Remove task manage permission [SCI-8528] (#5672)

2025-09-08 06:04:35 +08:00 · 2023-07-11 09:29:17 +02:00 · 2023-07-11 09:29:17 +02:00 · 632716e2cd
commit 632716e2cd
parent 40dc7f988d
7 changed files with 41 additions and 9 deletions
--- a/app/controllers/api/v1/tasks_controller.rb
+++ b/app/controllers/api/v1/tasks_controller.rb
@ -33,7 +33,7 @@ module Api
      end

      def create
-        raise PermissionError.new(MyModule, :create) unless can_manage_experiment_tasks?(@experiment)
+        raise PermissionError.new(MyModule, :create) unless can_create_experiment_tasks?(@experiment)

        my_module = @experiment.my_modules.create!(task_params_create.merge(created_by: current_user))

--- a/app/controllers/my_modules_controller.rb
+++ b/app/controllers/my_modules_controller.rb
@ -498,7 +498,7 @@ class MyModulesController < ApplicationController
  end

  def check_create_permissions
-    render_403 && return unless can_manage_experiment?(@experiment)
+    render_403 && return unless can_create_experiment_tasks?(@experiment)
  end

  def check_manage_permissions
--- a/app/permissions/experiment.rb
+++ b/app/permissions/experiment.rb
@ -1,7 +1,7 @@
 Canaid::Permissions.register_for(Experiment) do
  # Experiment and its project must be active for all the specified permissions
  %i(manage_experiment
-     manage_experiment_tasks
+     create_experiment_tasks
     manage_experiment_users
     archive_experiment
     clone_experiment)
@ -57,8 +57,8 @@ Canaid::Permissions.register_for(Experiment) do
    experiment.permission_granted?(user, ExperimentPermissions::USERS_MANAGE)
  end

-  can :manage_experiment_tasks do |user, experiment|
-    experiment.permission_granted?(user, ExperimentPermissions::TASKS_MANAGE)
+  can :create_experiment_tasks do |user, experiment|
+    experiment.permission_granted?(user, ExperimentPermissions::TASKS_CREATE)
  end

  can :manage_all_experiment_my_modules do |user, experiment|
--- a/app/services/create_my_module_service.rb
+++ b/app/services/create_my_module_service.rb
@ -18,7 +18,7 @@ class CreateMyModuleService
      end

      raise ActiveRecord::Rollback unless @params[:experiment]&.valid? &&
-                                          can_manage_experiment_tasks?(@user, @params[:experiment])
+                                          can_create_experiment_tasks?(@user, @params[:experiment])

      @my_module_params[:x] ||= 0
      @my_module_params[:y] ||= 0
--- a/config/initializers/extends/permission_extends.rb
+++ b/config/initializers/extends/permission_extends.rb
@ -55,7 +55,7 @@ module PermissionExtends
      READ
      READ_ARCHIVED
      MANAGE
-      TASKS_MANAGE
+      TASKS_CREATE
      USERS_READ
      USERS_MANAGE
      READ_CANVAS
@ -155,7 +155,7 @@ module PermissionExtends
      ExperimentPermissions::READ,
      ExperimentPermissions::READ_CANVAS,
      ExperimentPermissions::MANAGE,
-      ExperimentPermissions::TASKS_MANAGE,
+      ExperimentPermissions::TASKS_CREATE,
      ExperimentPermissions::USERS_READ,
      MyModulePermissions::READ,
      MyModulePermissions::READ_ARCHIVED,
--- a/db/migrate/20230620130730_remove_experiment_task_manage_permissions.rb
+++ b/db/migrate/20230620130730_remove_experiment_task_manage_permissions.rb
@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+class RemoveExperimentTaskManagePermissions < ActiveRecord::Migration[6.1]
+  TASKS_MANAGE_PERMISSION = %w(experiment_tasks_manage).freeze
+  TASKS_CREATE_PERMISSION = %w(experiment_tasks_create).freeze
+
+  def change
+    reversible do |dir|
+      dir.up do
+        owner_role = UserRole.find_predefined_owner_role
+        normal_user_role = UserRole.find_predefined_normal_user_role
+
+        owner_role.permissions = (owner_role.permissions - TASKS_MANAGE_PERMISSION) | TASKS_CREATE_PERMISSION
+        owner_role.save(validate: false)
+        normal_user_role.permissions = (normal_user_role.permissions - TASKS_MANAGE_PERMISSION) |
+                                       TASKS_CREATE_PERMISSION
+        normal_user_role.save(validate: false)
+      end
+
+      dir.down do
+        owner_role = UserRole.find_predefined_owner_role
+        normal_user_role = UserRole.find_predefined_normal_user_role
+
+        owner_role.permissions = (owner_role.permissions | TASKS_MANAGE_PERMISSION) - TASKS_CREATE_PERMISSION
+        owner_role.save(validate: false)
+        normal_user_role.permissions = (normal_user_role.permissions | TASKS_MANAGE_PERMISSION) -
+                                       TASKS_CREATE_PERMISSION
+        normal_user_role.save(validate: false)
+      end
+    end
+  end
+end
--- a/spec/permissions/controllers/api/v1/tasks_controller_spec.rb
+++ b/spec/permissions/controllers/api/v1/tasks_controller_spec.rb
@ -72,7 +72,7 @@ describe Api::V1::TasksController, type: :controller do

    it_behaves_like "a controller action with permissions checking", :post, :create do
      let(:testable) { experiment }
-      let(:permissions) { [ExperimentPermissions::TASKS_MANAGE] }
+      let(:permissions) { [ExperimentPermissions::TASKS_CREATE] }
      let(:action_params) {
        {
          team_id: team.id,