diff --git a/app/models/team.rb b/app/models/team.rb
index da0722b96..ded06872c 100644
--- a/app/models/team.rb
+++ b/app/models/team.rb
@@ -35,6 +35,13 @@ class Team < ApplicationRecord
 has_many :projects, inverse_of: :team
 has_many :project_folders, inverse_of: :team, dependent: :destroy
 has_many :protocols, inverse_of: :team, dependent: :destroy
+ has_many :repository_protocols,
+ (lambda do
+ where(protocol_type: [Protocol.protocol_types[:in_repository_public],
+ Protocol.protocol_types[:in_repository_private],
+ Protocol.protocol_types[:in_repository_archived]])
+ end),
+ class_name: 'Protocol'
 has_many :protocol_keywords, inverse_of: :team, dependent: :destroy
 has_many :tiny_mce_assets, inverse_of: :team, dependent: :destroy
 has_many :repositories, dependent: :destroy
diff --git a/config/initializers/extends/permission_extends.rb b/config/initializers/extends/permission_extends.rb
index da7d1c991..71d1eb416 100644
--- a/config/initializers/extends/permission_extends.rb
+++ b/config/initializers/extends/permission_extends.rb
@@ -4,8 +4,9 @@ module PermissionExtends
 module TeamPermissions
 %w(
 READ
- USERS_INVITE
+ MANAGE
 USERS_MANAGE
+ PROJECTS_CREATE
 INVENTORIES_CREATE
 PROTOCOLS_CREATE
 ).each { |permission| const_set(permission, "team_#{permission.underscore}") }
@@ -92,20 +93,17 @@ module PermissionExtends
 module RepositoryPermissions
 %w(
 READ
+ READ_ARCHIVED
 MANAGE
- ARCHIVE
 RESTORE
 DELETE
 SHARE
- CREATE_SNAPSHOT
- DELETE_SNAPSHOT
- CREATE_ROW
- UPDATE_ROW
- ARCHIVE_ROW
- DELETE_ROW
- CREATE_COLUMN
- UPDATE_COLUMN
- DELETE_COLUMN
+ ROWS_CREATE
+ ROWS_UPDATE
+ ROWS_DELETE
+ COLUMNS_CREATE
+ COLUMNS_UPDATE
+ COLUMNS_DELETE
 USERS_MANAGE
 ).each { |permission| const_set(permission, "inventory_#{permission.underscore}") }
 end
@@ -121,6 +119,7 @@ module PermissionExtends
 )
 
 NORMAL_USER_PERMISSIONS = [
+ TeamPermissions::PROJECTS_CREATE,
 TeamPermissions::PROTOCOLS_CREATE,
 ProtocolPermissions::READ,
 ProtocolPermissions::MANAGE,
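Review bot: The new `repository_protocols` association omits the `inverse_of: :team` that every sibling `has_many` on this model carries, so protocols loaded through it will not have `team` pre-set and the declaration reads differently from its neighbours. The missing `dependent` option is fine because `protocols` already declares `dependent: :destroy` over the same rows, but the inverse should be added for consistency: `class_name: 'Protocol', inverse_of: :team`. The integer lookup through `Protocol.protocol_types[...]` can also be written against the enum names, `where(protocol_type: %i(in_repository_public in_repository_private in_repository_archived))`, which ActiveRecord resolves to the same stored values for an enum attribute.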
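Review bot: Renaming `USERS_INVITE` to `MANAGE` here, and the `*_ROW`/`*_COLUMN` to `ROWS_*`/`COLUMNS_*` renames in the `RepositoryPermissions` hunk below, change the strings these constants interpolate to (`team_users_invite` becomes `team_manage`, `inventory_create_row` becomes `inventory_rows_create`, and so on), and those strings are what the migration unions into `UserRole#permissions`. The accompanying migration only adds the new constants to the owner, normal-user and viewer roles; any role row still holding the old strings (custom roles, if the application has them) will fail checks for the renamed permissions, and the stale strings are never removed from any role. The data migration should also map old names to new ones across all `UserRole` rows and drop the retired ones, or the removed constants should stay temporarily with a comment such as `# removed: USERS_INVITE, ARCHIVE, *_ROW, *_COLUMN — stored values are rewritten by 20220516111152`.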
@@ -167,11 +166,11 @@ module PermissionExtends
 MyModulePermissions::USERS_READ,
 MyModulePermissions::STOCK_CONSUMPTION_UPDATE,
 RepositoryPermissions::READ,
- RepositoryPermissions::CREATE_COLUMN,
- RepositoryPermissions::CREATE_ROW,
- RepositoryPermissions::UPDATE_ROW,
- RepositoryPermissions::ARCHIVE_ROW,
- RepositoryPermissions::DELETE_ROW
+ RepositoryPermissions::READ_ARCHIVED,
+ RepositoryPermissions::COLUMNS_CREATE,
+ RepositoryPermissions::ROWS_CREATE,
+ RepositoryPermissions::ROWS_UPDATE,
+ RepositoryPermissions::ROWS_DELETE
 ]
 
 TECHNICIAN_PERMISSIONS = [
diff --git a/db/migrate/20220516111152_add_team_level_permissions.rb b/db/migrate/20220516111152_add_team_level_permissions.rb
new file mode 100644
index 000000000..591404838
--- /dev/null
+++ b/db/migrate/20220516111152_add_team_level_permissions.rb
@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+class AddTeamLevelPermissions < ActiveRecord::Migration[6.1]
+ OWNER_PERMISSIONS = [
+ TeamPermissions::READ,
+ TeamPermissions::MANAGE,
+ TeamPermissions::USERS_MANAGE,
+ TeamPermissions::PROJECTS_CREATE,
+ TeamPermissions::INVENTORIES_CREATE,
+ TeamPermissions::PROTOCOLS_CREATE,
+ ProtocolPermissions::READ,
+ ProtocolPermissions::MANAGE,
+ ProtocolPermissions::USERS_MANAGE,
+ RepositoryPermissions::READ,
+ RepositoryPermissions::READ_ARCHIVED,
+ RepositoryPermissions::MANAGE,
+ RepositoryPermissions::DELETE,
+ RepositoryPermissions::SHARE,
+ RepositoryPermissions::ROWS_CREATE,
+ RepositoryPermissions::ROWS_UPDATE,
+ RepositoryPermissions::ROWS_DELETE,
+ RepositoryPermissions::COLUMNS_CREATE,
+ RepositoryPermissions::COLUMNS_UPDATE,
+ RepositoryPermissions::COLUMNS_DELETE,
+ RepositoryPermissions::USERS_MANAGE
+ ].freeze
+
+ NORMAL_USER_PERMISSIONS = [
+ TeamPermissions::PROJECTS_CREATE,
+ TeamPermissions::PROTOCOLS_CREATE,
+ ProtocolPermissions::READ,
+ ProtocolPermissions::MANAGE,
+ RepositoryPermissions::READ,
+ RepositoryPermissions::COLUMNS_CREATE,
+ RepositoryPermissions::ROWS_CREATE,
+ RepositoryPermissions::ROWS_UPDATE,
+ RepositoryPermissions::ROWS_DELETE
+ ].freeze
+
+ VIEWER_PERMISSIONS = [ProtocolPermissions::READ].freeze
+
+ def change
+ reversible do |dir|
+ dir.up do
+ @owner_role = UserRole.find_by(name: UserRole.public_send('owner_role').name)
+ @normal_user_role = UserRole.find_by(name: UserRole.public_send('normal_user_role').name)
+ @viewer_role = UserRole.find_by(name: UserRole.public_send('viewer_role').name)
+
+ @owner_role.permissions = @owner_role.permissions | OWNER_PERMISSIONS
+ @owner_role.save(validate: false)
+ @normal_user_role.permissions = @normal_user_role.permissions | NORMAL_USER_PERMISSIONS
+ @normal_user_role.save(validate: false)
+ @viewer_role.permissions = @viewer_role.permissions | VIEWER_PERMISSIONS
+ @viewer_role.save(validate: false)
+
create_user_assignments(UserTeam.admin, @owner_role)
+ create_user_assignments(UserTeam.normal_user, @normal_user_role)
+ create_user_assignments(UserTeam.guest, @viewer_role)
+ end
+
+ dir.down do
+ @owner_role = UserRole.find_by(name: UserRole.public_send('owner_role').name)
+ @normal_user_role = UserRole.find_by(name: UserRole.public_send('normal_user_role').name)
+ @viewer_role = UserRole.find_by(name: UserRole.public_send('viewer_role').name)
+
+ @owner_role.permissions = @owner_role.permissions - OWNER_PERMISSIONS
+ @owner_role.save(validate: false)
+ @normal_user_role.permissions = @normal_user_role.permissions - NORMAL_USER_PERMISSIONS
+ @normal_user_role.save(validate: false)
+ @viewer_role.permissions = @viewer_role.permissions - VIEWER_PERMISSIONS
+ @viewer_role.save(validate: false)
+
+ UserAssignment.where(assignable_type: %w(Team Protocol Repository)).delete_all
+ end
+ end
+ end
+
+ private
+
+ def new_user_assignment(user, assignable, user_role, assigned)
+ UserAssignment.new(
+ user: user,
+ assignable: assignable,
+ assigned: assigned,
+ user_role: user_role
+ )
+ end
+
+ def create_user_assignments(user_teams, user_role)
+ user_teams.includes(:user, team: %i(repositories repository_protocols))
+ .find_in_batches(batch_size: 100) do |user_team_batch|
+ user_assignments = []
+ user_team_batch.each do |user_team|
+ user_assignments << new_user_assignment(user_team.user, user_team.team, user_role, :manually)
+ user_team.team.repositories.each do |repository|
+ user_assignments << new_user_assignment(user_team.user, repository, user_role, :automatically)
+ end
+ user_team.team.repository_protocols.each do |protocol|
+ if protocol.in_repository_private? && user_team.user_id == protocol.added_by_id
+ user_assignments << new_user_assignment(user_team.user, protocol, @owner_role, :automatically)
+ elsif protocol.in_repository_archived?
+ if user_team.user_id == protocol.added_by_id
+ user_assignments << new_user_assignment(user_team.user, protocol, @owner_role, :automatically)
+ elsif protocol.published_on.present?
+ user_assignments << new_user_assignment(user_team.user, protocol, @viewer_role, :automatically)
+ end
+ elsif protocol.in_repository_public?
+ user_assignments << new_user_assignment(user_team.user, protocol, @viewer_role, :automatically)
+ end
+ end
+ end
+ UserAssignment.import(user_assignments)
+ end
+ end
+end
diff --git a/db/structure.sql b/db/structure.sql
index 34429dbac..5173c750c 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -8370,4 +8370,7 @@ INSERT INTO "schema_migrations" (version) VALUES
('20220310105144'),
('20220321122111'),
('20220325101011'),
-('20220328164215');
+('20220328164215'),
+('20220516111152');
+
+
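Review bot: `dir.down` deletes every `UserAssignment` whose `assignable_type` is Team, Protocol or Repository, not only the rows this migration imported, so rolling back after users have made further assignments destroys that authorization data; the same block subtracts the new permission strings but does not restore the ones the constant renames retired, so a down/up cycle does not round-trip. Consider scoping the delete to what `create_user_assignments` produced (for instance the roles and `assigned` values it alone writes) and stating the limitation in a comment above the `dir.down` block: `# NOTE: not a faithful rollback — removes all team/protocol/repository assignments`. The three `UserRole.find_by(...)` lookups return nil when a predefined role is missing and then fail with `NoMethodError` on `.permissions=`; `find_by!` gives a clear error, and `UserRole.owner_role` can be called directly instead of `public_send('owner_role')`. Also, `@owner_role` and `@viewer_role` are read inside the private `create_user_assignments` helper but are only set in `dir.up`, which works here but ties the helper to the caller's instance state and is worth a one-line comment on the method.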