diff --git a/app/models/user_role.rb b/app/models/user_role.rb index dc1cc2b00..bd71722f0 100644 --- a/app/models/user_role.rb +++ b/app/models/user_role.rb @@ -1,8 +1,7 @@ # frozen_string_literal: true class UserRole < ApplicationRecord - before_update :prevent_update, if: :predefined? - + validate :prevent_update, on: :update, if: :predefined? validates :name, presence: true, length: { minimum: Constants::NAME_MIN_LENGTH, @@ -32,18 +31,35 @@ class UserRole < ApplicationRecord permissions: [ ProjectPermissions::READ, - ProjectPermissions::EXPERIMENTS_CREATE, + ProjectPermissions::READ_ARCHIVED, + ProjectPermissions::ACTIVITIES_READ, + ProjectPermissions::USERS_READ, + ProjectPermissions::COMMENTS_READ, ProjectPermissions::COMMENTS_CREATE, + ProjectPermissions::EXPERIMENTS_CREATE, ExperimentPermissions::READ, ExperimentPermissions::MANAGE, - ExperimentPermissions::ARCHIVE, - ExperimentPermissions::RESTORE, - ExperimentPermissions::CLONE, - ExperimentPermissions::TASKS_CREATE, + ExperimentPermissions::TASKS_MANAGE, MyModulePermissions::READ, + MyModulePermissions::MANAGE, + MyModulePermissions::RESULTS_MANAGE, + MyModulePermissions::PROTOCOL_MANAGE, + MyModulePermissions::STEPS_MANAGE, + MyModulePermissions::TAGS_MANAGE, MyModulePermissions::COMMENTS_CREATE, + MyModulePermissions::COMMENTS_MANAGE, + MyModulePermissions::COMMENTS_MANAGE_OWN, + MyModulePermissions::COMPLETE, MyModulePermissions::UPDATE_STATUS, - MyModulePermissions::REPOSITORY_ROWS_ASSIGN + MyModulePermissions::STEPS_COMPLETE, + MyModulePermissions::STEPS_UNCOMPLETE, + MyModulePermissions::STEPS_CHECKLIST_CHECK, + MyModulePermissions::STEPS_CHECKLIST_UNCHECK, + MyModulePermissions::STEPS_COMMENTS_CREATE, + MyModulePermissions::STEPS_COMMENTS_DELETE_OWN, + MyModulePermissions::STEPS_COMMENT_UPDATE_OWN, + MyModulePermissions::REPOSITORY_ROWS_ASSIGN, + MyModulePermissions::REPOSITORY_ROWS_MANAGE ], predefined: true ) 
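Review bot: The new `validate :prevent_update, on: :update, if: :predefined?` guard is skipped by every write path that bypasses validations — `update_attribute`, `update_column(s)`, `update_all`, `save(validate: false)` — whereas the removed `before_update` callback still fired on `update_attribute`; the rake task added later in this same diff relies on exactly that bypass. If the intent is that predefined roles are immutable except through that task, record it next to the line, e.g. `# Validation-level guard only: deliberately bypassable via update_attribute (see data:reset_predefined_user_roles)`. Nothing in this hunk protects a predefined role from `destroy`; a `before_destroy` may exist outside the hunk, but if it does not, the immutability this guard advertises is only partial.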
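Review bot: The permission array of the predefined role defined above this hunk gains `MyModulePermissions::COMMENTS_MANAGE` alongside `COMMENTS_MANAGE_OWN`, plus `MyModulePermissions::MANAGE` and `REPOSITORY_ROWS_MANAGE`, and through the experiment permission changes elsewhere in this commit `ExperimentPermissions::MANAGE` now also implies archive, restore, clone and move. That is a broadening of a built-in role rather than a rename, and nothing in the diff marks it as such; a one-line comment above the array such as `# NOTE: broader than before — MANAGE now implies archive/restore/clone/move; COMMENTS_MANAGE covers other users' comments` would make the widening visible to whoever reviews role defaults. Existing installations only pick this up by running `data:reset_predefined_user_roles`, which the task description should say. The enclosing role definition starts before the hunk.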
@@ -55,12 +71,29 @@ class UserRole < ApplicationRecord permissions: [ ProjectPermissions::READ, + ProjectPermissions::READ_ARCHIVED, + ProjectPermissions::ACTIVITIES_READ, + ProjectPermissions::USERS_READ, + ProjectPermissions::COMMENTS_READ, ProjectPermissions::COMMENTS_CREATE, ExperimentPermissions::READ, + ExperimentPermissions::READ_ARCHIVED, + ExperimentPermissions::ACTIVITIES_READ, + ExperimentPermissions::USERS_READ, MyModulePermissions::READ, MyModulePermissions::COMMENTS_CREATE, + MyModulePermissions::COMMENTS_MANAGE_OWN, + MyModulePermissions::COMPLETE, MyModulePermissions::UPDATE_STATUS, - MyModulePermissions::REPOSITORY_ROWS_ASSIGN + MyModulePermissions::STEPS_COMPLETE, + MyModulePermissions::STEPS_UNCOMPLETE, + MyModulePermissions::STEPS_CHECKLIST_CHECK, + MyModulePermissions::STEPS_CHECKLIST_UNCHECK, + MyModulePermissions::STEPS_COMMENTS_CREATE, + MyModulePermissions::STEPS_COMMENTS_DELETE_OWN, + MyModulePermissions::STEPS_COMMENT_UPDATE_OWN, + MyModulePermissions::REPOSITORY_ROWS_ASSIGN, + MyModulePermissions::REPOSITORY_ROWS_MANAGE ], predefined: true ) @@ -72,7 +105,14 @@ class UserRole < ApplicationRecord permissions: [ ProjectPermissions::READ, + ProjectPermissions::READ_ARCHIVED, + ProjectPermissions::ACTIVITIES_READ, + ProjectPermissions::USERS_READ, + ProjectPermissions::COMMENTS_READ, ExperimentPermissions::READ, + ExperimentPermissions::READ_ARCHIVED, + ExperimentPermissions::ACTIVITIES_READ, + ExperimentPermissions::USERS_READ, MyModulePermissions::READ ], predefined: true @@ -86,6 +126,6 @@ class UserRole < ApplicationRecord private def prevent_update - raise ActiveRecord::RecordInvalid, I18n.t('user_roles.predefined.unchangable_error_message') + errors.add(:base, I18n.t('user_roles.predefined.unchangable_error_message')) end end diff --git a/app/permissions/experiment.rb b/app/permissions/experiment.rb index f8a251223..81dd5c1df 100644 --- a/app/permissions/experiment.rb +++ b/app/permissions/experiment.rb 
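Review bot: Switching `prevent_update` from `raise ActiveRecord::RecordInvalid` to `errors.add(:base, ...)` changes the failure mode callers see: `update`/`save` on a predefined role now return `false` instead of raising, and only the bang variants still raise. Any caller that used the non-bang form and relied on the exception to abort (call sites are not visible here) now continues silently, so those sites need to check the return value or switch to `update!`. A short comment on the method, `# Adds a base error so save/update return false (save!/update! raise RecordInvalid); skipped by update_attribute/update_column`, would make the contract explicit.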
@@ -20,6 +20,10 @@ Canaid::Permissions.register_for(Experiment) do experiment.permission_granted?(user, ExperimentPermissions::READ) end + can :read_users_of_experiment do |user, project| + project.permission_granted?(user, ExperimentPermissions::USERS_READ) + end + # experiment: create/update/delete # canvas: update # module: create, copy, reposition, create/update/delete connection, @@ -40,12 +44,12 @@ Canaid::Permissions.register_for(Experiment) do # experiment: manage access policies can :manage_experiment_access do |user, experiment| - experiment.permission_granted?(user, ExperimentPermissions::MANAGE_ACCESS) + experiment.permission_granted?(user, ExperimentPermissions::USERS_MANAGE) end # experiment: archive can :archive_experiment do |user, experiment| - experiment.permission_granted?(user, ExperimentPermissions::ARCHIVE) + experiment.permission_granted?(user, ExperimentPermissions::MANAGE) end # NOTE: Must not be dependent on canaid parmision for which we check if it's @@ -53,19 +57,19 @@ Canaid::Permissions.register_for(Experiment) do # experiment: restore can :restore_experiment do |user, experiment| project = experiment.project - experiment.permission_granted?(user, ExperimentPermissions::RESTORE) && + experiment.permission_granted?(user, ExperimentPermissions::MANAGE) && experiment.archived? && project.active? end # experiment: copy can :clone_experiment do |user, experiment| - experiment.permission_granted?(user, ExperimentPermissions::CLONE) + experiment.permission_granted?(user, ExperimentPermissions::MANAGE) end # experiment: move can :move_experiment do |user, experiment| - experiment.permission_granted?(user, ExperimentPermissions::MOVE) + experiment.permission_granted?(user, ExperimentPermissions::MANAGE) end end diff --git a/app/permissions/my_module.rb b/app/permissions/my_module.rb index 09167faa9..9f1f8f2c8 100644 --- a/app/permissions/my_module.rb +++ b/app/permissions/my_module.rb 
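Review bot: The new `can :read_users_of_experiment` block names its second parameter `project` although the ability is registered for `Experiment` and is checked against `ExperimentPermissions::USERS_READ`, so the receiver is an experiment; every sibling ability in this file uses `|user, experiment|`. Rename it — `can :read_users_of_experiment do |user, experiment|` / `experiment.permission_granted?(user, ExperimentPermissions::USERS_READ)` — so a reader does not assume a project-level check is being made. The object is the same either way, so this is a naming point rather than a defect.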
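Review bot: `archive_experiment` now keys on `ExperimentPermissions::MANAGE`, the same value that gates create/update/delete, and the following hunk does the same for restore, clone and move, so a role can no longer be granted edit rights on an experiment without also being able to archive, clone or move it. That is presumably the intended consolidation, but the comment block above these abilities still describes the operations as separately granted; update it, e.g. `# experiment: archive/restore/clone/move — all gated by MANAGE since the per-action permissions were removed`. `manage_experiment_access` switching to `USERS_MANAGE` is a plain rename and needs no comment beyond that.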
@@ -36,15 +36,15 @@ Canaid::Permissions.register_for(MyModule) do end can :update_my_module_start_date do |user, my_module| - my_module.permission_granted?(user, MyModulePermissions::UPDATE_START_DATE) + my_module.permission_granted?(user, MyModulePermissions::MANAGE) end can :update_my_module_due_date do |user, my_module| - my_module.permission_granted?(user, MyModulePermissions::UPDATE_DUE_DATE) + my_module.permission_granted?(user, MyModulePermissions::MANAGE) end can :update_my_module_notes do |user, my_module| - my_module.permission_granted?(user, MyModulePermissions::UPDATE_NOTES) + my_module.permission_granted?(user, MyModulePermissions::MANAGE) end can :manage_my_module_tags do |user, my_module| @@ -96,11 +96,11 @@ Canaid::Permissions.register_for(MyModule) do end can :check_my_module_steps do |user, my_module| - my_module.permission_granted?(user, MyModulePermissions::STEPS_CHECK) + my_module.permission_granted?(user, MyModulePermissions::STEPS_CHECKLIST_CHECK) end can :uncheck_my_module_steps do |user, my_module| - my_module.permission_granted?(user, MyModulePermissions::STEPS_UNCHECK) + my_module.permission_granted?(user, MyModulePermissions::STEPS_CHECKLIST_UNCHECK) end can :create_comments_in_my_module_steps do |user, my_module| diff --git a/app/permissions/project.rb b/app/permissions/project.rb index 6655f38bd..9ec1cda28 100644 --- a/app/permissions/project.rb +++ b/app/permissions/project.rb @@ -38,10 +38,6 @@ Canaid::Permissions.register_for(Project) do end end - can :read_project_folders do |user, project| - project.permission_granted?(user, ProjectPermissions::FOLDERS_READ) - end - can :manage_project_users do |user, project| project.permission_granted?(user, ProjectPermissions::USERS_MANAGE) end 
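Review bot: Removing `can :read_project_folders` (and, in the next hunk, the five `read_*_of_project_experiments` abilities) deletes generated predicates such as `can_read_project_folders?` that views or controllers may still call; a stale caller fails only at runtime on that code path, and the controller spec in this diff would not exercise it. A grep for `read_project_folders` and `of_project_experiments` across app/ and spec/ before merging would confirm no callers remain — none are visible here. If `read_project` is meant to supersede them, one line in the commit message saying so would save future archaeology.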
@@ -58,26 +54,6 @@ Canaid::Permissions.register_for(Project) do project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_CREATE) end - can :read_project_experiments do |user, project| - project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ) - end - - can :read_archived_project_experiments do |user, project| - project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_ARCHIVED) - end - - can :read_canvas_of_project_experiments do |user, project| - project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_CANVAS) - end - - can :read_activities_of_project_experiments do |user, project| - project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_ACTIVITIES_READ) - end - - can :read_users_of_project_experiments do |user, project| - project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_USERS_READ) - end - can :create_project_comments do |user, project| project.permission_granted?(user, ProjectPermissions::COMMENTS_CREATE) end diff --git a/config/initializers/extends/permission_extends.rb b/config/initializers/extends/permission_extends.rb index d1f711b61..774768c2b 100644 --- a/config/initializers/extends/permission_extends.rb +++ b/config/initializers/extends/permission_extends.rb @@ -6,33 +6,26 @@ module PermissionExtends READ READ_ARCHIVED MANAGE - FOLDERS_READ ACTIVITIES_READ USERS_READ USERS_MANAGE COMMENTS_READ COMMENTS_CREATE COMMENTS_MANAGE - EXPERIMENTS_READ - EXPERIMENTS_READ_ARCHIVED + TAGS_MANAGE EXPERIMENTS_CREATE - EXPERIMENTS_READ_CANVAS - EXPERIMENTS_ACTIVITIES_READ - EXPERIMENTS_USERS_READ - TASKS_MANAGE ).each { |permission| const_set(permission, "project_#{permission.underscore}") } end module ExperimentPermissions %w( READ + READ_ARCHIVED + ACTIVITIES_READ MANAGE - ARCHIVE - RESTORE - CLONE - MOVE - TASKS_CREATE - MANAGE_ACCESS + TASKS_MANAGE + USERS_READ + USERS_MANAGE ).each { |permission| const_set(permission, "experiment_#{permission.underscore}") } end 
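Review bot: Dropping constants from `ProjectPermissions` and `ExperimentPermissions` leaves any persisted `permissions` arrays that still hold the old strings (`project_experiments_read`, `experiment_archive`, `experiment_clone`, `experiment_move`, `experiment_manage_access`, the old STEPS_CHECK/STEPS_UNCHECK values, …) pointing at values no ability checks any more, and nothing in this diff migrates them. The new rake task resets only the four predefined roles, so custom roles — whose existence the `predefined` flag implies — would silently lose archive/clone/move and access-management rights until someone edits them, while keeping inert strings in the column. A data migration that maps the removed strings to their successors (`ARCHIVE`/`RESTORE`/`CLONE`/`MOVE` → `MANAGE`, `MANAGE_ACCESS` → `USERS_MANAGE`, `STEPS_CHECK` → `STEPS_CHECKLIST_CHECK`, and so on), or at minimum a comment in this module listing the renames, is needed. Whether promoting granular rights up to `MANAGE` is the desired expansion for those custom roles is a product decision that should be made explicitly rather than fall out of a constant rename.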
@@ -52,8 +45,8 @@ module PermissionExtends
 COMPLETE
 STEPS_COMPLETE
 STEPS_UNCOMPLETE
- STEPS_CHECK
- STEPS_UNCHECK
+ STEPS_CHECKLIST_CHECK
+ STEPS_CHECKLIST_UNCHECK
 STEPS_COMMENTS_CREATE
 STEPS_COMMENTS_DELETE
 STEPS_COMMENTS_DELETE_OWN
diff --git a/lib/tasks/data.rake b/lib/tasks/data.rake
index 32335818c..44e9131f9 100644
--- a/lib/tasks/data.rake
+++ b/lib/tasks/data.rake
@@ -161,4 +161,21 @@ namespace :data do
 task cleanup_blobs: :environment do
 ActiveStorage::Blob.unattached.find_each(&:purge_later)
 end
+
+ desc 'Reset to defaults all predefined user roles'
+ task reset_predefined_user_roles: :environment do
+ ActiveRecord::Base.transaction do
+ %i(owner_role normal_user_role technician_role viewer_role).each do |predefined_role|
+ reference_role = UserRole.public_send(predefined_role)
+ existing_role = UserRole.find_by(name: reference_role.name)
+ if existing_role.present?
+ # rubocop:disable Rails/SkipsModelValidations
+ existing_role.update_attribute(:permissions, reference_role.permissions)
+ # rubocop:enable Rails/SkipsModelValidations
+ else
+ reference_role.save!
+ end
+ end
+ end
+ end
 end
diff --git a/spec/permissions/controllers/experiments_controller_spec.rb b/spec/permissions/controllers/experiments_controller_spec.rb
index dec31fbcd..3a84b872c 100644
--- a/spec/permissions/controllers/experiments_controller_spec.rb
+++ b/spec/permissions/controllers/experiments_controller_spec.rb
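Review bot: `UserRole.find_by(name: reference_role.name)` selects the row to overwrite by name alone, so if the name is not unique among roles a custom role sharing a predefined name would have its permissions replaced; `UserRole.find_by(name: reference_role.name, predefined: true)` narrows it to the intended rows without depending on a uniqueness validation that may or may not exist above the hunk in user_role.rb. `update_attribute` is what gets the task past the new `prevent_update` validation, but it also skips every other validation, which deserves a comment instead of just a rubocop toggle: `# update_attribute skips validations on purpose: prevent_update would otherwise reject predefined roles`. Logging which roles were reset would also help, since the task is silent on success and is the only sanctioned write path to these rows.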
@@ -61,51 +61,51 @@ describe ExperimentsController, type: :controller do it_behaves_like "a controller action with permissions checking", :put, :update do let(:testable) { experiment } - let(:permissions) { [ExperimentPermissions::MANAGE, ExperimentPermissions::RESTORE] } + let(:permissions) { [ExperimentPermissions::MANAGE, ExperimentPermissions::MANAGE] } let(:action_params) { { id: experiment.id, experiment: { name: 'Test1' } } } end it_behaves_like "a controller action with permissions checking", :post, :archive do let(:testable) { experiment } - let(:permissions) { [ExperimentPermissions::ARCHIVE] } + let(:permissions) { [ExperimentPermissions::MANAGE] } let(:action_params) { { id: experiment.id } } end it_behaves_like "a controller action with permissions checking", :post, :archive_group do let(:testable) { experiment } - let(:permissions) { [ExperimentPermissions::ARCHIVE] } + let(:permissions) { [ExperimentPermissions::MANAGE] } let(:action_params) { { project_id: project.id, experiments_ids: [experiment.id] } } let(:custom_response_status) { :unprocessable_entity } end it_behaves_like "a controller action with permissions checking", :post, :restore_group do let(:testable) { experiment } - let(:permissions) { [ExperimentPermissions::RESTORE] } + let(:permissions) { [ExperimentPermissions::MANAGE] } let(:action_params) { { project_id: project.id, experiments_ids: [experiment.id] } } let(:custom_response_status) { :unprocessable_entity } end it_behaves_like "a controller action with permissions checking", :get, :clone_modal do let(:testable) { experiment } - let(:permissions) { [ExperimentPermissions::CLONE] } + let(:permissions) { [ExperimentPermissions::MANAGE] } let(:action_params) { { id: experiment.id } } end it_behaves_like "a controller action with permissions checking", :post, :clone do let(:testable) { experiment } - let(:permissions) { [ExperimentPermissions::CLONE] } + let(:permissions) { [ExperimentPermissions::MANAGE] } let(:action_params) { { 
id: experiment.id } } end it_behaves_like "a controller action with permissions checking", :get, :move_modal do let(:testable) { experiment } - let(:permissions) { [ExperimentPermissions::MOVE] } + let(:permissions) { [ExperimentPermissions::MANAGE] } let(:action_params) { { id: experiment.id } } end it_behaves_like "a controller action with permissions checking", :post, :move do let(:testable) { experiment } - let(:permissions) { [ExperimentPermissions::MOVE] } + let(:permissions) { [ExperimentPermissions::MANAGE] } let(:action_params) { { id: experiment.id } } end
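Review bot: In the `:put, :update` example the permission list became `[ExperimentPermissions::MANAGE, ExperimentPermissions::MANAGE]` — the mechanical `RESTORE` → `MANAGE` substitution left a duplicate where the original meant two distinct permissions. It should read `let(:permissions) { [ExperimentPermissions::MANAGE] }`; as written the shared example, which presumably revokes each listed permission in turn, checks the same thing twice and the duplicate adds nothing. Separately, no spec change covers the `MyModule` abilities that moved to `MANAGE` or the new `read_users_of_experiment` ability; those specs may live outside this diff.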