From 975a8910a8e6714cb34e81f9dbd0d3a56404af1e Mon Sep 17 00:00:00 2001 From: Martin Artnik Date: Tue, 7 Sep 2021 11:27:52 +0200 Subject: [PATCH] Updated project permission helpers [SCI-6041] --- .../access_permissions/projects_controller.rb | 2 +- .../api/v1/experiments_controller.rb | 2 +- app/controllers/comments_controller.rb | 2 +- .../dashboard/quick_start_controller.rb | 2 +- app/controllers/experiments_controller.rb | 2 +- .../project_comments_controller.rb | 2 +- app/controllers/tags_controller.rb | 2 +- app/helpers/comment_helper.rb | 2 +- app/models/user_role.rb | 6 +- app/permissions/project.rb | 103 +++++++----------- .../projects/show.json.jbuilder | 2 +- app/views/project_comments/_index.html.erb | 4 +- .../index/_project_actions_dropdown.html.erb | 2 +- .../projects/index/_project_card.html.erb | 2 +- app/views/projects/show/_toolbar.html.erb | 2 +- .../extends/permission_extends.rb | 22 ++-- spec/factories/user_roles.rb | 6 +- 17 files changed, 74 insertions(+), 91 deletions(-) diff --git a/app/controllers/access_permissions/projects_controller.rb b/app/controllers/access_permissions/projects_controller.rb index df0d7ff86..8f2e58d3b 100644 --- a/app/controllers/access_permissions/projects_controller.rb +++ b/app/controllers/access_permissions/projects_controller.rb @@ -94,7 +94,7 @@ module AccessPermissions end def check_manage_permissions - render_403 unless can_manage_project_access?(@project) + render_403 unless can_manage_project_users?(@project) end def check_read_permissions diff --git a/app/controllers/api/v1/experiments_controller.rb b/app/controllers/api/v1/experiments_controller.rb index 761eff5e9..0f4f22642 100644 --- a/app/controllers/api/v1/experiments_controller.rb +++ b/app/controllers/api/v1/experiments_controller.rb 
@@ -22,7 +22,7 @@ module Api end def create - raise PermissionError.new(Experiment, :create) unless can_create_experiments?(@project) + raise PermissionError.new(Experiment, :create) unless can_create_project_experiments?(@project) experiment = @project.experiments.create!(experiment_params.merge!(created_by: current_user, last_modified_by: current_user)) diff --git a/app/controllers/comments_controller.rb b/app/controllers/comments_controller.rb index 4558aa355..e18c2063e 100644 --- a/app/controllers/comments_controller.rb +++ b/app/controllers/comments_controller.rb @@ -89,7 +89,7 @@ class CommentsController < ApplicationController def check_create_permissions case @commentable when Project - render_403 and return unless can_create_comments_in_project?(@commentable) + render_403 and return unless can_create_project_comments?(@commentable) when MyModule render_403 and return unless can_create_comments_in_module?(@commentable) when Step diff --git a/app/controllers/dashboard/quick_start_controller.rb b/app/controllers/dashboard/quick_start_controller.rb index 098b92e49..ae1378f53 100644 --- a/app/controllers/dashboard/quick_start_controller.rb +++ b/app/controllers/dashboard/quick_start_controller.rb @@ -70,7 +70,7 @@ module Dashboard end unless @experiment - render_403 unless can_create_experiments?(current_user, @project) + render_403 unless can_create_project_experiments?(current_user, @project) return end diff --git a/app/controllers/experiments_controller.rb b/app/controllers/experiments_controller.rb index 869345b4d..a937836cf 100644 --- a/app/controllers/experiments_controller.rb +++ b/app/controllers/experiments_controller.rb @@ -314,7 +314,7 @@ class ExperimentsController < ApplicationController end def check_create_permissions - render_403 unless can_create_experiments?(@project) + render_403 unless can_create_project_experiments?(@project) end def check_manage_permissions 
diff --git a/app/controllers/project_comments_controller.rb b/app/controllers/project_comments_controller.rb index 05f4f67b5..9d19764e5 100644 --- a/app/controllers/project_comments_controller.rb +++ b/app/controllers/project_comments_controller.rb @@ -51,7 +51,7 @@ class ProjectCommentsController < ApplicationController end def check_create_permissions - render_403 unless can_create_comments_in_project?(@project) + render_403 unless can_create_project_comments?(@project) end def check_manage_permissions diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb index 756ca32c4..7540c7405 100644 --- a/app/controllers/tags_controller.rb +++ b/app/controllers/tags_controller.rb @@ -161,7 +161,7 @@ class TagsController < ApplicationController end def check_manage_permissions - render_403 unless can_manage_tags?(@project) + render_403 unless can_manage_project?(@project) end def tag_params diff --git a/app/helpers/comment_helper.rb b/app/helpers/comment_helper.rb index 4cf4eb889..52f1c5ab9 100644 --- a/app/helpers/comment_helper.rb +++ b/app/helpers/comment_helper.rb @@ -63,7 +63,7 @@ module CommentHelper when 'Step', 'Result' can_create_comments_in_module?(object.my_module) when 'Project' - can_create_comments_in_project?(object) + can_create_project_comments?(object) else false end diff --git a/app/models/user_role.rb b/app/models/user_role.rb index eafc1eb52..b73ce5568 100644 --- a/app/models/user_role.rb +++ b/app/models/user_role.rb @@ -32,8 +32,8 @@ class UserRole < ApplicationRecord permissions: [ ProjectPermissions::READ, - ProjectPermissions::CREATE_EXPERIMENTS, - ProjectPermissions::CREATE_COMMENTS, + ProjectPermissions::EXPERIMENTS_CREATE, + ProjectPermissions::COMMENTS_CREATE, ExperimentPermissions::READ, ExperimentPermissions::MANAGE, ExperimentPermissions::ARCHIVE, 
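Review bot: In app/controllers/tags_controller.rb, `check_manage_permissions` now calls `can_manage_project?` instead of the `can_manage_project_tags?` helper that this same commit registers in app/permissions/project.rb. Tag management therefore inherits every extra condition attached to `manage_project`, whose block continues with a `MyModule.joins(experiment: :project)` query that is cut off in this diff, and the new tag rule is not used in any file of this diff. If tags are meant to keep their own gate, the line should read `render_403 unless can_manage_project_tags?(@project)`. Both names are in the active-project list, so archived projects stay protected either way.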
@@ -57,7 +57,7 @@ class UserRole < ApplicationRecord permissions: [ ProjectPermissions::READ, - ProjectPermissions::CREATE_COMMENTS, + ProjectPermissions::COMMENTS_CREATE, ExperimentPermissions::READ, MyModulePermissions::READ, MyModulePermissions::CREATE_COMMENTS, diff --git a/app/permissions/project.rb b/app/permissions/project.rb index 1cf02dcd1..f35a68bf1 100644 --- a/app/permissions/project.rb +++ b/app/permissions/project.rb @@ -6,10 +6,10 @@ Canaid::Permissions.register_for(Project) do # Project must be active for all the specified permissions %i(manage_project archive_project - create_experiments - create_comments_in_project - manage_tags - manage_project_access) + create_project_experiments + create_project_comments + manage_project_tags + manage_project_users) .each do |perm| can perm do |_, project| project.active? @@ -23,21 +23,7 @@ Canaid::Permissions.register_for(Project) do project.permission_granted?(user, ProjectPermissions::READ) end end - # project: read, read activities, read comments, read users, read archive, - # read notifications - # reports: read - can :read_project do |_, _| - # Already checked by the wrapper - true - end - # team: export projects - can :export_project do |_, _| - # Already checked by the wrapper - true - end - - # project: update/delete, assign/reassign/unassign users can :manage_project do |user, project| project.permission_granted?(user, ProjectPermissions::MANAGE) && MyModule.joins(experiment: :project) 
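Review bot: In app/permissions/project.rb, the active-project list gains `manage_project_tags` and `manage_project_users` but not `manage_project_comments`, even though the `manage_comment_in_project` rule deleted further down was guarded by `project_comment.project.active?`. As written, comment management on an archived project is decided by `COMMENTS_MANAGE` alone; if that is not intended, add `manage_project_comments` to the `%i(...)` list. `restore_project` has to stay out of the list because its rule requires `project.archived?`, and a one-line comment above the list saying so would replace the NOTE this commit removes. The `each` block that consumes the list ends outside this hunk.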
@@ -52,64 +38,55 @@ Canaid::Permissions.register_for(Project) do end end - # project: manage access policies - can :manage_project_access do |user, project| - project.permission_granted?(user, ProjectPermissions::MANAGE_ACCESS) + can :read_project_folders do |user, project| + project.permission_granted?(user, ProjectPermissions::FOLDERS_READ) + end + + can :manage_project_users do |user, project| + project.permission_granted?(user, ProjectPermissions::USERS_MANAGE) end - # project: archive can :archive_project do |user, project| - project.permission_granted?(user, ProjectPermissions::ARCHIVE) + project.permission_granted?(user, ProjectPermissions::MANAGE) end - # NOTE: Must not be dependent on canaid parmision for which we check if it's - # active - # project: restore can :restore_project do |user, project| - project.archived? && project.permission_granted?(user, ProjectPermissions::RESTORE) + project.archived? && project.permission_granted?(user, ProjectPermissions::MANAGE) end - # experiment: create - - can :create_experiments do |user, project| - project.permission_granted?(user, ProjectPermissions::CREATE_EXPERIMENTS) + can :create_project_experiments do |user, project| + project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_CREATE) end - can :manage_experiments do |user, project| - project.permission_granted?(user, ProjectPermissions::CREATE_EXPERIMENTS) + can :read_project_experiments do |user, project| + project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ) end - # project: create comment - can :create_comments_in_project do |user, project| - project.permission_granted?(user, ProjectPermissions::CREATE_COMMENTS) + can :read_archived_project_experiments do |user, project| + project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_ARCHIVED) end - # project: create/update/delete tag - # module: assign/reassign/unassign tag - can :manage_tags do |user, project| - project.permission_granted?(user, 
ProjectPermissions::MANAGE_TAGS) - end -end - -Canaid::Permissions.register_for(ProjectComment) do - # Project must be active for all the specified permissions - %i(manage_comment_in_project) - .each do |perm| - can perm do |_, project_comment| - project_comment.project.active? - end - end - - # project: update/delete comment - can :manage_comment_in_project do |user, project_comment| - project_comment.project.present? && (project_comment.user == user || - project.permission_granted?(user, ProjectPermissions::MANAGE_COMMENTS)) - end -end - -Canaid::Permissions.register_for(ProjectFolder) do - # ProjectFolder: delete - can :delete_project_folder do |_, project_folder| - !project_folder.projects.exists? && !project_folder.project_folders.exists? + can :read_canvas_of_project_experiments do |user, project| + project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_CANVAS) + end + + can :read_activities_of_project_experiments do |user, project| + project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_ACTIVITIES_READ) + end + + can :read_users_of_project_experiments do |user, project| + project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_USERS_READ) + end + + can :create_project_comments do |user, project| + project.permission_granted?(user, ProjectPermissions::COMMENTS_CREATE) + end + + can :manage_project_comments do |user, project| + project.permission_granted?(user, ProjectPermissions::COMMENTS_MANAGE) + end + + can :manage_project_tags do |user, project| + project.permission_granted?(user, ProjectPermissions::MANAGE) end end diff --git a/app/views/access_permissions/projects/show.json.jbuilder b/app/views/access_permissions/projects/show.json.jbuilder index 6cd404159..693132237 100644 --- a/app/views/access_permissions/projects/show.json.jbuilder +++ b/app/views/access_permissions/projects/show.json.jbuilder 
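Review bot: In app/permissions/project.rb, `archive_project`, `restore_project` and `manage_project_tags` now all test `ProjectPermissions::MANAGE`, so a role can no longer be granted one of these without the others, and any role holding MANAGE can archive and restore. If the coarsening is deliberate, say so above the three rules, e.g. `# archive, restore and tags intentionally share MANAGE`. The deleted `manage_comment_in_project` also let a comment's author manage their own comment (`project_comment.user == user`), while the new `manage_project_comments` checks only `COMMENTS_MANAGE` on the project. The body of `check_manage_permissions` in ProjectCommentsController is not visible in this diff, so it is unclear whether the author rule survives anywhere. The hunk also drops `manage_experiments` and `delete_project_folder` with no replacement shown; any remaining `can_manage_experiments?` or `can_delete_project_folder?` call site should be checked before merge.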
@@ -5,7 +5,7 @@ json.modal controller.render_to_string( formats: [:html], locals: { resource: @project, - can_manage_resource: can_manage_project_access?(@project) + can_manage_resource: can_manage_project_users?(@project) }, layout: false ) diff --git a/app/views/project_comments/_index.html.erb b/app/views/project_comments/_index.html.erb index 193ea00a6..7116a2a41 100644 --- a/app/views/project_comments/_index.html.erb +++ b/app/views/project_comments/_index.html.erb @@ -2,8 +2,8 @@
<%= render partial: 'shared/comments/comments.html.erb', locals: { object: @project, - comments: comments, - can_create_comments: can_create_comments_in_project?(@project), + comments: comments, + can_create_comments: can_create_project_comments?(@project), create_url: project_project_comments_path(@project, format: :json), more_url: project_project_comments_path(@project, format: :json, from: comments.first&.id) } %> diff --git a/app/views/projects/index/_project_actions_dropdown.html.erb b/app/views/projects/index/_project_actions_dropdown.html.erb index 3c31dda92..1ba0e419f 100644 --- a/app/views/projects/index/_project_actions_dropdown.html.erb +++ b/app/views/projects/index/_project_actions_dropdown.html.erb @@ -51,7 +51,7 @@ <% if can_read_project?(project) %>
  • - <%= link_to can_manage_project_access?(project) ? edit_access_permissions_project_path(project) : access_permissions_project_path(project), + <%= link_to can_manage_project_users?(project) ? edit_access_permissions_project_path(project) : access_permissions_project_path(project), class: 'btn btn-light', data: { action: 'remote-modal'} do %> diff --git a/app/views/projects/index/_project_card.html.erb b/app/views/projects/index/_project_card.html.erb index 2be75aef9..2beb628fe 100644 --- a/app/views/projects/index/_project_card.html.erb +++ b/app/views/projects/index/_project_card.html.erb @@ -50,7 +50,7 @@
    <%= t('projects.index.card.users') %>
    - <% if can_manage_project_access?(project) %> + <% if can_manage_project_users?(project) %> <%= link_to edit_access_permissions_project_path(project), class: 'project-users-link', data: { action: 'remote-modal' } do %> <%= render partial: 'projects/index/users_list.html.erb', locals: { project: project } %> diff --git a/app/views/projects/show/_toolbar.html.erb b/app/views/projects/show/_toolbar.html.erb index 22bbf6fd9..084469fd7 100644 --- a/app/views/projects/show/_toolbar.html.erb +++ b/app/views/projects/show/_toolbar.html.erb @@ -1,6 +1,6 @@
    - <% if can_create_experiments?(@project) %> + <% if can_create_project_experiments?(@project) %> <%= button_to new_project_experiment_url(@project), remote: true, form_class: 'new-experiment-form', diff --git a/config/initializers/extends/permission_extends.rb b/config/initializers/extends/permission_extends.rb index 2aa3a3a42..d6d381f86 100644 --- a/config/initializers/extends/permission_extends.rb +++ b/config/initializers/extends/permission_extends.rb @@ -4,15 +4,21 @@ module PermissionExtends module ProjectPermissions %w( READ - EXPORT + READ_ARCHIVED MANAGE - ARCHIVE - RESTORE - CREATE_EXPERIMENTS - CREATE_COMMENTS - MANAGE_COMMENTS - MANAGE_TAGS - MANAGE_ACCESS + FOLDERS_READ + ACTIVITIES_READ + USERS_READ + USERS_MANAGE + COMMENTS_READ + COMMENTS_CREATE + COMMENTS_MANAGE + EXPERIMENTS_READ + EXPERIMENTS_READ_ARCHIVED + EXPERIMENTS_CREATE + EXPERIMENTS_READ_CANVAS + EXPERIMENTS_ACTIVITIES_READ + EXPERIMENTS_USERS_READ ).each { |permission| const_set(permission, "project_#{permission.underscore}") } end diff --git a/spec/factories/user_roles.rb b/spec/factories/user_roles.rb index ac655399b..6f286bf11 100644 --- a/spec/factories/user_roles.rb +++ b/spec/factories/user_roles.rb @@ -13,8 +13,8 @@ FactoryBot.define do permissions { [ ProjectPermissions::READ, - ProjectPermissions::CREATE_EXPERIMENTS, - ProjectPermissions::CREATE_COMMENTS, + ProjectPermissions::EXPERIMENTS_CREATE, + ProjectPermissions::COMMENTS_CREATE, ExperimentPermissions::READ, ExperimentPermissions::MANAGE, ExperimentPermissions::ARCHIVE, @@ -37,7 +37,7 @@ FactoryBot.define do permissions { [ ProjectPermissions::READ, - ProjectPermissions::CREATE_COMMENTS, + ProjectPermissions::COMMENTS_CREATE, ExperimentPermissions::READ, MyModulePermissions::READ, MyModulePermissions::CREATE_COMMENTS,
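Review bot: In config/initializers/extends/permission_extends.rb, each constant's value is derived from its name (`"project_#{permission.underscore}"`), so reordering the words changes the permission string too: `project_create_experiments` becomes `project_experiments_create`, and the strings for `EXPORT`, `ARCHIVE`, `RESTORE`, `MANAGE_TAGS` and `MANAGE_ACCESS` disappear. If role permissions are persisted anywhere (not visible in this diff), existing records would keep the old strings and stop matching the renamed checks. That fails closed, but it needs a data migration or a documented reseed alongside this change. Several new constants (`READ_ARCHIVED`, `ACTIVITIES_READ`, `USERS_READ`, `COMMENTS_READ`) have no `can` rule in app/permissions/project.rb in this commit; a comment such as `# no canaid rule yet` next to them would keep readers from assuming they are enforced.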