Merge pull request #3558 from okriuchykhin/ok_SCI_6076

Update existing roles with new permissions/abilities [SCI-6076]
Alex Kriuchykhin 2021-09-24 10:32:57 +02:00 committed by GitHub
commit 19bac6ce68
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 97 additions and 67 deletions


@ -1,8 +1,7 @@
# frozen_string_literal: true # frozen_string_literal: true
class UserRole < ApplicationRecord class UserRole < ApplicationRecord
before_update :prevent_update, if: :predefined? validate :prevent_update, on: :update, if: :predefined?
validates :name, validates :name,
presence: true, presence: true,
length: { minimum: Constants::NAME_MIN_LENGTH, length: { minimum: Constants::NAME_MIN_LENGTH,
@ -32,18 +31,35 @@ class UserRole < ApplicationRecord
permissions: permissions:
[ [
ProjectPermissions::READ, ProjectPermissions::READ,
ProjectPermissions::EXPERIMENTS_CREATE, ProjectPermissions::READ_ARCHIVED,
ProjectPermissions::ACTIVITIES_READ,
ProjectPermissions::USERS_READ,
ProjectPermissions::COMMENTS_READ,
ProjectPermissions::COMMENTS_CREATE, ProjectPermissions::COMMENTS_CREATE,
ProjectPermissions::EXPERIMENTS_CREATE,
ExperimentPermissions::READ, ExperimentPermissions::READ,
ExperimentPermissions::MANAGE, ExperimentPermissions::MANAGE,
ExperimentPermissions::ARCHIVE, ExperimentPermissions::TASKS_MANAGE,
ExperimentPermissions::RESTORE,
ExperimentPermissions::CLONE,
ExperimentPermissions::TASKS_CREATE,
MyModulePermissions::READ, MyModulePermissions::READ,
MyModulePermissions::MANAGE,
MyModulePermissions::RESULTS_MANAGE,
MyModulePermissions::PROTOCOL_MANAGE,
MyModulePermissions::STEPS_MANAGE,
MyModulePermissions::TAGS_MANAGE,
MyModulePermissions::COMMENTS_CREATE, MyModulePermissions::COMMENTS_CREATE,
MyModulePermissions::COMMENTS_MANAGE,
MyModulePermissions::COMMENTS_MANAGE_OWN,
MyModulePermissions::COMPLETE,
MyModulePermissions::UPDATE_STATUS, MyModulePermissions::UPDATE_STATUS,
MyModulePermissions::REPOSITORY_ROWS_ASSIGN MyModulePermissions::STEPS_COMPLETE,
MyModulePermissions::STEPS_UNCOMPLETE,
MyModulePermissions::STEPS_CHECKLIST_CHECK,
MyModulePermissions::STEPS_CHECKLIST_UNCHECK,
MyModulePermissions::STEPS_COMMENTS_CREATE,
MyModulePermissions::STEPS_COMMENTS_DELETE_OWN,
MyModulePermissions::STEPS_COMMENT_UPDATE_OWN,
MyModulePermissions::REPOSITORY_ROWS_ASSIGN,
MyModulePermissions::REPOSITORY_ROWS_MANAGE
], ],
predefined: true predefined: true
) )
@ -55,12 +71,29 @@ class UserRole < ApplicationRecord
permissions: permissions:
[ [
ProjectPermissions::READ, ProjectPermissions::READ,
ProjectPermissions::READ_ARCHIVED,
ProjectPermissions::ACTIVITIES_READ,
ProjectPermissions::USERS_READ,
ProjectPermissions::COMMENTS_READ,
ProjectPermissions::COMMENTS_CREATE, ProjectPermissions::COMMENTS_CREATE,
ExperimentPermissions::READ, ExperimentPermissions::READ,
ExperimentPermissions::READ_ARCHIVED,
ExperimentPermissions::ACTIVITIES_READ,
ExperimentPermissions::USERS_READ,
MyModulePermissions::READ, MyModulePermissions::READ,
MyModulePermissions::COMMENTS_CREATE, MyModulePermissions::COMMENTS_CREATE,
MyModulePermissions::COMMENTS_MANAGE_OWN,
MyModulePermissions::COMPLETE,
MyModulePermissions::UPDATE_STATUS, MyModulePermissions::UPDATE_STATUS,
MyModulePermissions::REPOSITORY_ROWS_ASSIGN MyModulePermissions::STEPS_COMPLETE,
MyModulePermissions::STEPS_UNCOMPLETE,
MyModulePermissions::STEPS_CHECKLIST_CHECK,
MyModulePermissions::STEPS_CHECKLIST_UNCHECK,
MyModulePermissions::STEPS_COMMENTS_CREATE,
MyModulePermissions::STEPS_COMMENTS_DELETE_OWN,
MyModulePermissions::STEPS_COMMENT_UPDATE_OWN,
MyModulePermissions::REPOSITORY_ROWS_ASSIGN,
MyModulePermissions::REPOSITORY_ROWS_MANAGE
], ],
predefined: true predefined: true
) )
@ -72,7 +105,14 @@ class UserRole < ApplicationRecord
permissions: permissions:
[ [
ProjectPermissions::READ, ProjectPermissions::READ,
ProjectPermissions::READ_ARCHIVED,
ProjectPermissions::ACTIVITIES_READ,
ProjectPermissions::USERS_READ,
ProjectPermissions::COMMENTS_READ,
ExperimentPermissions::READ, ExperimentPermissions::READ,
ExperimentPermissions::READ_ARCHIVED,
ExperimentPermissions::ACTIVITIES_READ,
ExperimentPermissions::USERS_READ,
MyModulePermissions::READ MyModulePermissions::READ
], ],
predefined: true predefined: true
@ -86,6 +126,6 @@ class UserRole < ApplicationRecord
private private
def prevent_update def prevent_update
raise ActiveRecord::RecordInvalid, I18n.t('user_roles.predefined.unchangable_error_message') errors.add(:base, I18n.t('user_roles.predefined.unchangable_error_message'))
end end
end end
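Review bot: The guard on predefined roles in the first hunk is now only a validation (`validate :prevent_update, on: :update, if: :predefined?`), so any write that skips validations (`update_attribute`, `update_column`, `update_all`, `save(validate: false)`) changes a predefined role's permissions without an error. The old `before_update` callback still ran for `update_attribute` and `save(validate: false)`. That is what lets the new rake task reset roles, but it should be stated next to the declaration, e.g. `# Validation only: validation-skipping writes bypass this guard; reserved for data:reset_predefined_user_roles.` Separately, the role in the `-32,18` hunk receives no `ExperimentPermissions::READ_ARCHIVED`, `ACTIVITIES_READ` or `USERS_READ`, while the roles in the two hunks after it do. If that is not intended, users in that role will fail the new `read_users_of_experiment` check.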


@ -20,6 +20,10 @@ Canaid::Permissions.register_for(Experiment) do
experiment.permission_granted?(user, ExperimentPermissions::READ) experiment.permission_granted?(user, ExperimentPermissions::READ)
end end
can :read_users_of_experiment do |user, project|
project.permission_granted?(user, ExperimentPermissions::USERS_READ)
end
# experiment: create/update/delete # experiment: create/update/delete
# canvas: update # canvas: update
# module: create, copy, reposition, create/update/delete connection, # module: create, copy, reposition, create/update/delete connection,
@ -40,12 +44,12 @@ Canaid::Permissions.register_for(Experiment) do
# experiment: manage access policies # experiment: manage access policies
can :manage_experiment_access do |user, experiment| can :manage_experiment_access do |user, experiment|
experiment.permission_granted?(user, ExperimentPermissions::MANAGE_ACCESS) experiment.permission_granted?(user, ExperimentPermissions::USERS_MANAGE)
end end
# experiment: archive # experiment: archive
can :archive_experiment do |user, experiment| can :archive_experiment do |user, experiment|
experiment.permission_granted?(user, ExperimentPermissions::ARCHIVE) experiment.permission_granted?(user, ExperimentPermissions::MANAGE)
end end
# NOTE: Must not be dependent on canaid parmision for which we check if it's # NOTE: Must not be dependent on canaid parmision for which we check if it's
@ -53,19 +57,19 @@ Canaid::Permissions.register_for(Experiment) do
# experiment: restore # experiment: restore
can :restore_experiment do |user, experiment| can :restore_experiment do |user, experiment|
project = experiment.project project = experiment.project
experiment.permission_granted?(user, ExperimentPermissions::RESTORE) && experiment.permission_granted?(user, ExperimentPermissions::MANAGE) &&
experiment.archived? && experiment.archived? &&
project.active? project.active?
end end
# experiment: copy # experiment: copy
can :clone_experiment do |user, experiment| can :clone_experiment do |user, experiment|
experiment.permission_granted?(user, ExperimentPermissions::CLONE) experiment.permission_granted?(user, ExperimentPermissions::MANAGE)
end end
# experiment: move # experiment: move
can :move_experiment do |user, experiment| can :move_experiment do |user, experiment|
experiment.permission_granted?(user, ExperimentPermissions::MOVE) experiment.permission_granted?(user, ExperimentPermissions::MANAGE)
end end
end end
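Review bot: The new `read_users_of_experiment` ability names its block parameter `project`, although it is registered under `Canaid::Permissions.register_for(Experiment)` and checks `ExperimentPermissions::USERS_READ`, so the object is an experiment and the code reads like a project-level check. Rename it to match the other abilities in this file: `can :read_users_of_experiment do |user, experiment|` and `experiment.permission_granted?(user, ExperimentPermissions::USERS_READ)`. A one-line comment above `archive_experiment`, `restore_experiment`, `clone_experiment` and `move_experiment` should also say that all four now resolve to `ExperimentPermissions::MANAGE`, since anyone granted MANAGE gains every one of them. The `register_for` block starts outside these hunks.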


@ -36,15 +36,15 @@ Canaid::Permissions.register_for(MyModule) do
end end
can :update_my_module_start_date do |user, my_module| can :update_my_module_start_date do |user, my_module|
my_module.permission_granted?(user, MyModulePermissions::UPDATE_START_DATE) my_module.permission_granted?(user, MyModulePermissions::MANAGE)
end end
can :update_my_module_due_date do |user, my_module| can :update_my_module_due_date do |user, my_module|
my_module.permission_granted?(user, MyModulePermissions::UPDATE_DUE_DATE) my_module.permission_granted?(user, MyModulePermissions::MANAGE)
end end
can :update_my_module_notes do |user, my_module| can :update_my_module_notes do |user, my_module|
my_module.permission_granted?(user, MyModulePermissions::UPDATE_NOTES) my_module.permission_granted?(user, MyModulePermissions::MANAGE)
end end
can :manage_my_module_tags do |user, my_module| can :manage_my_module_tags do |user, my_module|
@ -96,11 +96,11 @@ Canaid::Permissions.register_for(MyModule) do
end end
can :check_my_module_steps do |user, my_module| can :check_my_module_steps do |user, my_module|
my_module.permission_granted?(user, MyModulePermissions::STEPS_CHECK) my_module.permission_granted?(user, MyModulePermissions::STEPS_CHECKLIST_CHECK)
end end
can :uncheck_my_module_steps do |user, my_module| can :uncheck_my_module_steps do |user, my_module|
my_module.permission_granted?(user, MyModulePermissions::STEPS_UNCHECK) my_module.permission_granted?(user, MyModulePermissions::STEPS_CHECKLIST_UNCHECK)
end end
can :create_comments_in_my_module_steps do |user, my_module| can :create_comments_in_my_module_steps do |user, my_module|


@ -38,10 +38,6 @@ Canaid::Permissions.register_for(Project) do
end end
end end
can :read_project_folders do |user, project|
project.permission_granted?(user, ProjectPermissions::FOLDERS_READ)
end
can :manage_project_users do |user, project| can :manage_project_users do |user, project|
project.permission_granted?(user, ProjectPermissions::USERS_MANAGE) project.permission_granted?(user, ProjectPermissions::USERS_MANAGE)
end end
@ -58,26 +54,6 @@ Canaid::Permissions.register_for(Project) do
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_CREATE) project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_CREATE)
end end
can :read_project_experiments do |user, project|
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ)
end
can :read_archived_project_experiments do |user, project|
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_ARCHIVED)
end
can :read_canvas_of_project_experiments do |user, project|
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_CANVAS)
end
can :read_activities_of_project_experiments do |user, project|
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_ACTIVITIES_READ)
end
can :read_users_of_project_experiments do |user, project|
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_USERS_READ)
end
can :create_project_comments do |user, project| can :create_project_comments do |user, project|
project.permission_granted?(user, ProjectPermissions::COMMENTS_CREATE) project.permission_granted?(user, ProjectPermissions::COMMENTS_CREATE)
end end


@ -6,33 +6,26 @@ module PermissionExtends
READ READ
READ_ARCHIVED READ_ARCHIVED
MANAGE MANAGE
FOLDERS_READ
ACTIVITIES_READ ACTIVITIES_READ
USERS_READ USERS_READ
USERS_MANAGE USERS_MANAGE
COMMENTS_READ COMMENTS_READ
COMMENTS_CREATE COMMENTS_CREATE
COMMENTS_MANAGE COMMENTS_MANAGE
EXPERIMENTS_READ TAGS_MANAGE
EXPERIMENTS_READ_ARCHIVED
EXPERIMENTS_CREATE EXPERIMENTS_CREATE
EXPERIMENTS_READ_CANVAS
EXPERIMENTS_ACTIVITIES_READ
EXPERIMENTS_USERS_READ
TASKS_MANAGE
).each { |permission| const_set(permission, "project_#{permission.underscore}") } ).each { |permission| const_set(permission, "project_#{permission.underscore}") }
end end
module ExperimentPermissions module ExperimentPermissions
%w( %w(
READ READ
READ_ARCHIVED
ACTIVITIES_READ
MANAGE MANAGE
ARCHIVE TASKS_MANAGE
RESTORE USERS_READ
CLONE USERS_MANAGE
MOVE
TASKS_CREATE
MANAGE_ACCESS
).each { |permission| const_set(permission, "experiment_#{permission.underscore}") } ).each { |permission| const_set(permission, "experiment_#{permission.underscore}") }
end end
@ -52,8 +45,8 @@ module PermissionExtends
COMPLETE COMPLETE
STEPS_COMPLETE STEPS_COMPLETE
STEPS_UNCOMPLETE STEPS_UNCOMPLETE
STEPS_CHECK STEPS_CHECKLIST_CHECK
STEPS_UNCHECK STEPS_CHECKLIST_UNCHECK
STEPS_COMMENTS_CREATE STEPS_COMMENTS_CREATE
STEPS_COMMENTS_DELETE STEPS_COMMENTS_DELETE
STEPS_COMMENTS_DELETE_OWN STEPS_COMMENTS_DELETE_OWN
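Review bot: Renaming and removing entries in these lists changes the string values the constants resolve to; for example, `experiment_archive` is no longer checked by any ability. Role records appear to store those strings, judging by the rake task in this commit that writes `reference_role.permissions`. A role saved before this change that still holds an old string would silently stop matching the corresponding check, and the task resets only the four predefined roles. If non-predefined roles can exist, they need a data migration. Either way a comment above each list would help, e.g. `# Values are persisted in UserRole#permissions; renaming or removing an entry needs a data migration.`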


@ -161,4 +161,21 @@ namespace :data do
task cleanup_blobs: :environment do task cleanup_blobs: :environment do
ActiveStorage::Blob.unattached.find_each(&:purge_later) ActiveStorage::Blob.unattached.find_each(&:purge_later)
end end
desc 'Reset to defaults all predefined user roles'
task reset_predefined_user_roles: :environment do
ActiveRecord::Base.transaction do
%i(owner_role normal_user_role technician_role viewer_role).each do |predefined_role|
reference_role = UserRole.public_send(predefined_role)
existing_role = UserRole.find_by(name: reference_role.name)
if existing_role.present?
# rubocop:disable Rails/SkipsModelValidations
existing_role.update_attribute(:permissions, reference_role.permissions)
# rubocop:enable Rails/SkipsModelValidations
else
reference_role.save!
end
end
end
end
end end
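Review bot: `UserRole.find_by(name: reference_role.name)` matches on name alone, so if a non-predefined role shares a name with a predefined one, the task overwrites that role's permissions with the predefined set and never creates the predefined role. No uniqueness constraint on `name` is visible in this commit, so scope the lookup: `existing_role = UserRole.find_by(name: reference_role.name, predefined: true)`. The `update_attribute` call skips validations on purpose to get past `prevent_update`. A short comment saying so next to the rubocop directive would keep it from being "corrected" to a validating update later.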


@ -61,51 +61,51 @@ describe ExperimentsController, type: :controller do
it_behaves_like "a controller action with permissions checking", :put, :update do it_behaves_like "a controller action with permissions checking", :put, :update do
let(:testable) { experiment } let(:testable) { experiment }
let(:permissions) { [ExperimentPermissions::MANAGE, ExperimentPermissions::RESTORE] } let(:permissions) { [ExperimentPermissions::MANAGE, ExperimentPermissions::MANAGE] }
let(:action_params) { { id: experiment.id, experiment: { name: 'Test1' } } } let(:action_params) { { id: experiment.id, experiment: { name: 'Test1' } } }
end end
it_behaves_like "a controller action with permissions checking", :post, :archive do it_behaves_like "a controller action with permissions checking", :post, :archive do
let(:testable) { experiment } let(:testable) { experiment }
let(:permissions) { [ExperimentPermissions::ARCHIVE] } let(:permissions) { [ExperimentPermissions::MANAGE] }
let(:action_params) { { id: experiment.id } } let(:action_params) { { id: experiment.id } }
end end
it_behaves_like "a controller action with permissions checking", :post, :archive_group do it_behaves_like "a controller action with permissions checking", :post, :archive_group do
let(:testable) { experiment } let(:testable) { experiment }
let(:permissions) { [ExperimentPermissions::ARCHIVE] } let(:permissions) { [ExperimentPermissions::MANAGE] }
let(:action_params) { { project_id: project.id, experiments_ids: [experiment.id] } } let(:action_params) { { project_id: project.id, experiments_ids: [experiment.id] } }
let(:custom_response_status) { :unprocessable_entity } let(:custom_response_status) { :unprocessable_entity }
end end
it_behaves_like "a controller action with permissions checking", :post, :restore_group do it_behaves_like "a controller action with permissions checking", :post, :restore_group do
let(:testable) { experiment } let(:testable) { experiment }
let(:permissions) { [ExperimentPermissions::RESTORE] } let(:permissions) { [ExperimentPermissions::MANAGE] }
let(:action_params) { { project_id: project.id, experiments_ids: [experiment.id] } } let(:action_params) { { project_id: project.id, experiments_ids: [experiment.id] } }
let(:custom_response_status) { :unprocessable_entity } let(:custom_response_status) { :unprocessable_entity }
end end
it_behaves_like "a controller action with permissions checking", :get, :clone_modal do it_behaves_like "a controller action with permissions checking", :get, :clone_modal do
let(:testable) { experiment } let(:testable) { experiment }
let(:permissions) { [ExperimentPermissions::CLONE] } let(:permissions) { [ExperimentPermissions::MANAGE] }
let(:action_params) { { id: experiment.id } } let(:action_params) { { id: experiment.id } }
end end
it_behaves_like "a controller action with permissions checking", :post, :clone do it_behaves_like "a controller action with permissions checking", :post, :clone do
let(:testable) { experiment } let(:testable) { experiment }
let(:permissions) { [ExperimentPermissions::CLONE] } let(:permissions) { [ExperimentPermissions::MANAGE] }
let(:action_params) { { id: experiment.id } } let(:action_params) { { id: experiment.id } }
end end
it_behaves_like "a controller action with permissions checking", :get, :move_modal do it_behaves_like "a controller action with permissions checking", :get, :move_modal do
let(:testable) { experiment } let(:testable) { experiment }
let(:permissions) { [ExperimentPermissions::MOVE] } let(:permissions) { [ExperimentPermissions::MANAGE] }
let(:action_params) { { id: experiment.id } } let(:action_params) { { id: experiment.id } }
end end
it_behaves_like "a controller action with permissions checking", :post, :move do it_behaves_like "a controller action with permissions checking", :post, :move do
let(:testable) { experiment } let(:testable) { experiment }
let(:permissions) { [ExperimentPermissions::MOVE] } let(:permissions) { [ExperimentPermissions::MANAGE] }
let(:action_params) { { id: experiment.id } } let(:action_params) { { id: experiment.id } }
end end
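Review bot: In the `:put, :update` example the permissions list is now `[ExperimentPermissions::MANAGE, ExperimentPermissions::MANAGE]`, a leftover from replacing `RESTORE` mechanically. The duplicate adds nothing and, depending on how the shared example iterates the list (not visible here), may run the same case twice. Use `let(:permissions) { [ExperimentPermissions::MANAGE] }`. The enclosing `describe` block starts outside this hunk.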