Add missing permissions for repository columns [SCI-11147] (#7995)

app/controllers/api/v1/inventory_columns_controller.rb

@@ -8,8 +8,9 @@ module Api
       before_action only: %i(show update destroy) do
         load_inventory_column(:id)
       end
-      before_action :check_manage_permissions, only: %i(update destroy)
       before_action :check_create_permissions, only: %i(create)
+      before_action :check_manage_permissions, only: %i(update)
+      before_action :check_delete_permissions, only: %i(destroy)
 
       def index
         columns = timestamps_filter(@inventory.repository_columns).includes(:repository_list_items)
@@ -61,6 +62,10 @@ module Api
         raise PermissionError.new(RepositoryColumn, :manage) unless can_manage_repository_column?(@inventory_column)
       end
 
+      def check_delete_permissions
+        raise PermissionError.new(RepositoryColumn, :delete) unless can_delete_repository_column?(@inventory_column)
+      end
+
       def check_create_permissions
         raise PermissionError.new(RepositoryColumn, :create) unless can_create_repository_columns?(@inventory)
       end

app/controllers/repository_columns_controller.rb

@@ -5,7 +5,8 @@ class RepositoryColumnsController < ApplicationController
   before_action :load_repository
   before_action :load_column, only: %i(edit update destroy_html destroy items)
   before_action :check_create_permissions, only: %i(new create)
-  before_action :check_manage_permissions, only: %i(edit update destroy_html destroy)
+  before_action :check_manage_permissions, only: %i(edit update)
+  before_action :check_delete_permissions, only: %i(destroy_html destroy)
   before_action :load_asset_type_columns, only: :available_asset_type_columns
 
   def index
@@ -130,6 +131,10 @@ class RepositoryColumnsController < ApplicationController
     render_403 unless can_manage_repository_column?(@repository_column)
   end
 
+  def check_delete_permissions
+    render_403 unless can_delete_repository_column?(@repository_column)
+  end
+
   def search_params
     params.permit(:q, :repository_id)
   end

app/permissions/repository.rb

@@ -25,7 +25,8 @@ Canaid::Permissions.register_for(Repository) do
      create_repository_rows
      manage_repository_rows
      delete_repository_rows
-     create_repository_columns)
+     create_repository_columns
+     manage_repository_columns)
     .each do |perm|
     can perm do |_, repository|
       repository.active? && repository.repository_snapshots.provisioning.none? &&
@@ -106,7 +107,7 @@ Canaid::Permissions.register_for(Repository) do
   end
 
   can :manage_repository_columns do |user, repository|
-    repository.repository_snapshots.provisioning.none? && can_create_repository_columns?(user, repository)
+    repository.permission_granted?(user, RepositoryPermissions::COLUMNS_UPDATE)
   end
 
   # repository: create/update/delete filters
@@ -123,6 +124,10 @@ Canaid::Permissions.register_for(RepositoryColumn) do
   # repository: update/delete field
   # Tested in scope of RepositoryPermissions spec
   can :manage_repository_column do |user, repository_column|
-    repository_column.repository.repository_snapshots.provisioning.none? && can_create_repository_columns?(user, repository_column.repository)
+    repository_column.repository.repository_snapshots.provisioning.none? && repository_column.repository.permission_granted?(user, RepositoryPermissions::COLUMNS_UPDATE)
+  end
+
+  can :delete_repository_column do |user, repository_column|
+    repository_column.repository.repository_snapshots.provisioning.none? && repository_column.repository.permission_granted?(user, RepositoryPermissions::COLUMNS_DELETE)
   end
 end

config/initializers/extends/permission_extends.rb

@@ -210,6 +210,8 @@ module PermissionExtends
       RepositoryPermissions::READ,
       RepositoryPermissions::READ_ARCHIVED,
       RepositoryPermissions::COLUMNS_CREATE,
+      RepositoryPermissions::COLUMNS_UPDATE,
+      RepositoryPermissions::COLUMNS_DELETE,
       RepositoryPermissions::ROWS_CREATE,
       RepositoryPermissions::ROWS_UPDATE,
       RepositoryPermissions::ROWS_DELETE,

db/migrate/20241028105317_add_missing_repository_permissions.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+class AddMissingRepositoryPermissions < ActiveRecord::Migration[6.1]
+  NORMAL_USER_PERMISSIONS = [
+    RepositoryPermissions::COLUMNS_UPDATE,
+    RepositoryPermissions::COLUMNS_DELETE
+  ].freeze
+
+  def change
+    reversible do |dir|
+      dir.up do
+        @normal_user_role = UserRole.find_predefined_normal_user_role
+        @normal_user_role.permissions = @normal_user_role.permissions | NORMAL_USER_PERMISSIONS
+        @normal_user_role.save(validate: false)
+      end
+
+      dir.down do
+        @normal_user_role = UserRole.find_predefined_normal_user_role
+        @normal_user_role.permissions = @normal_user_role.permissions - NORMAL_USER_PERMISSIONS
+        @normal_user_role.save(validate: false)
+      end
+    end
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2024_10_02_122340) do
+ActiveRecord::Schema[7.0].define(version: 2024_10_28_105317) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "btree_gist"
   enable_extension "pg_trgm"
@@ -635,6 +635,7 @@ ActiveRecord::Schema[7.0].define(version: 2024_10_02_122340) do
     t.bigint "archived_by_id"
     t.bigint "restored_by_id"
     t.string "external_id"
+    t.integer "repository_rows_count", default: 0, null: false
     t.index ["archived"], name: "index_repositories_on_archived"
     t.index ["archived_by_id"], name: "index_repositories_on_archived_by_id"
     t.index ["discarded_at"], name: "index_repositories_on_discarded_at"