From 5c9a4534394143e44857296b0db59a993a70750e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Matej=20Zrim=C5=A1ek?=
Date: Wed, 31 May 2017 20:56:05 +0200
Subject: [PATCH] Added permissions for deleting and renaming of repositories. [SCI-1269]
---
 app/controllers/repositories_controller.rb | 6 +++
 app/helpers/permission_helper.rb | 4 ++
 app/views/repositories/index.html.erb | 53 ++++++++++++----------
 3 files changed, 38 insertions(+), 25 deletions(-)
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 281c9b9e1..84aa3d9c1 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -1,6 +1,8 @@
 class RepositoriesController < ApplicationController
 before_action :load_vars
 before_action :check_view_all_permissions, only: :index
+ before_action :check_edit_permissions, only: %(destroy destroy_modal
+ rename_modal update)
 
 def index
 render('repositories/index')
@@ -69,6 +71,10 @@ class RepositoriesController < ApplicationController
 render_403 unless can_view_team_repositories(@team)
 end
 
+ def check_edit_permissions
+ render_403 unless can_edit_repository(@repository)
+ end
+
 def repository_params
 params.require(:repository).permit(:name)
 end
diff --git a/app/helpers/permission_helper.rb b/app/helpers/permission_helper.rb
index 929dd1908..c9a158123 100644
--- a/app/helpers/permission_helper.rb
+++ b/app/helpers/permission_helper.rb
@@ -1060,4 +1060,8 @@ module PermissionHelper
 def can_view_repository(repository)
 is_normal_user_or_admin_of_team(repository.team)
 end
+
+ def can_edit_repository(repository)
+ is_admin_of_team(repository.team)
+ end
 end
diff --git a/app/views/repositories/index.html.erb b/app/views/repositories/index.html.erb
index ae6c6b601..e82b3f870 100644
--- a/app/views/repositories/index.html.erb
+++ b/app/views/repositories/index.html.erb
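Review bot: The `only:` value on the added `before_action :check_edit_permissions` uses `%( … )`, which in Ruby is a plain string literal rather than a word array. Rails is therefore given one action name, the whole string "destroy destroy_modal … rename_modal update" including the embedded line break, and that never equals `destroy`, `destroy_modal`, `rename_modal` or `update`. As written, the 403 check does not run for any of those actions, so the only restriction on non-admin team members is the disabled and hidden controls in `index.html.erb`. Change the option to `only: %w(destroy destroy_modal rename_modal update)`. A controller test asserting that a non-admin request to `destroy` and `update` is answered with 403 would catch a regression here.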
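Review bot: `check_edit_permissions` hands `@repository` to `can_edit_repository` without checking that it was loaded, and the helper dereferences it at once with `repository.team`. How `load_vars` sets `@repository` is outside this hunk; if it can leave it nil for an unknown id, this filter would raise NoMethodError instead of answering 403 or 404. In that case guard it with `render_403 unless @repository && can_edit_repository(@repository)`. The filter also depends on being declared after `load_vars`, which deserves a one-line comment such as `# must run after load_vars, which sets @repository`. The class body continues outside the hunk.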
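Review bot: `can_edit_repository` carries no comment saying which operations it gates, while the commit title speaks of deleting and renaming and the controller applies it to `destroy`, `destroy_modal`, `rename_modal` and `update`. Next to `can_view_repository`, which admits normal users as well, the difference in required role is easy to miss when a new action is added. I would add a comment above the method, for example `# Rename and delete: limited to admins of the repository's team.`. The module body starts outside the hunk.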
@@ -29,34 +29,37 @@ type="button" data-toggle="dropdown" aria-haspopup="true" - aria-expanded="true"> + aria-expanded="true" + <%= "disabled='disabled'" if !can_edit_repository repo %>> - + <% if can_edit_repository repo %> + + <% end %>