mirror of
https://github.com/scinote-eln/scinote-web.git
synced 2024-12-25 09:13:05 +08:00
Merge pull request #3556 from okriuchykhin/ok_SCI_6062
Update/implement permission checks in the _my_modules_tags_controller [SCI-6062]
This commit is contained in:
commit
51e7f7668a
2 changed files with 74 additions and 7 deletions
|
@ -2,7 +2,7 @@ class MyModuleTagsController < ApplicationController
|
|||
include InputSanitizeHelper
|
||||
|
||||
before_action :load_vars, except: :canvas_index
|
||||
before_action :check_view_permissions, only: %i(index index_edit)
|
||||
before_action :check_view_permissions, except: %i(canvas_index create destroy destroy_by_tag_id)
|
||||
before_action :check_manage_permissions, only: %i(create destroy destroy_by_tag_id)
|
||||
|
||||
def index_edit
|
||||
|
@ -38,7 +38,8 @@ class MyModuleTagsController < ApplicationController
|
|||
|
||||
def canvas_index
|
||||
experiment = Experiment.find(params[:id])
|
||||
render_403 unless can_read_experiment?(experiment)
|
||||
return render_403 unless can_read_experiment?(experiment)
|
||||
|
||||
res = []
|
||||
experiment.my_modules.active.each do |my_module|
|
||||
res << {
|
||||
|
@ -157,17 +158,15 @@ class MyModuleTagsController < ApplicationController
|
|||
def load_vars
|
||||
@my_module = MyModule.find_by_id(params[:my_module_id])
|
||||
|
||||
unless @my_module
|
||||
render_404
|
||||
end
|
||||
render_404 if @my_module.blank?
|
||||
end
|
||||
|
||||
def check_view_permissions
|
||||
render_403 unless can_read_experiment?(@my_module.experiment)
|
||||
render_403 unless can_read_my_module?(@my_module)
|
||||
end
|
||||
|
||||
def check_manage_permissions
|
||||
render_403 unless can_manage_my_module?(@my_module)
|
||||
render_403 unless can_manage_my_module_tags?(@my_module)
|
||||
end
|
||||
|
||||
def mt_params
|
||||
|
|
|
@ -0,0 +1,68 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'rails_helper'
|
||||
|
||||
describe MyModuleTagsController, type: :controller do
|
||||
include PermissionExtends
|
||||
|
||||
it_behaves_like "a controller with authentication", {
|
||||
index_edit: { my_module_id: 1 },
|
||||
index: { my_module_id: 1 },
|
||||
canvas_index: { id: 1 },
|
||||
create: { my_module_id: 1 },
|
||||
destroy: { my_module_id: 1, id: 1 },
|
||||
search_tags: { my_module_id: 1 },
|
||||
destroy_by_tag_id: { my_module_id: 1, id: 1 }
|
||||
}, []
|
||||
|
||||
login_user
|
||||
|
||||
describe 'permissions checking' do
|
||||
include_context 'reference_project_structure', {
|
||||
team_role: :normal_user,
|
||||
tag: true
|
||||
}
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :get, :index_edit do
|
||||
let(:testable) { my_module }
|
||||
let(:permissions) { [MyModulePermissions::READ] }
|
||||
let(:action_params) { { my_module_id: my_module.id } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :get, :index do
|
||||
let(:testable) { my_module }
|
||||
let(:permissions) { [MyModulePermissions::READ] }
|
||||
let(:action_params) { { my_module_id: my_module.id } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :get, :canvas_index do
|
||||
let(:testable) { experiment }
|
||||
let(:permissions) { [ExperimentPermissions::READ] }
|
||||
let(:action_params) { { id: experiment.id } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :post, :create do
|
||||
let(:testable) { my_module }
|
||||
let(:permissions) { [MyModulePermissions::TAGS_MANAGE] }
|
||||
let(:action_params) { { my_module_id: my_module.id } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :post, :destroy do
|
||||
let(:testable) { my_module }
|
||||
let(:permissions) { [MyModulePermissions::TAGS_MANAGE] }
|
||||
let(:action_params) { { my_module_id: my_module.id, id: tag.id } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :get, :search_tags do
|
||||
let(:testable) { my_module }
|
||||
let(:permissions) { [MyModulePermissions::READ] }
|
||||
let(:action_params) { { my_module_id: my_module.id } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :post, :destroy_by_tag_id do
|
||||
let(:testable) { my_module }
|
||||
let(:permissions) { [MyModulePermissions::TAGS_MANAGE] }
|
||||
let(:action_params) { { my_module_id: my_module.id, id: tag.id } }
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in a new issue