(CustomField) do
+  # update, delete custom field
+  can :update_or_delete_custom_field do |user, custom_field|
+    can_manage_sample_elements?(user, custom_field.team)
+  end
+end
--- a/app/views/shared/_samples.html.erb
+++ b/app/views/shared/_samples.html.erb
@ -148,8 +148,8 @@
        <% all_custom_fields.each do |cf| %>
        <th class="custom-field"
            id="<%= cf.id %>"
-            <%= 'data-editable' if can_manage_sample_elements?(@team) %>
-            <%= 'data-deletable' if can_manage_sample_elements?(@team) %>
+            <%= 'data-editable' if can_update_or_delete_custom_field?(cf) %>
+            <%= 'data-deletable' if can_update_or_delete_custom_field?(cf) %>
            <%= "data-edit-url='#{edit_team_custom_field_path(@team, cf)}'" %>
            <%= "data-update-url='#{team_custom_field_path(@team, cf)}'" %>
            <%= "data-destroy-html-url='#{team_custom_field_destroy_html_path(@team, cf)}'" %>