refactor manage sample permissions again by removing authorship and refactor manage sample elements permissions

This commit is contained in:
mlorb 2017-12-08 16:40:08 +01:00
parent e577b363b2
commit 3ca51f097f
10 changed files with 207 additions and 255 deletions


@ -11,7 +11,7 @@ module SampleActions
params[:sample_ids].each do |id| params[:sample_ids].each do |id|
sample = Sample.find_by_id(id) sample = Sample.find_by_id(id)
if sample && can_update_or_delete_sample?(sample) if sample
sample.destroy sample.destroy
counter_user += 1 counter_user += 1
else else
@ -45,7 +45,7 @@ module SampleActions
end end
def check_destroy_samples_permissions def check_destroy_samples_permissions
unless can_delete_samples?(@project.team) unless can_manage_sample?(@project.team)
render_403 render_403
end end
end end
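Review bot: In the destroy loop the per-sample check `can_update_or_delete_sample?(sample)` is replaced by a bare `if sample`, so any existing sample id in `params[:sample_ids]` is destroyed as long as the caller may manage samples in `@project.team`; nothing visible ties the looked-up sample to that team, so an id belonging to another team would pass. The `check_destroy_samples_permissions` filter in the second hunk authorises only the team, not the record, and the removed Canaid `update_or_delete_sample` block that used to compare `sample.team` is gone. Scope the lookup to the team, e.g. `sample = Sample.find_by(id: id, team: @project.team)` (assuming `Sample#team` is an association, as the removed permission block suggests), or keep a membership check such as `if sample && sample.team == @project.team`. The enclosing method starts outside the hunk.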


@ -3,9 +3,7 @@ class CustomFieldsController < ApplicationController
before_action :load_vars, except: :create before_action :load_vars, except: :create
before_action :load_vars_nested, only: [:create, :destroy_html] before_action :load_vars_nested, only: [:create, :destroy_html]
before_action :check_create_permissions, only: :create before_action :check_permissions
before_action :check_update_permissions, only: :update
before_action :check_destroy_permissions, only: [:destroy, :destroy_html]
def create def create
@custom_field = CustomField.new(custom_field_params) @custom_field = CustomField.new(custom_field_params)
@ -105,16 +103,8 @@ class CustomFieldsController < ApplicationController
render_404 unless @team render_404 unless @team
end end
def check_create_permissions def check_permissions
render_403 unless can_create_custom_field_in_team(@team) render_403 unless can_manage_sample_elements?(@team)
end
def check_update_permissions
render_403 unless can_edit_custom_field(@custom_field)
end
def check_destroy_permissions
render_403 unless can_delete_custom_field(@custom_field)
end end
def custom_field_params def custom_field_params
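Review bot: `check_permissions` now authorises only `@team`, whereas the removed `check_update_permissions`/`check_destroy_permissions` checked `@custom_field` itself, so the update/destroy paths depend on `load_vars` (outside the hunk) binding `@custom_field` to `@team`; if `@custom_field` is fetched by id alone while `@team` comes from the route, a record from another team would be authorised against the wrong team. Worth confirming that `load_vars` scopes the lookup through the team (e.g. `@custom_field = @team.custom_fields.find_by(id: params[:id])`, if such an association exists), and the same applies to the `check_permissions` rewrites in `SampleGroupsController` and `SampleTypesController` in this commit.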


@ -1,7 +1,7 @@
class SampleGroupsController < ApplicationController class SampleGroupsController < ApplicationController
before_action :load_vars_nested before_action :load_vars_nested
before_action :check_create_permissions before_action :check_permissions, except: %i(index sample_group_element)
before_action :set_sample_group, except: [:create, :index] before_action :set_sample_group, except: %i(create index)
before_action :set_project_my_module, only: :index before_action :set_project_my_module, only: :index
layout 'fluid' layout 'fluid'
@ -133,8 +133,8 @@ class SampleGroupsController < ApplicationController
render_404 unless @team render_404 unless @team
end end
def check_create_permissions def check_permissions
render_403 unless can_create_sample_type_in_team(@team) render_403 unless can_manage_sample_elements?(@team)
end end
def sample_group_params def sample_group_params


@ -1,7 +1,7 @@
class SampleTypesController < ApplicationController class SampleTypesController < ApplicationController
before_action :load_vars_nested before_action :load_vars_nested
before_action :check_create_permissions before_action :check_permissions, except: %i(index sample_type_element)
before_action :set_sample_type, except: [:create, :index] before_action :set_sample_type, except: %i(create index)
before_action :set_project_my_module, only: :index before_action :set_project_my_module, only: :index
layout 'fluid' layout 'fluid'
@ -129,8 +129,8 @@ class SampleTypesController < ApplicationController
render_404 unless @team render_404 unless @team
end end
def check_create_permissions def check_permissions
render_403 unless can_create_sample_type_in_team(@team) render_403 unless can_manage_sample_elements?(@team)
end end
def set_sample_type def set_sample_type


@ -6,27 +6,22 @@ class SamplesController < ApplicationController
before_action :load_vars, only: [:edit, :update, :destroy, :show] before_action :load_vars, only: [:edit, :update, :destroy, :show]
before_action :load_vars_nested, only: [:new, :create] before_action :load_vars_nested, only: [:new, :create]
before_action :check_edit_permissions, only: :edit before_action :check_manage_permissions, exept: :show
before_action :check_destroy_permissions, only: :destroy
def new def new
respond_to do |format| respond_to do |format|
format.html format.html
if can_create_sample?(@team) groups = @team.sample_groups.map do |g|
groups = @team.sample_groups.map do |g| { id: g.id, name: sanitize_input(g.name), color: g.color }
{ id: g.id, name: sanitize_input(g.name), color: g.color } end
end types = @team.sample_types.map do |t|
types = @team.sample_types.map do |t| { id: t.id, name: sanitize_input(t.name) }
{ id: t.id, name: sanitize_input(t.name) } end
end format.json do
format.json do render json: {
render json: { sample_groups: groups.as_json,
sample_groups: groups.as_json, sample_types: types.as_json
sample_types: types.as_json }
}
end
else
format.json { render json: {}, status: :unauthorized }
end end
end end
end end
@ -43,71 +38,67 @@ class SamplesController < ApplicationController
}; };
respond_to do |format| respond_to do |format|
if can_create_sample?(@team) if params[:sample]
if params[:sample] # Sample name
# Sample name if params[:sample][:name]
if params[:sample][:name] sample.name = params[:sample][:name]
sample.name = params[:sample][:name] end
end
# Sample type # Sample type
if params[:sample][:sample_type_id] != "-1" if params[:sample][:sample_type_id] != "-1"
sample_type = SampleType.find_by_id(params[:sample][:sample_type_id]) sample_type = SampleType.find_by_id(params[:sample][:sample_type_id])
if sample_type if sample_type
sample.sample_type_id = params[:sample][:sample_type_id] sample.sample_type_id = params[:sample][:sample_type_id]
end
end
# Sample group
if params[:sample][:sample_group_id] != "-1"
sample_group = SampleGroup.find_by_id(params[:sample][:sample_group_id])
if sample_group
sample.sample_group_id = params[:sample][:sample_group_id]
end
end end
end end
if !sample.save # Sample group
errors[:init_fields] = sample.errors.messages if params[:sample][:sample_group_id] != "-1"
else sample_group = SampleGroup.find_by_id(params[:sample][:sample_group_id])
# Sample was saved, we can add all newly added sample fields
params[:custom_fields].to_a.each do |id, val| if sample_group
scf = SampleCustomField.new( sample.sample_group_id = params[:sample][:sample_group_id]
custom_field_id: id, end
sample_id: sample.id, end
value: val end
if !sample.save
errors[:init_fields] = sample.errors.messages
else
# Sample was saved, we can add all newly added sample fields
params[:custom_fields].to_a.each do |id, val|
scf = SampleCustomField.new(
custom_field_id: id,
sample_id: sample.id,
value: val
)
if !scf.save
errors[:custom_fields] << {
"#{id}": scf.errors.messages
}
else
sample_annotation_notification(sample, scf)
end
end
end
errors.delete_if { |k, v| v.blank? }
if errors.empty?
format.json do
render json: {
id: sample.id,
flash: t(
'samples.create.success_flash',
sample: escape_input(sample.name),
team: escape_input(@team.name)
) )
},
if !scf.save status: :ok
errors[:custom_fields] << {
"#{id}": scf.errors.messages
}
else
sample_annotation_notification(sample, scf)
end
end
end
errors.delete_if { |k, v| v.blank? }
if errors.empty?
format.json do
render json: {
id: sample.id,
flash: t(
'samples.create.success_flash',
sample: escape_input(sample.name),
team: escape_input(@team.name)
)
},
status: :ok
end
else
format.json { render json: errors, status: :bad_request }
end end
else else
format.json { render json: {}, status: :unauthorized } format.json { render json: errors, status: :bad_request }
end end
end end
end end
@ -167,128 +158,124 @@ class SamplesController < ApplicationController
respond_to do |format| respond_to do |format|
if sample if sample
if can_update_or_delete_sample?(sample) if params[:sample]
if params[:sample] if params[:sample][:name]
if params[:sample][:name] sample.name = params[:sample][:name]
sample.name = params[:sample][:name] end
end
# Check if user selected empty sample type # Check if user selected empty sample type
if params[:sample][:sample_type_id] == "-1" if params[:sample][:sample_type_id] == "-1"
sample.sample_type_id = nil sample.sample_type_id = nil
elsif params[:sample][:sample_type_id] elsif params[:sample][:sample_type_id]
sample_type = SampleType.find_by_id(params[:sample][:sample_type_id]) sample_type = SampleType.find_by_id(params[:sample][:sample_type_id])
if sample_type if sample_type
sample.sample_type_id = params[:sample][:sample_type_id] sample.sample_type_id = params[:sample][:sample_type_id]
end
end
# Check if user selected empty sample type
if params[:sample][:sample_group_id] == "-1"
sample.sample_group_id = nil
elsif params[:sample][:sample_group_id]
sample_group = SampleGroup.find_by_id(params[:sample][:sample_group_id])
if sample_group
sample.sample_group_id = params[:sample][:sample_group_id]
end
end end
end end
# Add all newly added sample fields # Check if user selected empty sample type
params[:custom_fields].to_a.each do |id, val| if params[:sample][:sample_group_id] == "-1"
# Check if client is lying (SCF shouldn't exist) sample.sample_group_id = nil
scf = SampleCustomField.where("custom_field_id = ? AND sample_id = ?", id, sample.id).take elsif params[:sample][:sample_group_id]
sample_group = SampleGroup.find_by_id(params[:sample][:sample_group_id])
if scf if sample_group
sample.sample_group_id = params[:sample][:sample_group_id]
end
end
end
# Add all newly added sample fields
params[:custom_fields].to_a.each do |id, val|
# Check if client is lying (SCF shouldn't exist)
scf = SampleCustomField.where("custom_field_id = ? AND sample_id = ?", id, sample.id).take
if scf
old_text = scf.value
# Well, client was naughty, no XMAS for him this year, update
# existing SCF instead of creating new one
scf.value = val
if !scf.save
# This client needs some lessons
errors[:custom_fields] << {
"#{id}": scf.errors.messages
}
else
sample_annotation_notification(sample, scf, old_text)
end
else
# SCF doesn't exist, create it
scf = SampleCustomField.new(
custom_field_id: id,
sample_id: sample.id,
value: val
)
if !scf.save
errors[:custom_fields] << {
"#{id}": scf.errors.messages
}
else
sample_annotation_notification(sample, scf)
end
end
end
scf_to_delete = []
# Update all existing custom values
params[:sample_custom_fields].to_a.each do |id, val|
scf = SampleCustomField.find_by_id(id)
if scf
# SCF exists, but value is empty, add scf to queue to be deleted
# (if everything is correct)
if val.empty?
scf_to_delete << scf
else
old_text = scf.value old_text = scf.value
# Well, client was naughty, no XMAS for him this year, update # SCF exists, update away
# existing SCF instead of creating new one
scf.value = val scf.value = val
if !scf.save if !scf.save
# This client needs some lessons errors[:sample_custom_fields] << {
errors[:custom_fields] << {
"#{id}": scf.errors.messages "#{id}": scf.errors.messages
} }
else else
sample_annotation_notification(sample, scf, old_text) sample_annotation_notification(sample, scf, old_text)
end end
else
# SCF doesn't exist, create it
scf = SampleCustomField.new(
custom_field_id: id,
sample_id: sample.id,
value: val
)
if !scf.save
errors[:custom_fields] << {
"#{id}": scf.errors.messages
}
else
sample_annotation_notification(sample, scf)
end
end
end
scf_to_delete = []
# Update all existing custom values
params[:sample_custom_fields].to_a.each do |id, val|
scf = SampleCustomField.find_by_id(id)
if scf
# SCF exists, but value is empty, add scf to queue to be deleted
# (if everything is correct)
if val.empty?
scf_to_delete << scf
else
old_text = scf.value
# SCF exists, update away
scf.value = val
if !scf.save
errors[:sample_custom_fields] << {
"#{id}": scf.errors.messages
}
else
sample_annotation_notification(sample, scf, old_text)
end
end
else
# SCF doesn't exist, we can't do much but yield error
errors[:sample_custom_fields] << {
"#{id}": I18n.t("samples.edit.scf_does_not_exist")
}
end
end
if !sample.save
errors[:init_fields] = sample.errors.messages
end
errors.delete_if { |k, v| v.blank? }
if errors.empty?
# Now we can destroy empty scfs
scf_to_delete.map(&:destroy)
format.json do
render json: {
id: sample.id,
flash: t(
'samples.update.success_flash',
sample: escape_input(sample.name),
team: escape_input(@team.name)
)
},
status: :ok
end end
else else
format.json { render json: errors, status: :bad_request } # SCF doesn't exist, we can't do much but yield error
errors[:sample_custom_fields] << {
"#{id}": I18n.t("samples.edit.scf_does_not_exist")
}
end
end
if !sample.save
errors[:init_fields] = sample.errors.messages
end
errors.delete_if { |k, v| v.blank? }
if errors.empty?
# Now we can destroy empty scfs
scf_to_delete.map(&:destroy)
format.json do
render json: {
id: sample.id,
flash: t(
'samples.update.success_flash',
sample: escape_input(sample.name),
team: escape_input(@team.name)
)
},
status: :ok
end end
else else
format.json { render json: {}, status: :unauthorized } format.json { render json: errors, status: :bad_request }
end end
else else
format.json { render json: {}, status: :not_found } format.json { render json: {}, status: :not_found }
@ -318,22 +305,8 @@ class SamplesController < ApplicationController
end end
end end
def check_create_permissions def check_manage_permissions
unless can_create_sample?(@team) render_403 unless can_manage_sample?(@team)
render_403
end
end
def check_edit_permissions
unless can_update_or_delete_sample?(@sample)
render_403
end
end
def check_destroy_permissions
unless can_update_or_delete_sample?(@sample)
render_403
end
end end
def sample_params def sample_params
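Review bot: `before_action :check_manage_permissions, exept: :show` misspells `except`; an unrecognised option is not a filter restriction, so the callback most likely runs for `show` as well and `show` now requires manage permission instead of read permission (fail-closed, but a regression). Change it to `before_action :check_manage_permissions, except: :show`. Separately, `update` drops the per-sample `can_update_or_delete_sample?(sample)` check in favour of `can_manage_sample?(@team)`; the sample lookup and the `@team` assignment are outside the hunk, so confirm `@team` is derived from the loaded sample (or the sample is fetched through the team) rather than independently from the route. The enclosing class continues beyond the hunk.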


@ -249,7 +249,7 @@ class TeamsController < ApplicationController
end end
def check_create_sample_permissions def check_create_sample_permissions
unless can_create_sample?(@team) unless can_manage_sample?(@team)
render_403 render_403
end end
end end


@ -662,31 +662,31 @@ module PermissionHelper
# ---- SAMPLE TYPES PERMISSIONS ---- # ---- SAMPLE TYPES PERMISSIONS ----
def can_create_sample_type_in_team(team) # def can_create_sample_type_in_team(team)
is_normal_user_or_admin_of_team(team) # is_normal_user_or_admin_of_team(team)
end # end
# ---- SAMPLE GROUPS PERMISSIONS ---- # ---- SAMPLE GROUPS PERMISSIONS ----
def can_create_sample_group_in_team(team) # def can_create_sample_group_in_team(team)
is_normal_user_or_admin_of_team(team) # is_normal_user_or_admin_of_team(team)
end # end
# ---- CUSTOM FIELDS PERMISSIONS ---- # ---- CUSTOM FIELDS PERMISSIONS ----
def can_create_custom_field_in_team(team) # def can_create_custom_field_in_team(team)
is_normal_user_or_admin_of_team(team) # is_normal_user_or_admin_of_team(team)
end # end
def can_edit_custom_field(custom_field) # def can_edit_custom_field(custom_field)
custom_field.user == current_user || # custom_field.user == current_user ||
is_admin_of_team(custom_field.team) # is_admin_of_team(custom_field.team)
end # end
def can_delete_custom_field(custom_field) # def can_delete_custom_field(custom_field)
custom_field.user == current_user || # custom_field.user == current_user ||
is_admin_of_team(custom_field.team) # is_admin_of_team(custom_field.team)
end # end
# ---- PROTOCOL PERMISSIONS ---- # ---- PROTOCOL PERMISSIONS ----
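Review bot: The replaced permission helpers (`can_create_sample_type_in_team`, `can_create_sample_group_in_team`, `can_create_custom_field_in_team`, `can_edit_custom_field`, `can_delete_custom_field`) are left commented out rather than deleted; dead code in an authorisation module invites being uncommented later and muddies any grep-based audit of which checks are live. Delete the blocks — history stays in version control — and, if a pointer is wanted, keep a single line such as `# Sample type/group/custom field permissions are covered by can_manage_sample_elements?(team) (Canaid)`.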


@ -8,9 +8,7 @@ module SamplesHelper
end end
def can_add_sample_related_things_to_team def can_add_sample_related_things_to_team
can_create_custom_field_in_team(@team) && can_manage_sample_elements?(@team)
can_create_sample_type_in_team(@team) &&
can_create_sample_group_in_team(@team)
end end
def all_custom_fields def all_custom_fields


@ -24,13 +24,13 @@ Canaid::Permissions.register_for(Team) do
user.is_normal_user_or_admin_of_team?(team) user.is_normal_user_or_admin_of_team?(team)
end end
# create sample, import sample # create, import, edit, delete sample
can :create_sample do |user, team| can :manage_sample do |user, team|
user.is_normal_user_or_admin_of_team?(team) user.is_normal_user_or_admin_of_team?(team)
end end
# delete samples (general permission, not for specific sample) # create, update, delete custom field, sample type and sample group
can :delete_samples do |user, team| can :manage_sample_elements do |user, team|
user.is_normal_user_or_admin_of_team?(team) user.is_normal_user_or_admin_of_team?(team)
end end
end end
@ -70,12 +70,3 @@ Canaid::Permissions.register_for(Protocol) do
can_read_protocol_in_repository?(user, protocol) can_read_protocol_in_repository?(user, protocol)
end end
end end
Canaid::Permissions.register_for(Sample) do
# edit sample, delete sample
can :update_or_delete_sample do |user, sample|
user.is_admin_of_team?(sample.team) ||
user.is_normal_user_or_admin_of_team?(sample.team) &&
user == sample.user
end
end


@ -21,7 +21,7 @@
data-module-id="<%= @my_module.id %>" data-module-id="<%= @my_module.id %>"
<% end %>> <% end %>>
<% if can_create_sample?(@team) %> <% if can_manage_sample?(@team) %>
<button type="button" class="btn btn-default editAdd" id="addSample" onclick="onClickAddSample()"> <button type="button" class="btn btn-default editAdd" id="addSample" onclick="onClickAddSample()">
<span class="glyphicon glyphicon-plus"></span> <span class="glyphicon glyphicon-plus"></span>
<span class="hidden-xs"><%= t("samples.add_new_sample") %></span> <span class="hidden-xs"><%= t("samples.add_new_sample") %></span>
@ -51,7 +51,7 @@
<span class="caret"></span> <span class="caret"></span>
</button> </button>
<ul class="dropdown-menu dropdown-menu-right smart-dropdown" id="samples-columns-list"> <ul class="dropdown-menu dropdown-menu-right smart-dropdown" id="samples-columns-list">
<% if can_create_custom_field_in_team(@team) %> <% if can_manage_sample_elements?(@team) %>
<li class="add-new-column-form"> <li class="add-new-column-form">
<div id="new-column-form" class="form-group" data-action="<%= team_custom_fields_path(@team) %>"> <div id="new-column-form" class="form-group" data-action="<%= team_custom_fields_path(@team) %>">
<div class="input-group"> <div class="input-group">
@ -99,7 +99,7 @@
<span class="hidden-xs-custom"><%= t("samples.edit_sample") %></span> <span class="hidden-xs-custom"><%= t("samples.edit_sample") %></span>
</button> </button>
<% if can_delete_samples?(@team) %> <% if can_manage_sample?(@team) %>
<button type="button" class="btn btn-default" <button type="button" class="btn btn-default"
id="deleteSamplesButton" data-target="#deleteSamples" data-toggle="modal" disabled> id="deleteSamplesButton" data-target="#deleteSamples" data-toggle="modal" disabled>
<span class="glyphicon glyphicon-trash"></span> <span class="glyphicon glyphicon-trash"></span>
@ -148,8 +148,8 @@
<% all_custom_fields.each do |cf| %> <% all_custom_fields.each do |cf| %>
<th class="custom-field" <th class="custom-field"
id="<%= cf.id %>" id="<%= cf.id %>"
<%= 'data-editable' if can_edit_custom_field(cf) %> <%= 'data-editable' if can_manage_sample_elements?(@team) %>
<%= 'data-deletable' if can_delete_custom_field(cf) %> <%= 'data-deletable' if can_manage_sample_elements?(@team) %>
<%= "data-edit-url='#{edit_team_custom_field_path(@team, cf)}'" %> <%= "data-edit-url='#{edit_team_custom_field_path(@team, cf)}'" %>
<%= "data-update-url='#{team_custom_field_path(@team, cf)}'" %> <%= "data-update-url='#{team_custom_field_path(@team, cf)}'" %>
<%= "data-destroy-html-url='#{team_custom_field_destroy_html_path(@team, cf)}'" %> <%= "data-destroy-html-url='#{team_custom_field_destroy_html_path(@team, cf)}'" %>
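Review bot: In the last hunk `can_manage_sample_elements?(@team)` is evaluated twice per column inside `all_custom_fields.each`, although it no longer depends on `cf`; hoist it once before the loop, e.g. `<% can_manage_elements = can_manage_sample_elements?(@team) %>`, and then use `<%= 'data-editable' if can_manage_elements %>` and `<%= 'data-deletable' if can_manage_elements %>`. This is a style point only; the rendered attributes are unchanged. The `<th>` element and the surrounding loop start before and end after the hunk.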