Merge pull request #3556 from okriuchykhin/ok_SCI_6062

Update/implement permission checks in the _my_modules_tags_controller [SCI-6062]
This commit is contained in:
Alex Kriuchykhin 2021-09-23 17:23:22 +02:00 committed by GitHub
commit 51e7f7668a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 74 additions and 7 deletions

View file

@ -2,7 +2,7 @@ class MyModuleTagsController < ApplicationController
include InputSanitizeHelper
before_action :load_vars, except: :canvas_index
before_action :check_view_permissions, only: %i(index index_edit)
before_action :check_view_permissions, except: %i(canvas_index create destroy destroy_by_tag_id)
before_action :check_manage_permissions, only: %i(create destroy destroy_by_tag_id)
def index_edit
@ -38,7 +38,8 @@ class MyModuleTagsController < ApplicationController
def canvas_index
experiment = Experiment.find(params[:id])
render_403 unless can_read_experiment?(experiment)
return render_403 unless can_read_experiment?(experiment)
res = []
experiment.my_modules.active.each do |my_module|
res << {
@ -157,17 +158,15 @@ class MyModuleTagsController < ApplicationController
def load_vars
@my_module = MyModule.find_by_id(params[:my_module_id])
unless @my_module
render_404
end
render_404 if @my_module.blank?
end
def check_view_permissions
render_403 unless can_read_experiment?(@my_module.experiment)
render_403 unless can_read_my_module?(@my_module)
end
def check_manage_permissions
render_403 unless can_manage_my_module?(@my_module)
render_403 unless can_manage_my_module_tags?(@my_module)
end
def mt_params

View file

@ -0,0 +1,68 @@
# frozen_string_literal: true
require 'rails_helper'
describe MyModuleTagsController, type: :controller do
include PermissionExtends
it_behaves_like "a controller with authentication", {
index_edit: { my_module_id: 1 },
index: { my_module_id: 1 },
canvas_index: { id: 1 },
create: { my_module_id: 1 },
destroy: { my_module_id: 1, id: 1 },
search_tags: { my_module_id: 1 },
destroy_by_tag_id: { my_module_id: 1, id: 1 }
}, []
login_user
describe 'permissions checking' do
include_context 'reference_project_structure', {
team_role: :normal_user,
tag: true
}
it_behaves_like "a controller action with permissions checking", :get, :index_edit do
let(:testable) { my_module }
let(:permissions) { [MyModulePermissions::READ] }
let(:action_params) { { my_module_id: my_module.id } }
end
it_behaves_like "a controller action with permissions checking", :get, :index do
let(:testable) { my_module }
let(:permissions) { [MyModulePermissions::READ] }
let(:action_params) { { my_module_id: my_module.id } }
end
it_behaves_like "a controller action with permissions checking", :get, :canvas_index do
let(:testable) { experiment }
let(:permissions) { [ExperimentPermissions::READ] }
let(:action_params) { { id: experiment.id } }
end
it_behaves_like "a controller action with permissions checking", :post, :create do
let(:testable) { my_module }
let(:permissions) { [MyModulePermissions::TAGS_MANAGE] }
let(:action_params) { { my_module_id: my_module.id } }
end
it_behaves_like "a controller action with permissions checking", :post, :destroy do
let(:testable) { my_module }
let(:permissions) { [MyModulePermissions::TAGS_MANAGE] }
let(:action_params) { { my_module_id: my_module.id, id: tag.id } }
end
it_behaves_like "a controller action with permissions checking", :get, :search_tags do
let(:testable) { my_module }
let(:permissions) { [MyModulePermissions::READ] }
let(:action_params) { { my_module_id: my_module.id } }
end
it_behaves_like "a controller action with permissions checking", :post, :destroy_by_tag_id do
let(:testable) { my_module }
let(:permissions) { [MyModulePermissions::TAGS_MANAGE] }
let(:action_params) { { my_module_id: my_module.id, id: tag.id } }
end
end
end