Small permission fixes for controllers [SCI-6132] (#3581)

app/controllers/assets_controller.rb

@@ -178,8 +178,8 @@ class AssetsController < ApplicationController
     # Create file depending on the type
     if params[:element_type] == 'Step'
       step = Step.find(params[:element_id].to_i)
-      render_403 && return unless can_manage_protocol_in_module?(step.protocol) ||
-                                  can_manage_protocol_in_repository?(step.protocol)
+      render_403 && return unless can_manage_step?(step)
+
       step_asset = StepAsset.create!(step: step, asset: asset)
       asset.update!(view_mode: step.assets_view_mode)
       step.protocol&.update(updated_at: Time.zone.now)

app/controllers/bio_eddie_assets_controller.rb

@@ -118,8 +118,7 @@ class BioEddieAssetsController < ApplicationController
   def check_edit_permission
     case @assoc
     when Step
-      return render_403 unless can_manage_protocol_in_module?(@protocol) ||
-                               can_manage_protocol_in_repository?(@protocol)
+      return render_403 unless can_manage_step?(@assoc)
     when Result, MyModule
       return render_403 unless can_manage_my_module?(@my_module)
     else

app/controllers/dashboard/current_tasks_controller.rb

@@ -15,9 +15,11 @@ module Dashboard
               elsif @project
                 MyModule.active.where(projects: { id: @project.id })
               else
-                MyModule.active.viewable_by_user(current_user, current_team)
+                MyModule.active
               end
 
+      tasks = tasks.viewable_by_user(current_user, current_team)
+
       tasks = tasks.joins(experiment: :project)
                    .where(experiments: { archived: false })
                    .where(projects: { archived: false })

app/controllers/dashboard/quick_start_controller.rb

@@ -35,6 +35,7 @@ module Dashboard
         experiments = [{ value: 0, label: params[:query] }]
       elsif @project
         experiments = @project.experiments
+                              .managable_by_user(current_user)
                               .search(current_user, false, params[:query], 1, current_team)
                               .select(:id, :name)
         experiments = experiments.map { |i| { value: i.id, label: escape_input(i.name) } }

app/controllers/marvin_js_assets_controller.rb

@@ -95,8 +95,7 @@ class MarvinJsAssetsController < ApplicationController
 
   def check_edit_permission
     if @assoc.class == Step
-      return render_403 unless can_manage_protocol_in_module?(@protocol) ||
-                               can_manage_protocol_in_repository?(@protocol)
+      return render_403 unless can_manage_step?(@assoc)
     elsif @assoc.class == Result || @assoc.class == MyModule
       return render_403 unless can_manage_my_module?(@my_module)
     else

app/controllers/steps_controller.rb

@@ -10,7 +10,8 @@ class StepsController < ApplicationController
   before_action :convert_table_contents_to_utf8, only: %i(create update)
 
   before_action :check_view_permissions, only: :show
-  before_action :check_manage_permissions, only: %i(new create edit update destroy move_up move_down
+  before_action :check_create_permissions, only: %i(new create)
+  before_action :check_manage_permissions, only: %i(edit update destroy move_up move_down
                                                     update_view_state update_asset_view_mode)
   before_action :check_complete_and_checkbox_permissions, only: %i(toggle_step_state checklistitem_state)
 
@@ -497,7 +498,15 @@ class StepsController < ApplicationController
   end
 
   def check_manage_permissions
-    render_403 unless can_manage_protocol_in_module?(@protocol) || can_manage_protocol_in_repository?(@protocol)
+    render_403 unless can_manage_step?(@step)
+  end
+
+  def check_create_permissions
+    if @my_module
+      render_403 unless can_manage_my_module_steps?(@my_module)
+    else
+      render_403 unless can_manage_protocol_in_repository?(@protocol)
+    end
   end
 
   def check_complete_and_checkbox_permissions

app/controllers/tags_controller.rb

@@ -157,11 +157,11 @@ class TagsController < ApplicationController
   def check_manage_my_module_permissions
     my_module = MyModule.find_by id: params[:my_module_id]
 
-    render_403 if my_module && !can_manage_my_module?(my_module)
+    render_403 if my_module && !can_manage_my_module_tags?(my_module)
   end
 
   def check_manage_permissions
-    render_403 unless can_manage_project?(@project)
+    render_403 unless can_manage_project_tags?(@project)
   end
 
   def tag_params

app/controllers/tiny_mce_assets_controller.rb

@@ -121,13 +121,18 @@ class TinyMceAssetsController < ApplicationController
   end
 
   def check_edit_permission
-    if @assoc.class == Step || @assoc.class == Protocol
+    if @assoc.nil?
+      return render_403 unless current_team == @asset.team
+    end
+
+    case @assoc
+    when Step
+      return render_403 unless can_manage_step?(@assoc)
+    when Protocol
       return render_403 unless can_manage_protocol_in_module?(@protocol) ||
                                can_manage_protocol_in_repository?(@protocol)
-    elsif @assoc.class == ResultText || @assoc.class == MyModule
+    when ResultText, MyModule
       return render_403 unless can_manage_my_module?(@my_module)
-    elsif @assoc.nil?
-      return render_403 unless current_team == @asset.team
     else
       render_403
     end

app/controllers/wopi_controller.rb

@@ -282,7 +282,7 @@ class WopiController < ActionController::Base
     if @assoc.class == Step
       if @protocol.in_module?
         @can_read = can_read_protocol_in_module?(@protocol)
-        @can_write = can_manage_protocol_in_module?(@protocol)
+        @can_write = can_manage_step?(@assoc)
         @close_url = protocols_my_module_url(@protocol.my_module, only_path: false, host: ENV['WOPI_USER_HOST'])
 
         project = @protocol.my_module.experiment.project
@@ -291,7 +291,7 @@ class WopiController < ActionController::Base
         @breadcrumb_folder_name = @protocol.my_module.name
       else
         @can_read = can_read_protocol_in_repository?(@protocol)
-        @can_write = can_manage_protocol_in_repository?(@protocol)
+        @can_write = can_manage_step?(@assoc)
         @close_url = protocols_url(only_path: false, host: ENV['WOPI_USER_HOST'])
 
         @breadcrump_brand_name = 'Projects'

app/permissions/step.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+Canaid::Permissions.register_for(Step) do
+  can :manage_step do |user, step|
+    if step.my_module
+      can_manage_my_module_steps?(user, step.my_module)
+    else
+      can_manage_protocol_in_repository?(user, step.protocol)
+    end
+  end
+end