diff --git a/app/controllers/assets_controller.rb b/app/controllers/assets_controller.rb
index 5b2d1abe3..af81a47e4 100644
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@@ -178,8 +178,8 @@ class AssetsController < ApplicationController
 # Create file depending on the type
 if params[:element_type] == 'Step'
 step = Step.find(params[:element_id].to_i)
- render_403 && return unless can_manage_protocol_in_module?(step.protocol) ||
- can_manage_protocol_in_repository?(step.protocol)
+ render_403 && return unless can_manage_step?(step)
+
 step_asset = StepAsset.create!(step: step, asset: asset)
 asset.update!(view_mode: step.assets_view_mode)
 step.protocol&.update(updated_at: Time.zone.now)
diff --git a/app/controllers/bio_eddie_assets_controller.rb b/app/controllers/bio_eddie_assets_controller.rb
index 15dceef9c..3237b3a68 100644
--- a/app/controllers/bio_eddie_assets_controller.rb
+++ b/app/controllers/bio_eddie_assets_controller.rb
@@ -118,8 +118,7 @@ class BioEddieAssetsController < ApplicationController
 def check_edit_permission
 case @assoc
 when Step
- return render_403 unless can_manage_protocol_in_module?(@protocol) ||
- can_manage_protocol_in_repository?(@protocol)
+ return render_403 unless can_manage_step?(@assoc)
 when Result, MyModule
 return render_403 unless can_manage_my_module?(@my_module)
 else
diff --git a/app/controllers/dashboard/current_tasks_controller.rb b/app/controllers/dashboard/current_tasks_controller.rb
index 846abc7e1..deb7843c3 100644
--- a/app/controllers/dashboard/current_tasks_controller.rb
+++ b/app/controllers/dashboard/current_tasks_controller.rb
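Review bot: The new guard keeps the `render_403 && return` form, which only stops the action because `render_403` happens to return a truthy value; the other check_edit_permission hunks in this commit use the explicit guard clause `return render_403 unless can_manage_step?(step)`, which does not depend on that return value and is the form a later reader will expect. The blank line added directly after the check also separates the permission test from the `StepAsset.create!` it protects; dropping it keeps the guard visually attached to the guarded write. The enclosing create action starts before and ends after the hunk.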
@@ -15,9 +15,11 @@ module Dashboard
 elsif @project
 MyModule.active.where(projects: { id: @project.id })
 else
- MyModule.active.viewable_by_user(current_user, current_team)
+ MyModule.active
 end
 
+ tasks = tasks.viewable_by_user(current_user, current_team)
+
 tasks = tasks.joins(experiment: :project)
 .where(experiments: { archived: false })
 .where(projects: { archived: false })
diff --git a/app/controllers/dashboard/quick_start_controller.rb b/app/controllers/dashboard/quick_start_controller.rb
index e85ff1659..d60e1b0c1 100644
--- a/app/controllers/dashboard/quick_start_controller.rb
+++ b/app/controllers/dashboard/quick_start_controller.rb
@@ -35,6 +35,7 @@ module Dashboard
 experiments = [{ value: 0, label: params[:query] }]
 elsif @project
 experiments = @project.experiments
+ .managable_by_user(current_user)
 .search(current_user, false, params[:query], 1, current_team)
 .select(:id, :name)
 experiments = experiments.map { |i| { value: i.id, label: escape_input(i.name) } }
diff --git a/app/controllers/marvin_js_assets_controller.rb b/app/controllers/marvin_js_assets_controller.rb
index 886ca3e72..3153a405f 100644
--- a/app/controllers/marvin_js_assets_controller.rb
+++ b/app/controllers/marvin_js_assets_controller.rb
@@ -95,8 +95,7 @@ class MarvinJsAssetsController < ApplicationController
 
 def check_edit_permission
 if @assoc.class == Step
- return render_403 unless can_manage_protocol_in_module?(@protocol) ||
- can_manage_protocol_in_repository?(@protocol)
+ return render_403 unless can_manage_step?(@assoc)
 elsif @assoc.class == Result || @assoc.class == MyModule
 return render_403 unless can_manage_my_module?(@my_module)
 else
diff --git a/app/controllers/steps_controller.rb b/app/controllers/steps_controller.rb
index 1bb3d22f1..80ccc5f07 100644
--- a/app/controllers/steps_controller.rb
+++ b/app/controllers/steps_controller.rb
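Review bot: `tasks = tasks.viewable_by_user(current_user, current_team)` is now the authorization boundary for the `@experiment` and `@project` branches as well, which previously relied on the loaded parent alone, but nothing on the line says so and a later edit could move it back into the `else` branch as a "simplification". A comment such as `# authorization: always restrict to tasks the user may view, whatever base relation was chosen above` would pin the intent. The `@experiment` branch and the start of the method lie above the hunk, so whether those parents are themselves permission-checked cannot be confirmed here.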
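Review bot: `.managable_by_user(current_user)` is applied only on the `@project` branch; the preceding branch of this `if` and any fallthrough are outside the hunk, so it should be confirmed that every path returning real experiment ids is scoped the same way. Within the hunk, the first branch places `params[:query]` into `label` unescaped while experiment names go through `escape_input(i.name)`; if the view treats labels as HTML, that asymmetry is worth closing with `label: escape_input(params[:query])`, assuming the helper is appropriate for that value. The enclosing action starts before the hunk.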
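Review bot: The new `return render_403 unless can_manage_step?(@assoc)` sits inside an `if @assoc.class == Step ... elsif @assoc.class == Result || @assoc.class == MyModule` chain, while the same dispatch in bio_eddie_assets_controller.rb and tiny_mce_assets_controller.rb in this commit uses `case @assoc` / `when Step`; the `.class ==` form also excludes subclasses, which `when` (via `===`) accepts. Rewriting this method as `case @assoc` / `when Step` / `when Result, MyModule` keeps the three controllers' permission checks identical and easier to audit side by side. The method's `else` branch continues below the hunk.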
@@ -10,7 +10,8 @@ class StepsController < ApplicationController
 before_action :convert_table_contents_to_utf8, only: %i(create update)
 before_action :check_view_permissions, only: :show
- before_action :check_manage_permissions, only: %i(new create edit update destroy move_up move_down
+ before_action :check_create_permissions, only: %i(new create)
+ before_action :check_manage_permissions, only: %i(edit update destroy move_up move_down
 update_view_state update_asset_view_mode)
 before_action :check_complete_and_checkbox_permissions, only: %i(toggle_step_state checklistitem_state)
@@ -497,7 +498,15 @@ class StepsController < ApplicationController
 end
 
 def check_manage_permissions
- render_403 unless can_manage_protocol_in_module?(@protocol) || can_manage_protocol_in_repository?(@protocol)
+ render_403 unless can_manage_step?(@step)
+ end
+
+ def check_create_permissions
+ if @my_module
+ render_403 unless can_manage_my_module_steps?(@my_module)
+ else
+ render_403 unless can_manage_protocol_in_repository?(@protocol)
+ end
 end
 
 def check_complete_and_checkbox_permissions
diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb
index b394a05c4..b1164cf4d 100644
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@@ -157,11 +157,11 @@ class TagsController < ApplicationController
 
 def check_manage_my_module_permissions
 my_module = MyModule.find_by id: params[:my_module_id]
- render_403 if my_module && !can_manage_my_module?(my_module)
+ render_403 if my_module && !can_manage_my_module_tags?(my_module)
 end
 
 def check_manage_permissions
- render_403 unless can_manage_project?(@project)
+ render_403 unless can_manage_project_tags?(@project)
 end
 
 def tag_params
diff --git a/app/controllers/tiny_mce_assets_controller.rb b/app/controllers/tiny_mce_assets_controller.rb
index c0dfe32d8..8e55bc03b 100644
--- a/app/controllers/tiny_mce_assets_controller.rb
+++ b/app/controllers/tiny_mce_assets_controller.rb
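Review bot: In `check_create_permissions`, when `@my_module` is nil the `else` branch hands whatever `@protocol` the earlier loader set to `can_manage_protocol_in_repository?`, so a nil `@protocol` reaches the permission helper instead of a 403; whether that helper fails closed on nil is not visible here, and `return render_403 if @my_module.nil? && @protocol.nil?` ahead of the dispatch would make the fail-closed behavior local to this filter. `can_manage_step?(@step)` in `check_manage_permissions` likewise now depends on `@step` being loaded for every action listed in the before_action hunk at line 10, and the loader is outside both hunks. A one-line comment on `check_create_permissions` noting that it mirrors the task/repository dispatch in app/permissions/step.rb would tie the two together for the next reader.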
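Review bot: `render_403 if my_module && !can_manage_my_module_tags?(my_module)` still lets the request through when `params[:my_module_id]` is absent or does not resolve, because `find_by` returns nil and the guard is skipped; if the actions behind this filter always expect a module, `render_403 unless my_module && can_manage_my_module_tags?(my_module)` fails closed. If a missing module is intentionally covered by `check_manage_permissions` on the project instead, a comment saying so on the filter would stop this from being re-raised. Both methods are complete within the hunk.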
@@ -121,13 +121,18 @@ class TinyMceAssetsController < ApplicationController
 end
 
 def check_edit_permission
- if @assoc.class == Step || @assoc.class == Protocol
+ if @assoc.nil?
+ return render_403 unless current_team == @asset.team
+ end
+
+ case @assoc
+ when Step
+ return render_403 unless can_manage_step?(@assoc)
+ when Protocol
 return render_403 unless can_manage_protocol_in_module?(@protocol) ||
 can_manage_protocol_in_repository?(@protocol)
- elsif @assoc.class == ResultText || @assoc.class == MyModule
+ when ResultText, MyModule
 return render_403 unless can_manage_my_module?(@my_module)
- elsif @assoc.nil?
- return render_403 unless current_team == @asset.team
 else
 render_403
 end
diff --git a/app/controllers/wopi_controller.rb b/app/controllers/wopi_controller.rb
index 134bc49dd..b4fd31622 100644
--- a/app/controllers/wopi_controller.rb
+++ b/app/controllers/wopi_controller.rb
@@ -282,7 +282,7 @@ class WopiController < ActionController::Base
 if @assoc.class == Step
 if @protocol.in_module?
 @can_read = can_read_protocol_in_module?(@protocol)
- @can_write = can_manage_protocol_in_module?(@protocol)
+ @can_write = can_manage_step?(@assoc)
 @close_url = protocols_my_module_url(@protocol.my_module, only_path: false, host: ENV['WOPI_USER_HOST'])
 project = @protocol.my_module.experiment.project
@@ -291,7 +291,7 @@ class WopiController < ActionController::Base
 @breadcrumb_folder_name = @protocol.my_module.name
 else
 @can_read = can_read_protocol_in_repository?(@protocol)
- @can_write = can_manage_protocol_in_repository?(@protocol)
+ @can_write = can_manage_step?(@assoc)
 @close_url = protocols_url(only_path: false, host: ENV['WOPI_USER_HOST'])
 @breadcrump_brand_name = 'Projects'
diff --git a/app/permissions/step.rb b/app/permissions/step.rb
new file mode 100644
index 000000000..aef73030a
--- /dev/null
+++ b/app/permissions/step.rb
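Review bot: The nil-association path is now always denied: when `@assoc` is nil and `current_team == @asset.team`, the new `if @assoc.nil?` block does not return, execution continues into `case @assoc`, no `when` matches nil, and the `else` branch calls `render_403`; before this change the `elsif @assoc.nil?` arm ended the chain. This fails closed rather than open, but it breaks editing of assets that are not yet attached to a step, protocol or result. Fold the check into the case as its first branch, `when nil` / `return render_403 unless current_team == @asset.team`, and delete the standalone `if @assoc.nil?` block.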
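Review bot: `@can_write = can_manage_step?(@assoc)` is now identical in both arms of `if @protocol.in_module?` (this hunk and the one at line 291), so it can be hoisted above the branch and the arms keep only what differs (`@can_read`, the close URL, the breadcrumbs). Note that the read check still branches on `@protocol.in_module?` while the new write check in app/permissions/step.rb dispatches on `step.my_module`; if those two predicates can disagree for a step, read and write would be evaluated against different owners, which is worth confirming. The `if @assoc.class == Step` block extends past both hunks.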
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+Canaid::Permissions.register_for(Step) do
+ can :manage_step do |user, step|
+ if step.my_module
+ can_manage_my_module_steps?(user, step.my_module)
+ else
+ can_manage_protocol_in_repository?(user, step.protocol)
+ end
+ end
+end
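Review bot: The new permission carries no comment explaining why `manage_step` dispatches on `step.my_module` rather than on the protocol's location, and the `else` branch passes `step.protocol` to `can_manage_protocol_in_repository?` unguarded, so a step without a protocol (if the model allows one) hands nil to that helper; `step.protocol && can_manage_protocol_in_repository?(user, step.protocol)` would make the fail-closed intent explicit, or a comment should state that the association is required. Suggested header comment above `can :manage_step`: `# A step is manageable through its task (my_module) when it belongs to one, otherwise through the repository protocol that owns it.` Every controller in this commit now routes step writes through this block, so it is the single place to audit.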