From 9108102b4223db845fe316b030dbd3ec37aa78f3 Mon Sep 17 00:00:00 2001
From: Mojca Lorber
Date: Wed, 7 Jun 2017 17:07:28 +0200
Subject: [PATCH] fix permissions

---
 app/controllers/my_modules_controller.rb | 18 ++++--
 .../repository_columns_controller.rb | 4 +-
 app/controllers/repository_rows_controller.rb | 2 +-
 app/helpers/permission_helper.rb | 16 ++---
 .../repositories/_repository_table.html.erb | 4 +-
 app/views/repositories/index.html.erb | 62 ++++++++++---------
 6 files changed, 58 insertions(+), 48 deletions(-)

diff --git a/app/controllers/my_modules_controller.rb b/app/controllers/my_modules_controller.rb
index 3441acbb3..67621878e 100644
--- a/app/controllers/my_modules_controller.rb
+++ b/app/controllers/my_modules_controller.rb
@@ -27,6 +27,10 @@ class MyModulesController < ApplicationController
 before_action :check_assign_samples_permissions, only: :assign_samples
 before_action :check_unassign_samples_permissions, only: :unassign_samples
 before_action :check_complete_my_module_perimission, only: :complete_my_module
+ before_action :check_assign_repository_records_permissions,
+ only: :assign_repository_records
+ before_action :check_unassign_repository_records_permissions,
+ only: :unassign_repository_records
 layout 'fluid'.freeze
@@ -386,8 +390,6 @@ class MyModulesController < ApplicationController
 # Submit actions
 def assign_repository_records
- render_403 && return unless can_assign_repository_records(@my_module,
- @repository)
 if params[:selected_rows].present? && params[:repository_id].present?
 records_names = []
@@ -437,8 +439,6 @@ class MyModulesController < ApplicationController
 end
 def unassign_repository_records
- render_403 && return unless can_unassign_repository_records(@my_module,
- @repository)
 if params[:selected_rows].present? && params[:repository_id].present?
 records = []
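Review bot: The new filters `check_assign_repository_records_permissions` and `check_unassign_repository_records_permissions` read `@my_module` and `@repository`, so the filter that assigns `@repository` for `assign_repository_records`/`unassign_repository_records` must be declared before these two `before_action` lines; that loader is not visible in this hunk, and Rails runs filters in declaration order. If `@repository` is nil when the check runs, `can_assign_repository_records` ends up calling `.team` on nil and the request fails with a 500 instead of the intended 403, so the loader should already have rendered 404 for an unknown `params[:repository_id]` by the time the permission filter runs. The same dependency applies to the `@@ -386` and `@@ -437` hunks, where the inline checks were removed, and to the filter bodies added in the `@@ -641` hunk. A short comment above the new lines, e.g. `# requires @my_module and @repository, assigned by the preceding filters`, would make the ordering requirement explicit.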
@@ -641,12 +641,20 @@ class MyModulesController < ApplicationController
 end
 end
+ def check_assign_repository_records_permissions
+ render_403 unless can_assign_repository_records(@my_module, @repository)
+ end
+
+ def check_unassign_repository_records_permissions
+ render_403 unless can_unassign_repository_records(@my_module, @repository)
+ end
+
 def check_complete_my_module_perimission
 render_403 unless can_complete_module(@my_module)
 end
 def my_module_params
 params.require(:my_module).permit(:name, :description, :due_date,
- :archived)
+ :archived)
 end
 end
diff --git a/app/controllers/repository_columns_controller.rb b/app/controllers/repository_columns_controller.rb
index cce71ca02..cab9ea83b 100644
--- a/app/controllers/repository_columns_controller.rb
+++ b/app/controllers/repository_columns_controller.rb
@@ -113,11 +113,11 @@ class RepositoryColumnsController < ApplicationController
 end
 def check_update_permissions
- render_403 unless can_edit_columns_in_repository(@repository)
+ render_403 unless can_edit_column_in_repository(@repository_column)
 end
 def check_destroy_permissions
- render_403 unless can_delete_columns_in_repository(@repository)
+ render_403 unless can_delete_column_in_repository(@repository_column)
 end
 def repository_column_params
diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb
index f2c77c412..2d52bdecc 100644
--- a/app/controllers/repository_rows_controller.rb
+++ b/app/controllers/repository_rows_controller.rb
@@ -219,7 +219,7 @@ class RepositoryRowsController < ApplicationController
 end
 def check_edit_permissions
- render_403 unless can_edit_repository_records(@repository)
+ render_403 unless can_edit_repository_record(@record)
 end
 def check_destroy_permissions
diff --git a/app/helpers/permission_helper.rb b/app/helpers/permission_helper.rb
index d2b264af5..8a54f164c 100644
--- a/app/helpers/permission_helper.rb
+++ b/app/helpers/permission_helper.rb
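Review bot: `check_update_permissions` and `check_destroy_permissions` now authorize against `@repository_column` itself instead of the URL-supplied `@repository`, which is the right object to check, but the fix is only complete if the filter that assigns `@repository_column` scopes its lookup to `@repository` and renders 404 on a miss; that loader is outside this hunk, so please confirm. Without the scoping, a column id from another repository is authorized against its own team while the rest of the request still runs under the URL's `@repository`, and a nil `@repository_column` makes `can_edit_column_in_repository` raise on `.repository`, turning a denial into a 500. The same applies to `check_edit_permissions` in repository_rows_controller.rb, which now passes `@record`. A one-line comment on each check, e.g. `# authorizes against the column's own repository, not the one from the URL`, would record the intent for the next reader.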
@@ -1078,20 +1078,20 @@ module PermissionHelper
 is_normal_user_or_admin_of_team(repository.team)
 end
- def can_delete_columns_in_repository(repository)
- is_normal_user_or_admin_of_team(repository.team)
+ def can_delete_column_in_repository(column)
+ is_normal_user_or_admin_of_team(column.repository.team)
 end
- def can_edit_columns_in_repository(repository)
- is_normal_user_or_admin_of_team(repository.team)
+ def can_edit_column_in_repository(column)
+ is_normal_user_or_admin_of_team(column.repository.team)
 end
 def can_create_repository_records(repository)
 is_normal_user_or_admin_of_team(repository.team)
 end
- def can_edit_repository_records(repository)
- is_normal_user_or_admin_of_team(repository.team)
+ def can_edit_repository_record(record)
+ is_normal_user_or_admin_of_team(record.repository.team)
 end
 def can_delete_repository_records(repository)
@@ -1105,12 +1105,12 @@ module PermissionHelper
 end
 def can_assign_repository_records(my_module, repository)
- can_edit_repository_records(repository) &&
+ can_delete_repository_records(repository) &&
 is_technician_or_higher_of_project(my_module.experiment.project)
 end
 def can_unassign_repository_records(my_module, repository)
- can_edit_repository_records(repository) &&
+ can_delete_repository_records(repository) &&
 is_technician_or_higher_of_project(my_module.experiment.project)
 end
 end
diff --git a/app/views/repositories/_repository_table.html.erb b/app/views/repositories/_repository_table.html.erb
index c0c91175d..8d841be46 100644
--- a/app/views/repositories/_repository_table.html.erb
+++ b/app/views/repositories/_repository_table.html.erb
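Review bot: `can_delete_column_in_repository`, `can_edit_column_in_repository` and `can_edit_repository_record` now dereference `column.repository.team` / `record.repository.team`, so a nil argument raises NoMethodError inside the calling `before_action` instead of denying; since these predicates are fed controller instance variables, either every caller must guarantee a resolved object (404 on a missed lookup) or the helpers should fail closed with `return false unless column` (and `return false unless record`) as their first line. Deriving the team from the object itself rather than from a caller-supplied repository is the substantive change in this hunk and is worth a comment, e.g. `# Team is taken from the object's own repository so a mismatched repository id in the request cannot widen access.`, hedged as appropriate if the previous lookups were already scoped.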
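Review bot: `can_assign_repository_records` and `can_unassign_repository_records` now delegate the repository half of the check to `can_delete_repository_records(repository)`, which couples assigning a record to a module with the right to delete records from the repository; the body of `can_delete_repository_records` is outside this hunk, and if that rule is later tightened the assign/unassign paths tighten silently with it while the method name no longer explains why. Either a dedicated predicate for the repository-side requirement or a comment such as `# assigning/unassigning intentionally requires the same repository role as deleting records` keeps the intent from getting lost.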
@@ -25,8 +25,8 @@ <%= t("repositories.table.added_by") %> <% repository.repository_columns.each do |column| %> - <%= 'data-deletable' if can_delete_columns_in_repository(repository) %> + <%= 'data-editable' if can_edit_column_in_repository(column) %> + <%= 'data-deletable' if can_delete_column_in_repository(column) %> <%= "data-edit-url='#{edit_repository_repository_column_path(repository, column)}'" %> <%= "data-update-url='#{repository_repository_column_path(repository, column)}'" %> <%= "data-destroy-html-url='#{repository_columns_destroy_html_path(repository, column)}'" %> diff --git a/app/views/repositories/index.html.erb b/app/views/repositories/index.html.erb index f9644df68..7ece9e6a1 100644 --- a/app/views/repositories/index.html.erb +++ b/app/views/repositories/index.html.erb @@ -45,40 +45,42 @@ data-toggle="dropdown" aria-haspopup="true" aria-expanded="true" - <%= "disabled='disabled'" if !can_edit_and_destroy_repository repo %>> + <%= "disabled='disabled'" if !can_edit_and_destroy_repository repo and !can_copy_repository repo %>> - + <% end %>
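Review bot: The modified condition in index.html.erb, `if !can_edit_and_destroy_repository repo and !can_copy_repository repo`, mixes `!` on paren-less calls with the low-precedence `and`; it parses as intended here, but it is the form the style guide flags and reads more directly as `<%= "disabled='disabled'" unless can_edit_and_destroy_repository(repo) || can_copy_repository(repo) %>`. Most of this 42-line hunk is not visible in the patch as rendered, so the surrounding markup was not reviewed. Note that the `disabled` attribute, like the `data-editable`/`data-deletable` attributes added in _repository_table.html.erb, only hides controls client-side; the controller filters remain the enforcement point for edit, destroy and copy.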