diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 678f4b7aa..3143debb3 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -13,6 +13,15 @@ class ApplicationController < ActionController::Base around_action :set_time_zone, if: :current_user layout 'main' + def respond_422(message = t('client_api.permission_error')) + respond_to do |format| + format.json do + render json: { message: message }, + status: 422 + end + end + end + def forbidden render_403 end diff --git a/app/controllers/client_api/teams/teams_controller.rb b/app/controllers/client_api/teams/teams_controller.rb index f003a66da..468c1c098 100644 --- a/app/controllers/client_api/teams/teams_controller.rb +++ b/app/controllers/client_api/teams/teams_controller.rb @@ -3,6 +3,8 @@ module ClientApi class TeamsController < ApplicationController include ClientApi::Users::UserTeamsHelper + before_action :check_update_team_permission, only: :update + def index teams = current_user.datatables_teams success_response(template: '/client_api/teams/index', @@ -67,6 +69,13 @@ module ClientApi params.require(:team).permit(:name, :description) end + def check_update_team_permission + @team = Team.find_by_id(params[:team_id]) + unless can_update_team?(@team) + respond_422(t('client_api.teams.permission_error')) + end + end + def success_response(args = {}) template = args.fetch(:template) { nil } locals = args.fetch(:locals) { {} } diff --git a/app/controllers/client_api/users/invitations_controller.rb b/app/controllers/client_api/users/invitations_controller.rb index f6636b516..44bf4c93a 100644 --- a/app/controllers/client_api/users/invitations_controller.rb +++ b/app/controllers/client_api/users/invitations_controller.rb 
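Review bot: respond_422 answers a failed permission check with 422 Unprocessable Entity, which a client cannot tell apart from a validation failure; since this commit funnels all three permission checks through the one helper, it is the natural place to switch to `status: :forbidden`, in line with the render_403 path that forbidden already uses just below. The respond_to block only declares format.json, so a non-JSON request that fails the check is answered by ActionController::UnknownFormat instead of this message; either document that the helper is JSON-only or add a `format.any { head :forbidden }` branch. The method is also placed in the public section next to forbidden, and unless a private/protected marker above the hunk covers it (not visible here) Rails will treat it as an action method on every subclass, so moving it under private is the safer placement. A one-line comment such as `# Render a JSON error body for a denied permission check; rendering here halts the before_action chain.` would make the halting behaviour explicit for callers.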
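Review bot: check_update_team_permission does not handle a missing team: when `Team.find_by_id(params[:team_id])` returns nil the request reaches `can_update_team?(nil)`, and the outcome then depends on `user.is_admin_of_team?(nil)` in app/permissions/team.rb tolerating nil, which this diff does not show; an unknown id is better refused explicitly with `return head(:not_found) unless @team` ahead of the permission check. The same lookup-then-check shape is in check_manage_user_team_permission in user_teams_controller.rb. If the update route exposes the team as `params[:id]` rather than `params[:team_id]` (the routes are not in this diff), the lookup is always nil and every update is refused with the permission error, so the parameter name should be confirmed against the route. The invitations check in invitations_controller.rb instead guards with `if @team && …`, which skips the refusal entirely when the team is missing and leaves the action to cope with nil; the three checks should settle on one behaviour for a failed lookup.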
@@ -34,12 +34,7 @@ module ClientApi def check_invite_users_permission @team = Team.find_by_id(params[:team_id]) if @team && !can_create_user_team?(@team) - respond_to do |format| - format.json do - render json: t('client_api.invite_users.permission_error'), - status: 422 - end - end + respond_422(t('client_api.invite_users.permission_error')) end end end diff --git a/app/controllers/client_api/users/user_teams_controller.rb b/app/controllers/client_api/users/user_teams_controller.rb index afe4df565..64e23076d 100644 --- a/app/controllers/client_api/users/user_teams_controller.rb +++ b/app/controllers/client_api/users/user_teams_controller.rb @@ -49,12 +49,7 @@ module ClientApi def check_manage_user_team_permission @user_team = UserTeam.find_by_id(params[:user_team]) unless can_update_or_delete_user_team?(@user_team) - respond_to do |format| - format.json do - render json: t('client_api.user_teams.permission_error'), - status: 422 - end - end + respond_422(t('client_api.user_teams.permission_error')) end end diff --git a/app/javascript/src/scenes/SettingsPage/scenes/team/components/UpdateTeamDescriptionModal.jsx b/app/javascript/src/scenes/SettingsPage/scenes/team/components/UpdateTeamDescriptionModal.jsx index 7f2625767..52b0c0ddc 100644 --- a/app/javascript/src/scenes/SettingsPage/scenes/team/components/UpdateTeamDescriptionModal.jsx +++ b/app/javascript/src/scenes/SettingsPage/scenes/team/components/UpdateTeamDescriptionModal.jsx @@ -54,7 +54,7 @@ class UpdateTeamDescriptionModal extends Component { this.onCloseModal(); }) .catch(error => { - (this: any).form.setErrorsForTag('description', [error.message]) + (this: any).form.setErrorsForTag('description', error.response.data.message) }); } diff --git a/app/javascript/src/scenes/SettingsPage/scenes/team/components/UpdateTeamNameModal.jsx b/app/javascript/src/scenes/SettingsPage/scenes/team/components/UpdateTeamNameModal.jsx index 0432c0a8f..0335962b7 100644 
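Review bot: The new catch handler dereferences `error.response.data.message` unconditionally, but an axios-style error object (which the `error.response.data` access implies) carries no `response` when the request never reached the server or when the reply body is not JSON, so the handler itself throws a TypeError inside the catch and the form shows no error at all. The same line is changed in UpdateTeamNameModal.jsx. The argument also changed from the array `[error.message]` to a bare string; setErrorsForTag is not in this diff, so confirm which shape it expects and keep it consistent between the two modals. A guarded form such as `const message = error.response && error.response.data ? error.response.data.message : error.message;` followed by `(this: any).form.setErrorsForTag('description', message);` (or `[message]`, per setErrorsForTag's contract) covers both cases.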
--- a/app/javascript/src/scenes/SettingsPage/scenes/team/components/UpdateTeamNameModal.jsx +++ b/app/javascript/src/scenes/SettingsPage/scenes/team/components/UpdateTeamNameModal.jsx @@ -54,7 +54,7 @@ class UpdateTeamNameModal extends Component { this.onCloseModal(); }) .catch(error => { - (this: any).form.setErrorsForTag("name", [error.message]); + (this: any).form.setErrorsForTag("name", error.response.data.message); }); } diff --git a/app/permissions/organization.rb b/app/permissions/organization.rb index e69de29bb..eb9350f22 100644 --- a/app/permissions/organization.rb +++ b/app/permissions/organization.rb @@ -0,0 +1,6 @@ +Canaid::Permissions.register_generic do + can :create_team do |user| + # TBD + true + end +end diff --git a/app/permissions/team.rb b/app/permissions/team.rb index a3ee98f50..3e530c664 100644 --- a/app/permissions/team.rb +++ b/app/permissions/team.rb @@ -4,6 +4,11 @@ Canaid::Permissions.register_for(Team) do user.is_member_of_team?(team) end + # edit team name, edit team description + can :update_team do |user, team| + user.is_admin_of_team?(team) + end + # invite user to team can :create_user_team do |user, team| user.is_admin_of_team?(team) diff --git a/config/locales/en.yml b/config/locales/en.yml index f3d868cd5..259b0ab9b 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -1817,12 +1817,15 @@ en: by: 'by' client_api: + permission_error: "You don't have permission for this action." invalid_arguments: "Invalid arguments" generic_error_message: "Something went wrong! Please try again later." user_teams: permission_error: "You don't have permission to manage users." leave_team_error: "An error occured." leave_flash: "Successfuly left team %{team}." + teams: + permission_error: "You don't have permission to edit team." user: current_password_invalid: "incorrect password" password_confirmation_not_match: "doesn't match"
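Review bot: The new create_team permission grants unconditionally (`# TBD` followed by `true`), so any caller of can_create_team? passes for every user until the rule is written, and a permission that defaults to allow fails on the wrong side. If nothing consumes it yet that should be stated in the file; otherwise deny until the real rule exists. In either case replace the bare `# TBD` with something a later reader can act on, e.g. `# TODO: team creation is currently open to every user; restrict before any create endpoint relies on this.`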