From 5bda53eebfad742d07dbe590b0a08ebd5cab6766 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Matej=20Zrim=C5=A1ek?= Date: Thu, 15 Feb 2018 18:46:29 +0100 Subject: [PATCH] Overall refactoring of all canaid permissions and code related to their calls. --- app/controllers/assets_controller.rb | 2 +- app/controllers/concerns/sample_actions.rb | 7 +- app/controllers/custom_fields_controller.rb | 8 +- .../my_module_comments_controller.rb | 2 +- app/controllers/my_modules_controller.rb | 3 +- .../project_comments_controller.rb | 2 +- app/controllers/protocols_controller.rb | 54 +++++------- app/controllers/reports_controller.rb | 4 +- app/controllers/repositories_controller.rb | 6 +- .../repository_columns_controller.rb | 6 +- app/controllers/repository_rows_controller.rb | 15 ++-- app/controllers/result_comments_controller.rb | 2 +- app/controllers/results_controller.rb | 6 +- app/controllers/sample_groups_controller.rb | 12 ++- app/controllers/sample_types_controller.rb | 12 ++- app/controllers/samples_controller.rb | 9 +- app/controllers/step_comments_controller.rb | 2 +- app/controllers/steps_controller.rb | 6 +- app/controllers/tags_controller.rb | 2 +- app/controllers/teams_controller.rb | 9 +- app/controllers/wopi_controller.rb | 2 +- app/datatables/protocols_datatable.rb | 6 +- app/helpers/results_helper.rb | 2 +- app/helpers/samples_helper.rb | 4 - app/permissions/experiment.rb | 22 ++--- app/permissions/organization.rb | 3 +- app/permissions/project.rb | 20 ++--- app/permissions/team.rb | 88 +++++++++---------- app/views/experiments/canvas.html.erb | 2 +- app/views/my_module_comments/_index.html.erb | 2 +- app/views/my_module_tags/_index_edit.html.erb | 6 +- app/views/my_modules/archive/_result.html.erb | 2 +- .../_protocol_status_bar_buttons.html.erb | 4 +- app/views/my_modules/repository.html.erb | 2 +- app/views/project_comments/_index.html.erb | 2 +- app/views/projects/show.html.erb | 4 +- app/views/protocols/_header.html.erb | 14 +-- app/views/protocols/_steps.html.erb | 2 +- .../_protocol_preview_modal_footer.html.erb | 2 +- 
app/views/reports/index.html.erb | 2 +- app/views/repositories/_repository.html.erb | 33 ++++--- .../repositories/_repository_table.html.erb | 4 +- app/views/result_comments/_index.html.erb | 2 +- .../results/partials/_step_text.html.erb | 4 +- app/views/shared/_samples.html.erb | 47 +++++----- app/views/step_comments/_index.html.erb | 2 +- app/views/steps/_step.html.erb | 2 +- app/views/steps/_wopi_controlls.html.erb | 2 +- 48 files changed, 220 insertions(+), 236 deletions(-) diff --git a/app/controllers/assets_controller.rb b/app/controllers/assets_controller.rb index 719bcc654..2e44a88be 100644 --- a/app/controllers/assets_controller.rb +++ b/app/controllers/assets_controller.rb @@ -125,7 +125,7 @@ class AssetsController < ApplicationController def check_edit_permission if @assoc.class == Step render_403 && return unless can_manage_protocol_in_module?(@protocol) || - can_update_protocol_in_repository?(@protocol) + can_manage_protocol_in_repository?(@protocol) elsif @assoc.class == Result render_403 and return unless can_manage_module?(@my_module) end diff --git a/app/controllers/concerns/sample_actions.rb b/app/controllers/concerns/sample_actions.rb index 2e94cdbec..0edb9166c 100644 --- a/app/controllers/concerns/sample_actions.rb +++ b/app/controllers/concerns/sample_actions.rb @@ -2,7 +2,6 @@ module SampleActions extend ActiveSupport::Concern def delete_samples - check_destroy_samples_permissions if params[:sample_ids].present? counter_user = 0 @@ -10,7 +9,7 @@ module SampleActions params[:sample_ids].each do |id| sample = Sample.find_by_id(id) - if sample && can_update_or_delete_sample?(sample) + if sample && can_manage_sample?(sample) sample.destroy counter_user += 1 else @@ -42,8 +41,4 @@ module SampleActions redirect_to samples_experiment_path(@experiment) end end - - def check_destroy_samples_permissions - render_403 unless can_manage_samples?(@project.team) - end end 
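Review bot: With `check_destroy_samples_permissions` removed from the top of `delete_samples`, the per-sample `can_manage_sample?(sample)` call inside the loop is now the only authorization gate, and `Sample.find_by_id(id)` is not scoped to the current team or project. That is sound only if `can_manage_sample?` itself verifies the caller's relation to the sample's team; the permission body is not visible in this patch, so it should be confirmed rather than assumed. A comment at the loop would make the contract explicit: `# Authorization is per sample: can_manage_sample? must check team membership, since find_by_id is unscoped.` The remainder of `delete_samples` (the counters and the redirect) lies outside the first hunk.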
diff --git a/app/controllers/custom_fields_controller.rb b/app/controllers/custom_fields_controller.rb index 56f738bb6..014caab75 100644 --- a/app/controllers/custom_fields_controller.rb +++ b/app/controllers/custom_fields_controller.rb @@ -4,7 +4,7 @@ class CustomFieldsController < ApplicationController before_action :load_vars, except: :create before_action :load_vars_nested, only: [:create, :destroy_html] before_action :check_create_permissions, only: :create - before_action :check_update_and_delete_permissions, except: :create + before_action :check_manage_permissions, except: :create def create @custom_field = CustomField.new(custom_field_params) @@ -105,11 +105,11 @@ class CustomFieldsController < ApplicationController end def check_create_permissions - render_403 unless can_manage_sample_columns?(@team) + render_403 unless can_create_sample_columns?(@team) end - def check_update_and_delete_permissions - render_403 unless can_update_or_delete_custom_field?(@custom_field) + def check_manage_permissions + render_403 unless can_manage_sample_column?(@custom_field) end def custom_field_params diff --git a/app/controllers/my_module_comments_controller.rb b/app/controllers/my_module_comments_controller.rb index 5799372dd..2a0251384 100644 --- a/app/controllers/my_module_comments_controller.rb +++ b/app/controllers/my_module_comments_controller.rb @@ -183,7 +183,7 @@ class MyModuleCommentsController < ApplicationController end def check_add_permissions - render_403 unless can_create_comment_in_module?(@my_module) + render_403 unless can_create_comments_in_module?(@my_module) end def check_manage_permissions diff --git a/app/controllers/my_modules_controller.rb b/app/controllers/my_modules_controller.rb index 22b973915..51c98aa28 100644 --- a/app/controllers/my_modules_controller.rb +++ b/app/controllers/my_modules_controller.rb 
@@ -608,7 +608,8 @@ class MyModulesController < ApplicationController end def check_assign_repository_records_permissions - render_403 unless can_assign_repository_records_to_module?(@my_module) + render_403 unless module_page? && + can_assign_repository_rows_to_module?(@my_module) end def check_complete_module_permission diff --git a/app/controllers/project_comments_controller.rb b/app/controllers/project_comments_controller.rb index b02490737..9cf099cdc 100644 --- a/app/controllers/project_comments_controller.rb +++ b/app/controllers/project_comments_controller.rb @@ -174,7 +174,7 @@ class ProjectCommentsController < ApplicationController end def check_create_permissions - render_403 unless can_create_comment_in_project?(@project) + render_403 unless can_create_comments_in_project?(@project) end def check_manage_permissions diff --git a/app/controllers/protocols_controller.rb b/app/controllers/protocols_controller.rb index 0f110a58b..2be21efdb 100644 --- a/app/controllers/protocols_controller.rb +++ b/app/controllers/protocols_controller.rb @@ -18,7 +18,13 @@ class ProtocolsController < ApplicationController linked_children linked_children_datatable ) - before_action :check_edit_permissions, only: %i( + before_action :check_view_all_permissions, only: %i( + index + datatable + ) + # For update_from_parent and update_from_parent_modal we don't need to check + # read permission for the parent protocol + before_action :check_manage_in_module_permissions, only: %i( edit update_metadata update_keywords @@ -26,14 +32,6 @@ class ProtocolsController < ApplicationController edit_keywords_modal edit_authors_modal edit_description_modal - ) - before_action :check_view_all_permissions, only: %i( - index - datatable - ) - # For update_from_parent and update_from_parent_modal we don't need to check - # read permission for the parent protocol - before_action :check_manage_permissions, only: %i( unlink unlink_modal revert 
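Review bot: The `edit`, `update_metadata`, `update_keywords`, `edit_*_modal` actions are now gated by `check_manage_in_module_permissions`, i.e. `can_manage_protocol_in_module?`, where they were previously gated by the repository permission, while app/datatables/protocols_datatable.rb in this same patch still builds the Edit link from `can_manage_protocol_in_repository?`. If `manage_protocol_in_module` evaluates to false for protocols that are not `in_module?` (its else branch is outside this patch), users holding the repository permission will see an Edit link that answers 403; if it delegates to the repository check, a one-line comment on the before_action saying so would spare the next reader the same question. The comment `# For update_from_parent and update_from_parent_modal we don't need to check read permission for the parent protocol` now sits above a before_action that also covers all the edit actions; move it next to the two actions it describes.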
@@ -41,7 +39,7 @@ class ProtocolsController < ApplicationController update_from_parent update_from_parent_modal ) - before_action :check_update_parent_permissions, only: %i( + before_action :check_manage_parent_in_repository_permissions, only: %i( update_parent update_parent_modal ) @@ -1066,27 +1064,17 @@ class ProtocolsController < ApplicationController end end - def check_edit_permissions - load_team_and_type + def check_manage_in_module_permissions @protocol = Protocol.find_by_id(params[:id]) - - unless can_update_protocol_in_repository?(@protocol) - render_403 - end - end - - def check_manage_permissions - @protocol = Protocol.find_by_id(params[:id]) - - render_403 if @protocol.blank? || !can_manage_protocol_in_module?(@protocol) - end - - def check_update_parent_permissions - @protocol = Protocol.find_by_id(params[:id]) - render_403 unless @protocol.present? && - (can_read_protocol_in_module?(@protocol) || - can_update_protocol_in_repository(@protocol.parent)) + can_manage_protocol_in_module?(@protocol) + end + + def check_manage_parent_in_repository_permissions + @protocol = Protocol.find_by_id(params[:id]) + render_403 unless @protocol.present? && + can_read_protocol_in_module?(@protocol) && + can_manage_protocol_in_repository(@protocol.parent) end def check_load_from_repository_views_permissions @@ -1130,7 +1118,7 @@ class ProtocolsController < ApplicationController @protocols = Protocol.where(id: params[:protocol_ids]) @protocols.find_each do |protocol| if !protocol.in_repository_public? || - !can_update_protocol_type_in_repository?(protocol) + !can_manage_protocol_in_repository?(protocol) respond_to { |f| f.json { render json: {}, status: :unauthorized } } return end 
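Review bot: `can_manage_protocol_in_repository(@protocol.parent)` in `check_manage_parent_in_repository_permissions` lacks the `?` suffix that every other permission call in this patch carries, so once `@protocol.present?` and `can_read_protocol_in_module?` are both true the filter raises NoMethodError (a 500) instead of deciding; the typo is inherited from the old `can_update_protocol_in_repository(...)` line, but the rename kept it. Change the line to `can_manage_protocol_in_repository?(@protocol.parent)`. `@protocol.parent` may also be nil for a protocol that is not linked; whether the permission tolerates a nil subject is not visible here and should be checked. Separately, the removed `check_edit_permissions` called `load_team_and_type` before checking, and its replacement does not, so any edit-path code that relied on `@team`/`@type` being set in the filter should be verified.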
@@ -1141,7 +1129,7 @@ class ProtocolsController < ApplicationController @protocols = Protocol.where(id: params[:protocol_ids]) @protocols.find_each do |protocol| if !protocol.in_repository_private? || - !can_update_protocol_type_in_repository?(protocol) + !can_manage_protocol_in_repository?(protocol) respond_to { |f| f.json { render json: {}, status: :unauthorized } } return end @@ -1152,7 +1140,7 @@ class ProtocolsController < ApplicationController @protocols = Protocol.where(id: params[:protocol_ids]) @protocols.find_each do |protocol| if protocol.in_repository_archived? || - !can_update_protocol_type_in_repository?(protocol) + !can_manage_protocol_in_repository?(protocol) respond_to { |f| f.json { render json: {}, status: :unauthorized } } return end @@ -1163,7 +1151,7 @@ class ProtocolsController < ApplicationController @protocols = Protocol.where(id: params[:protocol_ids]) @protocols.find_each do |protocol| if protocol.in_repository_active? || - !can_update_protocol_type_in_repository?(protocol) + !can_manage_protocol_in_repository?(protocol) respond_to { |f| f.json { render json: {}, status: :unauthorized } } return end diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb index 79504d9af..0238ac5a8 100644 --- a/app/controllers/reports_controller.rb +++ b/app/controllers/reports_controller.rb @@ -450,11 +450,11 @@ class ReportsController < ApplicationController end def check_create_permissions - render_403 unless can_create_or_manage_reports?(@project) + render_403 unless can_manage_reports?(@project) end def check_manage_permissions - render_403 unless can_create_or_manage_reports?(@project) + render_403 unless can_manage_reports?(@project) render_404 unless params.include? :report_ids end diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb index 86ed5b094..57e90cc0d 100644 --- a/app/controllers/repositories_controller.rb +++ b/app/controllers/repositories_controller.rb 
@@ -6,7 +6,7 @@ class RepositoriesController < ApplicationController before_action :check_team, only: %i(parse_sheet import_records) before_action :check_view_all_permissions, only: :index before_action :check_view_permissions, only: :export_repository - before_action :check_edit_and_destroy_permissions, only: + before_action :check_manage_permissions, only: %i(destroy destroy_modal rename_modal update) before_action :check_create_permissions, only: %i(create_new_modal create copy_modal copy) @@ -309,8 +309,8 @@ class RepositoriesController < ApplicationController @team.repositories.count < Constants::REPOSITORIES_LIMIT end - def check_edit_and_destroy_permissions - render_403 unless can_update_or_delete_repository?(@repository) + def check_manage_permissions + render_403 unless can_manage_repository?(@repository) end def repository_params diff --git a/app/controllers/repository_columns_controller.rb b/app/controllers/repository_columns_controller.rb index a98f38d89..e67dda400 100644 --- a/app/controllers/repository_columns_controller.rb +++ b/app/controllers/repository_columns_controller.rb @@ -4,7 +4,7 @@ class RepositoryColumnsController < ApplicationController before_action :load_vars, except: :create before_action :load_vars_nested, only: :create before_action :check_create_permissions, only: :create - before_action :check_update_and_delete_permissions, except: :create + before_action :check_manage_permissions, except: :create def create @repository_column = RepositoryColumn.new(repository_column_params) @@ -111,8 +111,8 @@ class RepositoryColumnsController < ApplicationController render_403 unless can_create_repository_columns?(@repository.team) end - def check_update_and_delete_permissions - render_403 unless can_update_or_delete_repository_column?(@repository_column) + def check_manage_permissions + render_403 unless can_manage_repository_column?(@repository_column) end def repository_column_params 
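Review bot: The context line `@team.repositories.count < Constants::REPOSITORIES_LIMIT` at the top of the second repositories_controller hunk is the same check this patch adds to the `create_repositories` permission in app/permissions/team.rb (`user.is_admin_of_team?(team) && team.repositories.count < Constants::REPOSITORIES_LIMIT`). With the limit now enforced inside the permission, the controller helper (its definition starts outside this hunk) is either redundant or a second place for the limit to drift; keeping the permission as the single source and having the helper delegate to it avoids that. The `check_manage_permissions` rename itself is consistent with the rest of the patch.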
diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb index d837579fe..88ba000dc 100644 --- a/app/controllers/repository_rows_controller.rb +++ b/app/controllers/repository_rows_controller.rb @@ -6,8 +6,7 @@ class RepositoryRowsController < ApplicationController before_action :load_vars, only: %i(edit update) before_action :load_repository, only: %i(create delete_records) before_action :check_create_permissions, only: :create - before_action :check_edit_permissions, only: %i(edit update) - before_action :check_destroy_permissions, only: :delete_records + before_action :check_manage_permissions, only: %i(edit update delete_records) def create record = RepositoryRow.new(repository: @repository, @@ -171,7 +170,7 @@ class RepositoryRowsController < ApplicationController if selected_params selected_params.each do |row_id| row = @repository.repository_rows.find_by_id(row_id) - if row && can_update_or_delete_repository_row?(row) + if row && can_manage_repository_row?(row) row.destroy && deleted_count += 1 end end @@ -221,12 +220,10 @@ class RepositoryRowsController < ApplicationController render_403 unless can_manage_repository_rows?(@repository.team) end - def check_edit_permissions - render_403 unless can_update_or_delete_repository_row?(@record) - end - - def check_destroy_permissions - render_403 unless can_manage_repository_rows?(@repository.team) + def check_manage_permissions + render_403 unless @repository.repository_rows.all? do |row| + can_manage_repository_row?(row) + end end def record_params diff --git a/app/controllers/result_comments_controller.rb b/app/controllers/result_comments_controller.rb index 884364a9f..6d4c48544 100644 --- a/app/controllers/result_comments_controller.rb +++ b/app/controllers/result_comments_controller.rb 
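Review bot: `check_manage_permissions` now grants `edit`, `update` and `delete_records` based on whether the caller can manage every row in the repository (`@repository.repository_rows.all? { can_manage_repository_row?(row) }`) rather than the row being edited, so the verdict is independent of `@record`, it performs one permission check per row on every request (unbounded on large repositories), and an empty repository passes vacuously. For `edit`/`update` it also depends on `@repository` being set by `load_vars`, which is not visible here, since `load_repository` runs only for `create` and `delete_records`. Restoring per-action checks keeps the cost constant and ties the decision to the record: edit/update on `@record`, delete_records on the team-level permission already used by `check_create_permissions`, with the existing per-row `can_manage_repository_row?(row)` inside the deletion loop kept as the second gate.
```ruby
  before_action :check_manage_permissions, only: %i(edit update)
  before_action :check_delete_records_permissions, only: :delete_records

  # … unchanged: create / edit / update / delete_records actions …

  def check_manage_permissions
    render_403 unless can_manage_repository_row?(@record)
  end

  def check_delete_records_permissions
    render_403 unless can_manage_repository_rows?(@repository.team)
  end
```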
@@ -175,7 +175,7 @@ class ResultCommentsController < ApplicationController end def check_add_permissions - render_403 unless can_create_comment_in_module?(@my_module) + render_403 unless can_create_comments_in_module?(@my_module) end def check_manage_permissions diff --git a/app/controllers/results_controller.rb b/app/controllers/results_controller.rb index a66b01880..dffe877cc 100644 --- a/app/controllers/results_controller.rb +++ b/app/controllers/results_controller.rb @@ -1,6 +1,6 @@ class ResultsController < ApplicationController before_action :load_vars - before_action :can_destroy_permissions + before_action :check_destroy_permissions def destroy act_log = t('my_modules.module_archive.table_log', @@ -39,7 +39,7 @@ class ResultsController < ApplicationController @my_module = @result.my_module end - def can_destroy_permissions - render_403 unless can_delete_or_archive_result?(@my_module) + def check_destroy_permissions + render_403 unless can_manage_result?(@my_module) end end diff --git a/app/controllers/sample_groups_controller.rb b/app/controllers/sample_groups_controller.rb index e5f3d09dd..ff6e49e84 100644 --- a/app/controllers/sample_groups_controller.rb +++ b/app/controllers/sample_groups_controller.rb @@ -1,6 +1,8 @@ class SampleGroupsController < ApplicationController before_action :load_vars_nested - before_action :check_permissions, except: %i(index sample_group_element) + before_action :check_view_permissions, only: %i(index sample_group_element) + before_action :check_manage_permissions, only: %i(create edit update destroy + destroy_confirmation) before_action :set_sample_group, except: %i(create index) before_action :set_project_my_module, only: :index layout 'fluid' 
@@ -133,8 +135,12 @@ class SampleGroupsController < ApplicationController render_404 unless @team end - def check_permissions - render_403 unless can_manage_sample_columns?(@team) + def check_view_permissions + render_403 unless can_read_team?(@team) + end + + def check_manage_permissions + render_403 unless can_manage_sample_types_and_groups?(@team) end def sample_group_params diff --git a/app/controllers/sample_types_controller.rb b/app/controllers/sample_types_controller.rb index 0b499bd66..cefbd9ee1 100644 --- a/app/controllers/sample_types_controller.rb +++ b/app/controllers/sample_types_controller.rb @@ -1,6 +1,8 @@ class SampleTypesController < ApplicationController before_action :load_vars_nested - before_action :check_permissions, except: %i(index sample_type_element) + before_action :check_view_permissions, only: %i(index sample_type_element) + before_action :check_manage_permissions, only: %i(create edit update destroy + destroy_confirmation) before_action :set_sample_type, except: %i(create index) before_action :set_project_my_module, only: :index layout 'fluid' @@ -129,8 +131,12 @@ class SampleTypesController < ApplicationController render_404 unless @team end - def check_permissions - render_403 unless can_manage_sample_columns?(@team) + def check_view_permissions + render_403 unless can_read_team?(@team) + end + + def check_manage_permissions + render_403 unless can_manage_sample_types_and_groups?(@team) end def set_sample_type diff --git a/app/controllers/samples_controller.rb b/app/controllers/samples_controller.rb index 94684f2ff..459fbf445 100644 --- a/app/controllers/samples_controller.rb +++ b/app/controllers/samples_controller.rb 
@@ -7,8 +7,7 @@ class SamplesController < ApplicationController before_action :load_vars_nested, only: [:new, :create] before_action :check_create_permissions, only: %i(new create) - before_action :check_update_and_delete_permissions, - only: %i(edit update destroy) + before_action :check_manage_permissions, only: %i(edit update destroy) def new respond_to do |format| @@ -308,11 +307,11 @@ class SamplesController < ApplicationController end def check_create_permissions - render_403 unless can_manage_samples?(@team) + render_403 unless can_create_samples?(@team) end - def check_update_and_delete_permissions - render_403 unless can_update_or_delete_sample?(@sample) + def check_manage_permissions + render_403 unless can_manage_sample?(@sample) end def sample_params diff --git a/app/controllers/step_comments_controller.rb b/app/controllers/step_comments_controller.rb index 523c674db..259fbc88a 100644 --- a/app/controllers/step_comments_controller.rb +++ b/app/controllers/step_comments_controller.rb @@ -184,7 +184,7 @@ class StepCommentsController < ApplicationController end def check_add_permissions - render_403 unless can_create_comment_in_module?(@protocol.my_module) + render_403 unless can_create_comments_in_module?(@protocol.my_module) end def check_manage_permissions diff --git a/app/controllers/steps_controller.rb b/app/controllers/steps_controller.rb index 084506f99..500994b2c 100644 --- a/app/controllers/steps_controller.rb +++ b/app/controllers/steps_controller.rb @@ -396,7 +396,7 @@ class StepsController < ApplicationController if step protocol = step.protocol if can_manage_protocol_in_module?(protocol) || - can_update_protocol_in_repository?(protocol) + can_manage_protocol_in_repository?(protocol) if step.position > 0 step_down = step.protocol.steps.where(position: step.position - 1).first step.position -= 1 
@@ -443,7 +443,7 @@ class StepsController < ApplicationController if step protocol = step.protocol if can_manage_protocol_in_module?(protocol) || - can_update_protocol_in_repository?(protocol) + can_manage_protocol_in_repository?(protocol) if step.position < step.protocol.steps.count - 1 step_up = step.protocol.steps.where(position: step.position + 1).first step.position += 1 @@ -615,7 +615,7 @@ class StepsController < ApplicationController def check_manage_permissions render_403 unless can_manage_protocol_in_module?(@protocol) || - can_update_protocol_in_repository?(@protocol) + can_manage_protocol_in_repository?(@protocol) end def check_complete_and_checkbox_permissions diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb index a5194d8db..2cdab52e4 100644 --- a/app/controllers/tags_controller.rb +++ b/app/controllers/tags_controller.rb @@ -141,7 +141,7 @@ class TagsController < ApplicationController end def check_manage_permissions - render_403 unless can_create_or_manage_tags?(@project) + render_403 unless can_manage_tags?(@project) end def tag_params diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb index 14b7a7fce..a910df32a 100644 --- a/app/controllers/teams_controller.rb +++ b/app/controllers/teams_controller.rb @@ -1,7 +1,8 @@ class TeamsController < ApplicationController before_action :load_vars, only: [:parse_sheet, :import_samples, :export_samples] - before_action :check_create_sample_permissions, only: [:parse_sheet, :import_samples] + before_action :check_create_samples_permissions, only: %i(parse_sheet + import_samples) before_action :check_view_samples_permission, only: [:export_samples] def parse_sheet 
@@ -258,10 +259,8 @@ class TeamsController < ApplicationController params.permit(sample_ids: [], header_ids: []).to_h end - def check_create_sample_permissions - unless can_manage_samples?(@team) - render_403 - end + def check_create_samples_permissions + render_403 unless can_create_samples?(@team) end def check_view_samples_permission diff --git a/app/controllers/wopi_controller.rb b/app/controllers/wopi_controller.rb index a716628de..db188e112 100644 --- a/app/controllers/wopi_controller.rb +++ b/app/controllers/wopi_controller.rb @@ -294,7 +294,7 @@ class WopiController < ActionController::Base @breadcrumb_folder_name = @protocol.my_module.name else @can_read = can_read_protocol_in_repository?(@protocol) - @can_write = can_update_protocol_in_repository?(@protocol) + @can_write = can_manage_protocol_in_repository?(@protocol) @close_url = protocols_url(only_path: false, host: ENV['WOPI_USER_HOST']) diff --git a/app/datatables/protocols_datatable.rb b/app/datatables/protocols_datatable.rb index 21a3f213d..7770a7d5b 100644 --- a/app/datatables/protocols_datatable.rb +++ b/app/datatables/protocols_datatable.rb @@ -3,7 +3,7 @@ class ProtocolsDatatable < CustomDatatable include ActiveRecord::Sanitization::ClassMethods include InputSanitizeHelper - def_delegator :@view, :can_update_protocol_in_repository? + def_delegator :@view, :can_manage_protocol_in_repository? def_delegator :@view, :edit_protocol_path def_delegator :@view, :can_clone_protocol_in_repository? def_delegator :@view, :clone_protocol_path @@ -82,8 +82,8 @@ class ProtocolsDatatable < CustomDatatable protocol = Protocol.find(record.id) result_data << { 'DT_RowId': record.id, - 'DT_CanEdit': can_update_protocol_in_repository?(protocol), - 'DT_EditUrl': if can_update_protocol_in_repository?(protocol) + 'DT_CanEdit': can_manage_protocol_in_repository?(protocol), + 'DT_EditUrl': if can_manage_protocol_in_repository?(protocol) edit_protocol_path(protocol, team: @team, type: @type) 
diff --git a/app/helpers/results_helper.rb b/app/helpers/results_helper.rb index 94afa84c9..fdff9b034 100644 --- a/app/helpers/results_helper.rb +++ b/app/helpers/results_helper.rb @@ -24,7 +24,7 @@ module ResultsHelper end def can_archive_result(result) - can_delete_or_archive_result?(result.my_module) + can_manage_result?(result.my_module) end def result_unlocked?(result) diff --git a/app/helpers/samples_helper.rb b/app/helpers/samples_helper.rb index 9ecf6591f..cd20f22e7 100644 --- a/app/helpers/samples_helper.rb +++ b/app/helpers/samples_helper.rb @@ -1,8 +1,4 @@ module SamplesHelper - def can_add_sample_related_things_to_team - can_manage_sample_columns?(@team) - end - def all_custom_fields CustomField.where(team_id: @team).order(:created_at) end diff --git a/app/permissions/experiment.rb b/app/permissions/experiment.rb index d7befaf91..3dc2db488 100644 --- a/app/permissions/experiment.rb +++ b/app/permissions/experiment.rb @@ -7,8 +7,8 @@ Canaid::Permissions.register_for(Experiment) do can_read_project?(user, experiment.project) end - # experiment: create, update, delete - # canvas: edit + # experiment: create/update/delete + # canvas: update # module: create, clone, reposition, create/update/delete connection, # assign/reassign/unassign tags can :manage_experiment do |user, experiment| @@ -50,7 +50,7 @@ Canaid::Permissions.register_for(Experiment) do end Canaid::Permissions.register_for(MyModule) do - # module: edit, archive, move + # module: update, archive, move # result: create, update can :manage_module do |user, my_module| can_manage_experiment?(user, my_module.experiment) 
@@ -67,13 +67,13 @@ Canaid::Permissions.register_for(MyModule) do end # result: delete, archive - can :delete_or_archive_result do |user, my_module| + can :manage_result do |user, my_module| user.is_owner_of_project?(my_module.experiment.project) end # module: assign/unassign sample, assign/unassign repository record # NOTE: Use 'module_page? &&' before calling this permission! - can :assign_repository_records_to_module do |user, my_module| + can :assign_repository_rows_to_module do |user, my_module| user.is_technician_or_higher_of_project?(my_module.experiment.project) end @@ -85,17 +85,17 @@ Canaid::Permissions.register_for(MyModule) do # module: create comment # result: create comment # step: create comment - can :create_comment_in_module do |user, my_module| - can_create_comment_in_project?(user, my_module.experiment.project) + can :create_comments_in_module do |user, my_module| + can_create_comments_in_project?(user, my_module.experiment.project) end # Module, its experiment and its project must be active for all the specified # permissions %i(manage_module manage_users_in_module - delete_or_archive_result + manage_result assign_sample_to_module complete_module - create_comment_in_module).each do |perm| + create_comments_in_module).each do |perm| can perm do |_, my_module| my_module.active? && my_module.experiment.active? && @@ -106,7 +106,7 @@ end Canaid::Permissions.register_for(Protocol) do # protocol in module: read - # step: read, read comments, read assets, download assets + # step in module: read, read comments, read/download assets can :read_protocol_in_module do |user, protocol| if protocol.in_module? can_read_experiment?(user, protocol.my_module.experiment) 
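Review bot: The renamed `assign_repository_rows_to_module` permission is still missing from the list that additionally requires `my_module.active? && my_module.experiment.active? && ...` (`manage_module manage_users_in_module manage_result assign_sample_to_module complete_module create_comments_in_module`), although its sibling `assign_sample_to_module` is in it. If assigning repository rows to an archived module is intended, state that in the comment above the permission; otherwise add `assign_repository_rows_to_module` to that list. This predates the patch, but the rename touches both hunks, so it is the natural moment to settle it.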
@@ -117,7 +117,7 @@ Canaid::Permissions.register_for(Protocol) do # protocol in module: create/update/delete, unlink, revert, update from # protocol in repository, update from file - # step: create/update/delete, reorder + # step in module: create/update/delete, reorder can :manage_protocol_in_module do |user, protocol| if protocol.in_module? can_manage_module?(user, protocol.my_module) diff --git a/app/permissions/organization.rb b/app/permissions/organization.rb index 0e4bb910a..062aca751 100644 --- a/app/permissions/organization.rb +++ b/app/permissions/organization.rb @@ -1,5 +1,6 @@ Canaid::Permissions.register_generic do - can :create_teams do |user| + # organization: create team + can :create_teams do |_| true end end diff --git a/app/permissions/project.rb b/app/permissions/project.rb index 77da1edb4..b61558372 100644 --- a/app/permissions/project.rb +++ b/app/permissions/project.rb @@ -9,7 +9,7 @@ Canaid::Permissions.register_for(Project) do (project.visible? && user.is_member_of_team?(project.team)) end - # project: update/delete/archive, assign/reassign/unassign users + # project: update/delete, archive, assign/reassign/unassign users can :manage_project do |user, project| user.is_owner_of_project?(project) end 
@@ -25,23 +25,23 @@ Canaid::Permissions.register_for(Project) do end # experiment: create - can :create_experiment do |user, project| + can :create_experiments do |user, project| user.is_user_or_higher_of_project?(project) end # project: create comment - can :create_comment_in_project do |user, project| + can :create_comments_in_project do |user, project| user.is_technician_or_higher_of_project?(project) end # project: create/update/delete tag # module: assign/reassign/unassign tag - can :create_or_manage_tags do |user, project| + can :manage_tags do |user, project| user.is_user_or_higher_of_project?(project) end - # reports: create/delete - can :create_or_manage_reports do |user, project| + # reports: create, delete + can :manage_reports do |user, project| user.is_technician_or_higher_of_project?(project) end @@ -49,10 +49,10 @@ Canaid::Permissions.register_for(Project) do %i(read_project manage_project archive_project - create_experiment - create_comment_in_project - create_or_manage_tags - create_or_manage_reports) + create_experiments + create_comments_in_project + manage_tags + manage_reports) .each do |perm| can perm do |_, project| project.active? diff --git a/app/permissions/team.rb b/app/permissions/team.rb index 669181027..22461e1b4 100644 --- a/app/permissions/team.rb +++ b/app/permissions/team.rb 
@@ -1,82 +1,81 @@
 Canaid::Permissions.register_for(Team) do
-  # view projects, view protocols
-  # leave team, view team users (ATWHO)
-  # view samples, export samples
-  # view repositories, view repository, export repository rows
+  # team: leave, read users, read projects, read/export samples,
+  # read protocols, read/export repositories
+  #
   can :read_team do |user, team|
     user.is_member_of_team?(team)
   end
 
-  # edit team name, edit team description
+  # team: update
   can :update_team do |user, team|
     user.is_admin_of_team?(team)
   end
 
-  # invite user to team, change user's role, remove user from team
+  # team: assign/unassing user, change user role
   can :manage_team_users do |user, team|
     user.is_admin_of_team?(team)
   end
 
-  # create project
+  # project: create
   can :create_projects do |user, team|
     user.is_normal_user_or_admin_of_team?(team)
   end
 
-  # create protocol in repository, import protocol to repository
+  # protocol in repository: create, import
   can :create_protocols_in_repository do |user, team|
     user.is_normal_user_or_admin_of_team?(team)
   end
 
-  # create, import, edit, delete samples
-  can :manage_samples do |user, team|
+  # sample: create, import
+  can :create_samples do |user, team|
     user.is_normal_user_or_admin_of_team?(team)
   end
 
-  # create custom field
-  # create, update, delete sample type or sample group
-  can :manage_sample_columns do |user, team|
+  # sample: create field
+  can :create_sample_columns do |user, team|
     user.is_normal_user_or_admin_of_team?(team)
   end
 
-  # create, copy repository
+  # create/update/delete sample type/group
+  can :manage_sample_types_and_groups do |user, team|
+    user.is_normal_user_or_admin_of_team?(team)
+  end
+
+  # repository: create, clone
   can :create_repositories do |user, team|
-    user.is_admin_of_team?(team)
+    user.is_admin_of_team?(team) &&
+      team.repositories.count < Constants::REPOSITORIES_LIMIT
   end
 
-  # create, import, edit, delete repository records
-  can :manage_repository_rows do |user, team|
+  # repository: create/import record
+  can :create_repository_rows do |user, team|
     user.is_normal_user_or_admin_of_team?(team)
   end
 
-  # create repository column
+  # repository: create field
   can :create_repository_columns do |user, team|
     user.is_normal_user_or_admin_of_team?(team)
   end
 end
 
 Canaid::Permissions.register_for(Protocol) do
-  # view protocol in repository, export protocol from repository
-  # view step in protocol in repository, view or dowload step asset
+  # protocol in repository: read, export, read step, read/download step asset
   can :read_protocol_in_repository do |user, protocol|
     user.is_member_of_team?(protocol.team) &&
       (protocol.in_repository_public? ||
        protocol.in_repository_private? && user == protocol.added_by)
   end
 
-  # edit protocol in repository,
-  # create, edit, delete or reorder step in repository
-  can :update_protocol_in_repository do |user, protocol|
+  # protocol in repository: update, create/update/delete/reorder step,
+  #                         toggle visibility (public, private, archive,
+  #                         restore)
+  can :manage_protocol_in_repository do |user, protocol|
     protocol.in_repository_active? &&
-      can_update_protocol_type_in_repository?(user, protocol)
-  end
-
-  # toggle protocol visibility (public, private, archive, restore)
-  can :update_protocol_type_in_repository do |user, protocol|
-    user.is_normal_user_or_admin_of_team?(protocol.team) &&
+      user.is_normal_user_or_admin_of_team?(protocol.team) &&
       user == protocol.added_by
   end
 
-  # clone protocol in repository
+  # protocol in repository: clone
   can :clone_protocol_in_repository do |user, protocol|
     can_create_protocols_in_repository?(user, protocol.team) &&
       can_read_protocol_in_repository?(user, protocol)
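Review bot: Folding `team.repositories.count < Constants::REPOSITORIES_LIMIT` into `create_repositories` changes every permission that delegates to `can_create_repositories?`, and the `manage_repository` check in the next hunk does exactly that, so once a team reaches the limit its admins can no longer update or delete any repository — including deleting one to get back under the limit. Keep `create_repositories` as the pure role check (`user.is_admin_of_team?(team)`) and apply the count guard only where a new repository is actually created or cloned, or have `manage_repository` call `user.is_admin_of_team?(repository.team)` directly. The `count` also issues a query on every evaluation of this permission, which may matter if a view evaluates it per row. Minor: the empty `#` line added after the `read_team` comment looks accidental, and `unassing` in the `manage_team_users` comment should read `unassign`.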
@@ -84,37 +83,38 @@ Canaid::Permissions.register_for(Protocol) do
 end
 
 Canaid::Permissions.register_for(Sample) do
-  # edit, delete specific sample
-  can :update_or_delete_sample do |user, sample|
-    can_manage_samples?(user, sample.team)
+  # sample: update, delete
+  can :manage_sample do |user, sample|
+    can_create_samples?(user, sample.team)
   end
 end
 
 Canaid::Permissions.register_for(CustomField) do
-  # update, delete custom field
-  can :update_or_delete_custom_field do |user, custom_field|
-    can_manage_sample_columns?(user, custom_field.team)
+  # sample: update/delete field
+  can :manage_sample_column do |user, custom_field|
+    custom_field.sample_custom_fields.all? do |sample_custom_field|
+      can_create_sample_columns?(user, sample_custom_field.sample)
+    end
   end
 end
 
 Canaid::Permissions.register_for(Repository) do
-  # edit, destroy repository
-  can :update_or_delete_repository do |user, repository|
+  # repository: update, delete
+  can :manage_repository do |user, repository|
     can_create_repositories?(user, repository.team)
   end
 end
 
 Canaid::Permissions.register_for(RepositoryRow) do
-  # update, delete specific repository record
-  can :update_or_delete_repository_row do |user, repository_row|
-    can_manage_repository_rows?(user, repository_row.repository.team)
+  # repository: update/delete record
+  can :manage_repository_row do |user, repository_row|
+    can_create_repository_rows?(user, repository_row.repository.team)
   end
 end
 
 Canaid::Permissions.register_for(RepositoryColumn) do
-  # update, delete repository column
-  can :update_or_delete_repository_column do |user, repository_column|
+  # repository: update/delete field
+  can :manage_repository_column do |user, repository_column|
     can_create_repository_columns?(user, repository_column.repository.team)
   end
 end
-
diff --git a/app/views/experiments/canvas.html.erb b/app/views/experiments/canvas.html.erb
index 6921526e3..d3fec473c 100644
--- a/app/views/experiments/canvas.html.erb
+++ b/app/views/experiments/canvas.html.erb
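Review bot: `manage_sample_column` now rests on `custom_field.sample_custom_fields.all?`, and `all?` over an empty relation is true, so a custom field that has no sample values yet becomes manageable by any user regardless of team membership or role — a wider grant than the removed `can_manage_sample_columns?(user, custom_field.team)`. The block also hands `sample_custom_field.sample` to `can_create_sample_columns?`, which the previous hunk registers for Team with a `|user, team|` block, so unless Canaid coerces the argument the role check runs against a Sample rather than the owning team. Keeping the check on the team, `can_create_sample_columns?(user, custom_field.team)`, restores the previous scope; if a per-sample condition is really wanted it should be an additional `&&` term on top of the team check, not a replacement for it, and note it costs one query per sample on every evaluation.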
@@ -41,7 +41,7 @@
-  <% if can_create_experiment?(@project) %>
+  <% if can_create_experiments?(@project) %>
     <%= link_to new_project_experiment_url(@project),
       remote: true,
       type: "button",
diff --git a/app/views/my_module_comments/_index.html.erb b/app/views/my_module_comments/_index.html.erb
index 5b736a1b2..ed9d2a4ff 100644
--- a/app/views/my_module_comments/_index.html.erb
+++ b/app/views/my_module_comments/_index.html.erb
@@ -14,7 +14,7 @@
   <%= render 'my_module_comments/list.html.erb', comments: @comments %>
 <% end %>
-<% if can_create_comment_in_module?(@my_module) %>
+<% if can_create_comments_in_module?(@my_module) %>