From 5c790287ec8bc887a734238e3fe397a5ff71b110 Mon Sep 17 00:00:00 2001 From: mlorb Date: Wed, 13 Dec 2017 14:36:46 +0100 Subject: [PATCH] refactor again manage user team permissions --- .../client_api/users/invitations_controller.rb | 2 +- .../client_api/users/user_teams_controller.rb | 15 ++++++++++++--- app/permissions/team.rb | 13 +++---------- app/services/client_api/user_team_service.rb | 1 - 4 files changed, 16 insertions(+), 15 deletions(-) diff --git a/app/controllers/client_api/users/invitations_controller.rb b/app/controllers/client_api/users/invitations_controller.rb index 44bf4c93a..f970c930e 100644 --- a/app/controllers/client_api/users/invitations_controller.rb +++ b/app/controllers/client_api/users/invitations_controller.rb @@ -33,7 +33,7 @@ module ClientApi def check_invite_users_permission @team = Team.find_by_id(params[:team_id]) - if @team && !can_create_user_team?(@team) + if @team && !can_manage_user_team?(@team) respond_422(t('client_api.invite_users.permission_error')) end end diff --git a/app/controllers/client_api/users/user_teams_controller.rb b/app/controllers/client_api/users/user_teams_controller.rb index 64e23076d..5ed92551d 100644 --- a/app/controllers/client_api/users/user_teams_controller.rb +++ b/app/controllers/client_api/users/user_teams_controller.rb @@ -3,7 +3,9 @@ module ClientApi class UserTeamsController < ApplicationController include ClientApi::Users::UserTeamsHelper - before_action :check_manage_user_team_permission + before_action :check_leave_team_permission, only: :leave_team + before_action :check_manage_user_team_permission, + only: %i(update_role remove_user) def leave_team ut_service = ClientApi::UserTeamService.new( @@ -46,9 +48,16 @@ module ClientApi private + def check_leave_team_permission + user_team = UserTeam.find_by_id(params[:user_team]) + unless current_user == user_team.user || can_read_team?(user_team.team) + respond_422(t('client_api.permission_error')) + end + end + def check_manage_user_team_permission - @user_team = UserTeam.find_by_id(params[:user_team]) - unless can_update_or_delete_user_team?(@user_team) + user_team = UserTeam.find_by_id(params[:user_team]) + unless can_manage_user_team?(user_team.team) respond_422(t('client_api.user_teams.permission_error')) end end diff --git a/app/permissions/team.rb b/app/permissions/team.rb index 5543bee97..ae7055c84 100644 --- a/app/permissions/team.rb +++ b/app/permissions/team.rb @@ -1,5 +1,5 @@ Canaid::Permissions.register_for(Team) do - # view projects, view protocols + # view projects, view protocols, leave team # view samples, export samples # view repositories, view repository, export repository rows can :read_team do |user, team| @@ -11,8 +11,8 @@ Canaid::Permissions.register_for(Team) do user.is_admin_of_team?(team) end - # invite user to team - can :create_user_team do |user, team| + # invite user to team, change user's role, remove user from team + can :manage_user_team do |user, team| user.is_admin_of_team?(team) end @@ -52,13 +52,6 @@ Canaid::Permissions.register_for(Team) do end end -Canaid::Permissions.register_for(UserTeam) do - # change user's role, remove user from team, leave team - can :update_or_delete_user_team do |user, user_team| - user == user_team.user || user.is_admin_of_team?(user_team.team) - end -end - Canaid::Permissions.register_for(Protocol) do # view protocol in repository, export protocol from repository # view step in protocol in repository, view or dowload step asset diff --git a/app/services/client_api/user_team_service.rb b/app/services/client_api/user_team_service.rb index 6cd5685a7..5409ac4ee 100644 --- a/app/services/client_api/user_team_service.rb +++ b/app/services/client_api/user_team_service.rb @@ -24,7 +24,6 @@ module ClientApi end def update_role! - raise ClientApi::CustomUserTeamError if user_cant_leave? unless @role raise ClientApi::CustomUserTeamError, I18n.t('client_api.generic_error_message')