From 14dea697178956552c24fe322600730c2c201735 Mon Sep 17 00:00:00 2001
From: Anton
Date: Tue, 1 Oct 2024 11:55:44 +0200
Subject: [PATCH] update permissions for shared locations [SCI-11118]
---
 .../storage_location_repository_rows_controller.rb | 2 +-
 app/controllers/storage_locations_controller.rb | 3 +++
 .../vue/storage_locations/modals/move_tree.vue | 2 +-
 app/javascript/vue/storage_locations/table.vue | 10 +++++++---
 app/permissions/storage_location.rb | 4 ++++
 app/views/storage_locations/index.html.erb | 8 ++++++--
 app/views/storage_locations/show.html.erb | 2 +-
 7 files changed, 23 insertions(+), 8 deletions(-)
diff --git a/app/controllers/storage_location_repository_rows_controller.rb b/app/controllers/storage_location_repository_rows_controller.rb
index 2f7309611..8aa723387 100644
--- a/app/controllers/storage_location_repository_rows_controller.rb
+++ b/app/controllers/storage_location_repository_rows_controller.rb
@@ -123,7 +123,7 @@ class StorageLocationRepositoryRowsController < ApplicationController
 end
 def check_manage_permissions
- render_403 unless can_manage_storage_location?(@storage_location)
+ render_403 unless can_create_storage_location_repository_rows?(@storage_location)
 end
 def log_activity(type_of, message_items = {})
diff --git a/app/controllers/storage_locations_controller.rb b/app/controllers/storage_locations_controller.rb
index 5c9dc9a62..965d766a0 100644
--- a/app/controllers/storage_locations_controller.rb
+++ b/app/controllers/storage_locations_controller.rb
@@ -197,6 +197,7 @@ class StorageLocationsController < ApplicationController
 def load_storage_location
 @storage_location = StorageLocation.find(storage_location_params[:id])
+ @parent_location = @storage_location.parent
 render_404 unless can_read_storage_location?(@storage_location)
 end
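Review bot: `check_manage_permissions` in the rows controller now enforces `can_create_storage_location_repository_rows?`, which the `app/permissions/storage_location.rb` hunk of this patch defines as nothing more than `can_read_storage_location?`, so every action behind this filter is reachable with read access alone. The filter's action list is outside the hunk; if it also covers updating, moving or removing row assignments, anyone who can merely view a shared location could presumably change its contents. The same predicate now drives `:can-manage` in the `show.html.erb` hunk, so the UI will offer those controls as well. I would keep `can_manage_storage_location?` on the mutating actions and give creation its own filter, or define the new permission with something stricter than read access. At minimum the callback should be renamed and carry a comment such as `# row assignment is allowed for anyone who can read the location`.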
@@ -205,6 +206,8 @@ class StorageLocationsController < ApplicationController
 end
 def check_create_permissions
+ render_403 if @parent_location && !can_manage_storage_location?(@parent_location.team)
+
 if storage_location_params[:container]
 render_403 unless can_create_storage_location_containers?(current_team)
 else
diff --git a/app/javascript/vue/storage_locations/modals/move_tree.vue b/app/javascript/vue/storage_locations/modals/move_tree.vue
index 7972a8b41..dfc872ec7 100644
--- a/app/javascript/vue/storage_locations/modals/move_tree.vue
+++ b/app/javascript/vue/storage_locations/modals/move_tree.vue
@@ -58,7 +58,7 @@ export default {
 }
 },
 managePermission(loc) {
- return loc.storage_location.parent_id ? this.canManage : loc.can_manage;
+ return (loc.storage_location.parent_id ? this.canManage : loc.can_manage) || loc.storage_location.container;
 }
 }
 };
diff --git a/app/javascript/vue/storage_locations/table.vue b/app/javascript/vue/storage_locations/table.vue
index 34fb86c42..e13803ff0 100644
--- a/app/javascript/vue/storage_locations/table.vue
+++ b/app/javascript/vue/storage_locations/table.vue
@@ -91,7 +91,11 @@ export default {
 },
 directUploadUrl: {
 type: String
- }
+ },
+ canCreateLocation: Boolean,
+ canCreateContainer: Boolean,
+ canManageParent: Boolean,
+ hasParent: Boolean
 },
 data() {
 return {
@@ -161,7 +165,7 @@ export default {
 },
 toolbarActions() {
 const left = [];
- if (this.createLocationUrl) {
+ if (this.canCreateLocation && (this.canManageParent || !this.hasParent)) {
 left.push({
 name: 'create_location',
 icon: 'sn-icon sn-icon-new-task',
@@ -172,7 +176,7 @@ export default {
 });
 }
- if (this.createLocationInstanceUrl) {
+ if (this.canCreateContainer && (this.canManageParent || !this.hasParent)) {
 left.push({
 name: 'create_container',
 icon: 'sn-icon sn-icon-item',
diff --git a/app/permissions/storage_location.rb b/app/permissions/storage_location.rb
index 58128d9cf..ec2595db4 100644
--- a/app/permissions/storage_location.rb
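Review bot: The new guard at the top of `check_create_permissions` does not stop the method, so after it renders 403 the `if`/`else` below can call `render_403` again, which (assuming that helper renders) Rails raises as a double render. The guard also hands `@parent_location.team` to `can_manage_storage_location?`, while every other call visible in this patch passes that predicate a StorageLocation, so the check may never evaluate the parent itself. I would write it as `return render_403 if @parent_location && !can_manage_storage_location?(@parent_location)`. In this patch `@parent_location` is only assigned in `load_storage_location` (previous hunk), and whether that filter runs before create is not visible here; if it does not, the value is nil and the guard is skipped, so the check fails open. The method body continues outside the hunk.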
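Review bot: `managePermission` in `move_tree.vue` now returns a truthy value for every container regardless of `this.canManage` or `loc.can_manage`, so whatever this flag enables in the move tree is offered on containers the user may not manage. That is only a UI decision, so the move endpoint still has to re-check the target on the server, which is not visible in this patch. The result is also no longer strictly boolean when `container` is undefined; wrapping it as `return Boolean((loc.storage_location.parent_id ? this.canManage : loc.can_manage) || loc.storage_location.container);` keeps the contract. A one-line comment stating why containers bypass the manage check would help the next reader.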
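Review bot: The condition `(this.canManageParent || !this.hasParent)` is written out twice in `toolbarActions`, in the `create_location` hunk and again in the `create_container` hunk of `table.vue`. A computed property such as `canCreateHere() { return this.canManageParent || !this.hasParent; }` would keep the two branches in step. Both buttons also no longer depend on `createLocationUrl` / `createLocationInstanceUrl` being set; presumably the views always pass flag and URL together, but the `index.html.erb` hunk body is not readable on this page, so that is worth confirming. These props only hide buttons, and the actual authorization has to stay in the controller's `check_create_permissions`.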
+++ b/app/permissions/storage_location.rb
@@ -31,6 +31,10 @@ Canaid::Permissions.register_for(StorageLocation) do
 )
 end
+ can :create_storage_location_repository_rows do |user, storage_location|
+ can_read_storage_location?(user, storage_location)
+ end
+
 can :share_storage_location do |user, storage_location|
 user.current_team == storage_location.team &&
 storage_location.root? &&
diff --git a/app/views/storage_locations/index.html.erb b/app/views/storage_locations/index.html.erb
index a87d4abfd..110898cbf 100644
--- a/app/views/storage_locations/index.html.erb
+++ b/app/views/storage_locations/index.html.erb
@@ -12,10 +12,14 @@
diff --git a/app/views/storage_locations/show.html.erb b/app/views/storage_locations/show.html.erb
index 0037e222a..5c78f26f3 100644
--- a/app/views/storage_locations/show.html.erb
+++ b/app/views/storage_locations/show.html.erb
@@ -14,7 +14,7 @@
 ref="container"
 actions-url="<%= actions_toolbar_storage_location_storage_location_repository_rows_path(@storage_location) %>"
 data-source="<%= storage_location_storage_location_repository_rows_path(@storage_location) %>"
- :can-manage="<%= can_manage_storage_location?(@storage_location) %>"
+ :can-manage="<%= can_create_storage_location_repository_rows?(@storage_location) %>"
 :with-grid="<%= @storage_location.with_grid? %>"
 :grid-size="<%= @storage_location.grid_size.to_json %>"
 :container-id="<%= @storage_location.id %>"