Merge pull request #2544 from okriuchykhin/ok_SCI_4597

Refactor Repository permissions and implement deduplication for files in snapshots [SCI-4597]

Gemfile.lock

@@ -1,6 +1,6 @@
 GIT
   remote: https://github.com/biosistemika/canaid
-  revision: 2ac3004d728adbf1be7f4271689b83464f612b23
+  revision: f595a096f402900e184bf51298dca38fbb7e0820
   branch: rails_6
   specs:
     canaid (1.0.4)
@@ -42,38 +42,38 @@ GIT
 GEM
   remote: http://rubygems.org/
   specs:
-    actioncable (6.0.0)
-      actionpack (= 6.0.0)
+    actioncable (6.0.3)
+      actionpack (= 6.0.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.0)
-      actionpack (= 6.0.0)
-      activejob (= 6.0.0)
-      activerecord (= 6.0.0)
-      activestorage (= 6.0.0)
-      activesupport (= 6.0.0)
+    actionmailbox (6.0.3)
+      actionpack (= 6.0.3)
+      activejob (= 6.0.3)
+      activerecord (= 6.0.3)
+      activestorage (= 6.0.3)
+      activesupport (= 6.0.3)
       mail (>= 2.7.1)
-    actionmailer (6.0.0)
-      actionpack (= 6.0.0)
-      actionview (= 6.0.0)
-      activejob (= 6.0.0)
+    actionmailer (6.0.3)
+      actionpack (= 6.0.3)
+      actionview (= 6.0.3)
+      activejob (= 6.0.3)
       mail (~> 2.5, >= 2.5.4)
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.0)
-      actionview (= 6.0.0)
-      activesupport (= 6.0.0)
-      rack (~> 2.0)
+    actionpack (6.0.3)
+      actionview (= 6.0.3)
+      activesupport (= 6.0.3)
+      rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.0)
-      actionpack (= 6.0.0)
-      activerecord (= 6.0.0)
-      activestorage (= 6.0.0)
-      activesupport (= 6.0.0)
+    actiontext (6.0.3)
+      actionpack (= 6.0.3)
+      activerecord (= 6.0.3)
+      activestorage (= 6.0.3)
+      activesupport (= 6.0.3)
       nokogiri (>= 1.8.5)
-    actionview (6.0.0)
-      activesupport (= 6.0.0)
+    actionview (6.0.3)
+      activesupport (= 6.0.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
@@ -83,27 +83,27 @@ GEM
       activemodel (>= 4.1, < 6.1)
       case_transform (>= 0.2)
       jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
-    activejob (6.0.0)
-      activesupport (= 6.0.0)
+    activejob (6.0.3)
+      activesupport (= 6.0.3)
       globalid (>= 0.3.6)
-    activemodel (6.0.0)
-      activesupport (= 6.0.0)
-    activerecord (6.0.0)
-      activemodel (= 6.0.0)
-      activesupport (= 6.0.0)
+    activemodel (6.0.3)
+      activesupport (= 6.0.3)
+    activerecord (6.0.3)
+      activemodel (= 6.0.3)
+      activesupport (= 6.0.3)
     activerecord-import (1.0.4)
       activerecord (>= 3.2)
-    activestorage (6.0.0)
-      actionpack (= 6.0.0)
-      activejob (= 6.0.0)
-      activerecord (= 6.0.0)
+    activestorage (6.0.3)
+      actionpack (= 6.0.3)
+      activejob (= 6.0.3)
+      activerecord (= 6.0.3)
       marcel (~> 0.3.1)
-    activesupport (6.0.0)
+    activesupport (6.0.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-      zeitwerk (~> 2.1, >= 2.1.8)
+      zeitwerk (~> 2.2, >= 2.2.2)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     aes_key_wrap (1.0.1)
@@ -159,7 +159,7 @@ GEM
     bootstrap3-datetimepicker-rails (4.17.47)
       momentjs-rails (>= 2.8.1)
     bootstrap_form (2.7.0)
-    builder (3.2.3)
+    builder (3.2.4)
     bullet (6.0.2)
       activesupport (>= 3.0.0)
       uniform_notifier (~> 1.11)
@@ -195,10 +195,10 @@ GEM
       execjs
     coffee-script-source (1.12.2)
