From 04a6645cfc7e1d67e9a039a206d32fe09bafd305 Mon Sep 17 00:00:00 2001 From: Miha Mencin Date: Wed, 20 Nov 2019 17:12:47 +0100 Subject: [PATCH 1/5] Separate view/edit/modify permissions SCI-4058 --- app/controllers/repositories_controller.rb | 6 ++- app/controllers/repository_rows_controller.rb | 1 + app/permissions/repository.rb | 8 ++++ app/views/repositories/show.html.erb | 39 ++++++++++++------- 4 files changed, 38 insertions(+), 16 deletions(-) diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb index 376607973..750d1bbd0 100644 --- a/app/controllers/repositories_controller.rb +++ b/app/controllers/repositories_controller.rb @@ -28,7 +28,11 @@ class RepositoriesController < ApplicationController render 'repositories/index' end - def show; end + def show + @display_edit_button = can_create_repository_rows?(current_user, @repository) + @display_delete_button = can_delete_repository_rows?(current_user, @repository) + @display_duplicate_button = can_create_repository_rows?(current_user, @repository) + end def create_modal @repository = Repository.new diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb index 6c6dc6944..61a1e552c 100644 --- a/app/controllers/repository_rows_controller.rb +++ b/app/controllers/repository_rows_controller.rb @@ -270,6 +270,7 @@ class RepositoryRowsController < ApplicationController end def delete_records + render_403 unless can_delete_repository_rows?(@repository) deleted_count = 0 if selected_params selected_params.each do |row_id| diff --git a/app/permissions/repository.rb b/app/permissions/repository.rb index 05e018c89..47b78d9c8 100644 --- a/app/permissions/repository.rb +++ b/app/permissions/repository.rb 
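Review bot: `@display_edit_button` in `show` is derived from `can_create_repository_rows?`, while the permission this same patch registers for editing is `update_repository_rows` and the `edit`/`update` actions stay behind `check_manage_permissions`, so the edit button's visibility is decided by a different rule than the one the server enforces. The line keeps that form through patches 4 and 5 of this series (only whitespace and the dropped `current_user` argument change), so the same fix applies there: `@display_edit_button = can_update_repository_rows?(current_user, @repository)`, or the one-argument helper form once patch 5 is applied. These flags only drive button rendering; the before_action filters in RepositoryRowsController remain the actual access control, which is the right place to keep it.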
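Review bot: `render_403 unless can_delete_repository_rows?(@repository)` at the top of `delete_records` does not stop the action — if `render_403` renders rather than raises (its definition is not on the page), the loop over `selected_params` still runs after the 403 has been rendered, and any later render in the action would raise DoubleRenderError. An in-action guard needs `render_403 and return unless …`; patch 2 of this series instead moves the check into a `before_action`, where a render halts the filter chain, which resolves it. The rest of `delete_records` lies outside the hunk.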
@@ -30,6 +30,14 @@ Canaid::Permissions.register_for(Repository) do can_create_repository_rows?(user, repository) end + can :update_repository_rows do |user, repository| + can_manage_repository_rows?(user, repository) + end + + can :delete_repository_rows do |user, repository| + can_manage_repository_rows?(user, repository) + end + # repository: create field can :create_repository_columns do |user, repository| can_create_repository_rows?(user, repository) unless repository.shared_with?(user.current_team) diff --git a/app/views/repositories/show.html.erb b/app/views/repositories/show.html.erb index ef664aeb2..23cd5ea9b 100644 --- a/app/views/repositories/show.html.erb +++ b/app/views/repositories/show.html.erb @@ -128,21 +128,30 @@ <% end %> <% if can_manage_repository_rows?(@repository) %> - - - + + <%if @display_edit_button %> + + <% end %> + + <%if @display_delete_button %> + + <% end %> + + <%if @display_duplicate_button %> + + <%end%> <% elsif @repository.shared_with?(current_team) %>
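Review bot: Both new permissions, `update_repository_rows` and `delete_repository_rows`, are defined as `can_manage_repository_rows?(user, repository)`, so at this point they are aliases for manage and separate nothing; `update_repository_rows` is also not referenced by any hunk in the series, since `edit`/`update` remain under `check_manage_permissions`. A comment in the file's existing style would stop a later reader from assuming they already differ: `# repository: update/delete rows (currently identical to manage; split here when roles diverge)`. The neighbouring `create_repository_columns` excludes repositories shared with the current team via `unless repository.shared_with?(user.current_team)`; whether the new permissions need the same exclusion depends on `can_manage_repository_rows?`, which is outside the hunk, and is worth confirming.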

<%= t('repositories.index.view_only_permission_label') %>

<% end %> From 1bf6663196588a1c3046de71f4cce53c2e5a8f0a Mon Sep 17 00:00:00 2001 From: Miha Mencin Date: Fri, 22 Nov 2019 13:23:02 +0100 Subject: [PATCH 2/5] check the permissions in before action --- app/controllers/repository_rows_controller.rb | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb index 61a1e552c..db7089b9c 100644 --- a/app/controllers/repository_rows_controller.rb +++ b/app/controllers/repository_rows_controller.rb @@ -12,8 +12,9 @@ class RepositoryRowsController < ApplicationController copy_records available_rows) before_action :check_create_permissions, only: :create + before_action :check_delete_permissions, only: :delete_records before_action :check_manage_permissions, - only: %i(edit update delete_records copy_records) + only: %i(edit update copy_records) def index @draw = params[:draw].to_i @@ -270,7 +271,6 @@ class RepositoryRowsController < ApplicationController end def delete_records - render_403 unless can_delete_repository_rows?(@repository) deleted_count = 0 if selected_params selected_params.each do |row_id| @@ -373,6 +373,11 @@ class RepositoryRowsController < ApplicationController render_403 unless can_manage_repository_rows?(@repository) end + + def check_delete_permissions + render_403 unless can_delete_repository_rows?(@repository) + end + def record_params params.permit(:repository_row_name).to_h end From bd34435b39db527a0e764cd8ea9f7b73150887a6 Mon Sep 17 00:00:00 2001 From: Miha Mencin Date: Mon, 25 Nov 2019 08:44:33 +0100 Subject: [PATCH 3/5] fixing style issues --- app/controllers/repository_rows_controller.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb index db7089b9c..ffab95602 100644 --- a/app/controllers/repository_rows_controller.rb +++ b/app/controllers/repository_rows_controller.rb 
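Review bot: The three new `<%if @display_… %>` guards sit inside the unchanged `<% if can_manage_repository_rows?(@repository) %>` branch, so a user holding create or delete permission but not manage never reaches them regardless of the flags; with the permissions as registered in this series the two coincide, but the outer guard undoes the separation the patch title announces as soon as they diverge. If per-button gating is the intent, the outer condition should become `<% if @display_edit_button || @display_delete_button || @display_duplicate_button %>`, with the `elsif @repository.shared_with?(current_team)` branch re-checked so view-only users still get the label. The button markup of this hunk appears stripped in this rendering, so the inner lines could not be reviewed; as a style point, `<%if` and `<%end%>` lack the spaces the surrounding ERB tags use. The flags are display-only in any case and the controller filters remain the enforcement point.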
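Review bot: `copy_records` stays in the `check_manage_permissions` list while the duplicate button added to `show` in patch 1 is displayed on `can_create_repository_rows?`, so if create is ever granted without manage the page offers an action the server answers with 403. Either gate the button on the same rule, `@display_duplicate_button = can_manage_repository_rows?(@repository)`, or move `copy_records` under a filter that matches what duplicating a row requires. `check_delete_permissions` also reads `@repository`, so it must run after the filter that loads it; the `only:` list of that loader is only partly visible here (`copy_records available_rows)`) and it is worth confirming it includes `delete_records`.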
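Review bot: `check_delete_permissions` is added beside `check_manage_permissions` without a comment recording that it depends on `@repository` having been loaded by an earlier filter; a one-liner above it, `# before_action for delete_records; expects @repository from the loading filter`, makes the ordering explicit. The filter authorises the caller on `@repository` only, while the ids `delete_records` iterates over are resolved in the loop body outside this hunk; each id should be looked up through that repository's rows rather than globally, otherwise a permission on one repository would cover rows of another — worth confirming there. The method sits below `check_manage_permissions` and presumably shares its `private` section; confirm, since filters should not be public actions.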
@@ -373,7 +373,6 @@ class RepositoryRowsController < ApplicationController render_403 unless can_manage_repository_rows?(@repository) end - def check_delete_permissions render_403 unless can_delete_repository_rows?(@repository) end From e65e344c39b1521a223faad3245b10db15c932b3 Mon Sep 17 00:00:00 2001 From: Miha Mencin Date: Mon, 25 Nov 2019 10:45:21 +0100 Subject: [PATCH 4/5] fix styling --- app/controllers/repositories_controller.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb index 750d1bbd0..8cbeeb43b 100644 --- a/app/controllers/repositories_controller.rb +++ b/app/controllers/repositories_controller.rb @@ -29,8 +29,8 @@ class RepositoriesController < ApplicationController end def show - @display_edit_button = can_create_repository_rows?(current_user, @repository) - @display_delete_button = can_delete_repository_rows?(current_user, @repository) + @display_edit_button = can_create_repository_rows?(current_user, @repository) + @display_delete_button = can_delete_repository_rows?(current_user, @repository) @display_duplicate_button = can_create_repository_rows?(current_user, @repository) end From a328c4ad5656d4222de047c9eb3d06c6b1cbdffb Mon Sep 17 00:00:00 2001 From: Miha Mencin Date: Mon, 25 Nov 2019 17:40:29 +0100 Subject: [PATCH 5/5] fix CR comments --- app/controllers/repositories_controller.rb | 6 +++--- app/views/repositories/show.html.erb | 3 +-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb index 8cbeeb43b..212b23aca 100644 --- a/app/controllers/repositories_controller.rb +++ b/app/controllers/repositories_controller.rb 
@@ -29,9 +29,9 @@ class RepositoriesController < ApplicationController end def show - @display_edit_button = can_create_repository_rows?(current_user, @repository) - @display_delete_button = can_delete_repository_rows?(current_user, @repository) - @display_duplicate_button = can_create_repository_rows?(current_user, @repository) + @display_edit_button = can_create_repository_rows?(@repository) + @display_delete_button = can_delete_repository_rows?(@repository) + @display_duplicate_button = can_create_repository_rows?(@repository) end def create_modal diff --git a/app/views/repositories/show.html.erb b/app/views/repositories/show.html.erb index 23cd5ea9b..6a931cd9b 100644 --- a/app/views/repositories/show.html.erb +++ b/app/views/repositories/show.html.erb @@ -141,8 +141,7 @@ id="deleteRepositoryRecordsButton" onclick="onClickDelete()" disabled> <%= t'repositories.delete_record' %> - <%= submit_tag I18n.t('repositories.delete_record'), :class => "hidden - delete_repository_records_submit" %> + <%= submit_tag I18n.t('repositories.delete_record'), :class => "hidden delete_repository_records_submit" %> <% end %>