     commit_param_routing (0.0.1)
-    concurrent-ruby (1.1.5)
+    concurrent-ruby (1.1.6)
     crack (0.4.3)
       safe_yaml (~> 1.0.0)
-    crass (1.0.5)
+    crass (1.0.6)
     cucumber (3.1.2)
       builder (>= 2.1.2)
       cucumber-core (~> 3.2.0)
@@ -250,7 +250,7 @@ GEM
       railties (>= 5)
     down (5.0.0)
       addressable (~> 2.5)
-    erubi (1.8.0)
+    erubi (1.9.0)
     et-orbi (1.2.2)
       tzinfo
     execjs (2.7.0)
@@ -330,7 +330,7 @@ GEM
     logging (2.0.0)
       little-plugger (~> 1.1)
       multi_json (~> 1.10)
-    loofah (2.3.1)
+    loofah (2.5.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -341,7 +341,7 @@ GEM
     mime-types (3.3)
       mime-types-data (~> 3.2015)
     mime-types-data (3.2019.0904)
-    mimemagic (0.3.3)
+    mimemagic (0.3.5)
     mini_magick (4.9.5)
     mini_mime (1.0.2)
     mini_portile2 (2.4.0)
@@ -359,7 +359,7 @@ GEM
       rails (>= 3.2.0)
     newrelic_rpm (6.6.0.358)
     nio4r (2.5.2)
-    nokogiri (1.10.8)
+    nokogiri (1.10.9)
       mini_portile2 (~> 2.4.0)
     nokogumbo (2.0.1)
       nokogiri (~> 1.8, >= 1.8.4)
@@ -407,27 +407,27 @@ GEM
     puma (4.3.3)
       nio4r (~> 2.0)
     raabro (1.1.6)
-    rack (2.0.8)
+    rack (2.2.2)
     rack-attack (6.1.0)
       rack (>= 1.0, < 3)
     rack-proxy (0.6.5)
       rack
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
-    rails (6.0.0)
-      actioncable (= 6.0.0)
-      actionmailbox (= 6.0.0)
-      actionmailer (= 6.0.0)
-      actionpack (= 6.0.0)
-      actiontext (= 6.0.0)
-      actionview (= 6.0.0)
-      activejob (= 6.0.0)
-      activemodel (= 6.0.0)
-      activerecord (= 6.0.0)
-      activestorage (= 6.0.0)
-      activesupport (= 6.0.0)
+    rails (6.0.3)
+      actioncable (= 6.0.3)
+      actionmailbox (= 6.0.3)
+      actionmailer (= 6.0.3)
+      actionpack (= 6.0.3)
+      actiontext (= 6.0.3)
+      actionview (= 6.0.3)
+      activejob (= 6.0.3)
+      activemodel (= 6.0.3)
+      activerecord (= 6.0.3)
+      activestorage (= 6.0.3)
+      activesupport (= 6.0.3)
       bundler (>= 1.3.0)
-      railties (= 6.0.0)
+      railties (= 6.0.3)
       sprockets-rails (>= 2.0.0)
     rails-controller-testing (1.0.4)
       actionpack (>= 5.0.1.x)
@@ -436,8 +436,8 @@ GEM
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.2.0)
-      loofah (~> 2.2, >= 2.2.2)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
     rails_12factor (0.0.3)
       rails_serve_static_assets
       rails_stdout_logging
@@ -445,9 +445,9 @@ GEM
       rails (> 3.1)
     rails_serve_static_assets (0.0.5)
     rails_stdout_logging (0.0.5)
-    railties (6.0.0)
-      actionpack (= 6.0.0)
-      activesupport (= 6.0.0)
+    railties (6.0.3)
+      actionpack (= 6.0.3)
+      activesupport (= 6.0.3)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
@@ -541,7 +541,7 @@ GEM
     simplecov-html (0.10.2)
     spinjs-rails (1.4)
       rails (>= 3.1)
-    sprockets (3.7.2)
+    sprockets (4.0.0)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.2.1)
@@ -558,7 +558,7 @@ GEM
     turbolinks (5.1.1)
       turbolinks-source (~> 5.1)
     turbolinks-source (5.2.0)
-    tzinfo (1.2.6)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
     uglifier (4.1.20)
       execjs (>= 0.3.0, < 3)
@@ -584,7 +584,7 @@ GEM
     wkhtmltopdf-heroku (2.12.5.0)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    zeitwerk (2.2.2)
+    zeitwerk (2.3.0)
 
 PLATFORMS
   ruby

app/assets/config/manifest.js

@@ -0,0 +1,3 @@
+//= link_tree ../images
+//= link application.js
+//= link application.css

app/controllers/assets_controller.rb

@@ -32,7 +32,7 @@ class AssetsController < ApplicationController
                  can_manage_protocol_in_module?(@protocol) || can_manage_protocol_in_repository?(@protocol)
                elsif @assoc.class == Result
                  can_manage_module?(@my_module)
-               elsif @assoc.class == RepositoryCell
+               elsif @assoc.class == RepositoryCell && !@repository.is_a?(RepositorySnapshot)
                  can_manage_repository_rows?(@repository)
                end
     if response_json['type'] == 'previewable'

app/controllers/user_repositories_controller.rb

@@ -31,6 +31,6 @@ class UserRepositoriesController < ApplicationController
 
   def load_vars
     @repository = RepositoryBase.find_by(id: params[:repository_id])
-    render_403 if @repository.nil? || !can_read_repository?(@repository.becomes(Repository))
+    render_403 if @repository.nil? || !can_read_repository?(@repository)
   end
 end

app/models/repository_asset_value.rb

@@ -51,14 +51,8 @@ class RepositoryAssetValue < ApplicationRecord
 
     asset_snapshot.save!
 
-    asset.blob.open do |tmp_file|
-      blob_snapshot = ActiveStorage::Blob.create_after_upload!(
-        io: tmp_file,
-        filename: asset.blob.filename,
-        metadata: asset.blob.metadata
-      )
-      asset_snapshot.file.attach(blob_snapshot)
-    end
+    # ActiveStorage::Blob is immutable, so we can just attach it to the new snapshot
+    asset_snapshot.file.attach(asset.blob)
 
     value_snapshot.assign_attributes(
       repository_cell: cell_snapshot,

app/permissions/repository.rb

@@ -1,24 +1,17 @@
 # frozen_string_literal: true
 
-Canaid::Permissions.register_for(Repository) do
-  %i(manage_repository
-     share_repository
-     create_repository_rows
-     manage_repository_rows
-     update_repository_rows
-     delete_repository_rows
-     create_repository_columns)
-    .each do |perm|
-    can perm do |_, repository|
-      !repository.is_a? RepositorySnapshot
-    end
-  end
-
+Canaid::Permissions.register_for(RepositoryBase) do
   # repository: read/export
   can :read_repository do |user, repository|
-    user.teams.include?(repository.team) || repository.shared_with?(user.current_team)
+    if repository.is_a?(RepositorySnapshot)
+      user.teams.include?(repository.team)
+    else
+      user.teams.include?(repository.team) || repository.shared_with?(user.current_team)
+    end
   end
+end
 
+Canaid::Permissions.register_for(Repository) do
   # repository: update, delete
   can :manage_repository do |user, repository|
     user.is_admin_of_team?(repository.team) unless repository.shared_with?(user.current_team)