Renamed permission 'update_project' to 'manage_project'. Some permissions fixes; added them in some places where they were missing.

app/controllers/projects_controller.rb

@@ -12,7 +12,7 @@ class ProjectsController < ApplicationController
                                                   samples experiment_archive
                                                   samples_index)
   before_action :check_create_permissions, only: [ :new, :create ]
-  before_action :check_edit_permissions, only: [ :edit ]
+  before_action :check_manage_permissions, only: %i(edit update)
 
   @filter_by_archived = false
 
@@ -116,7 +116,7 @@ class ProjectsController < ApplicationController
 
     # Check archive permissions if archiving/restoring
     if project_params.include? :archive
-      if (project_params[:archive] && !can_update_project?(@project)) ||
+      if (project_params[:archive] && !can_manage_project?(@project)) ||
          (!project_params[:archive] && !can_restore_project?(@project))
         return_error = true
         is_archive = URI(request.referer).path == projects_archive_path ? "restore" : "archive"
@@ -322,8 +322,8 @@ class ProjectsController < ApplicationController
     render_403 unless can_create_projects?(current_team)
   end
 
-  def check_edit_permissions
-    render_403 unless can_update_project?(@project)
+  def check_manage_permissions
+    render_403 unless can_manage_project?(@project)
   end
 
   def choose_layout

app/controllers/user_projects_controller.rb

@@ -6,7 +6,7 @@ class UserProjectsController < ApplicationController
   before_action :check_view_permissions, only: :index
   before_action :check_manage_users_permissions, only: :index_edit
   before_action :check_create_permissions, only: :create
-  before_action :check_update_permisisons, only: %i(update destroy)
+  before_action :check_manage_permisisons, only: %i(update destroy)
 
   def index
     @users = @project.user_projects
@@ -183,16 +183,16 @@ class UserProjectsController < ApplicationController
   end
 
   def check_manage_users_permissions
-    render_403 unless can_update_project?(@project)
+    render_403 unless can_manage_project?(@project)
   end
 
   def check_create_permissions
     render_403 unless can_create_projects?(current_team)
   end
 
-  def check_update_permisisons
-    render_403 unless can_update_project?(@project) ||
-                      params[:id] != current_user.id
+  def check_manage_permisisons
+    render_403 unless can_manage_project?(@project) &&
+                      params[:id] == current_user.id
   end
 
   def init_gui

app/permissions/project.rb

@@ -5,12 +5,12 @@ Canaid::Permissions.register_for(Project) do
       (project.visible? && user.is_member_of_team?(project.team))
   end
 
-  can :update_project do |user, project|
+  can :manage_project do |user, project|
     user.is_owner_of_project?(project)
   end
 
   can :restore_project do |user, project|
-    can_update_project?(user, project) && project.archived?
+    can_manage_project?(user, project) && project.archived?
   end
 
   can :create_experiment do |user, project|
@@ -31,7 +31,7 @@ Canaid::Permissions.register_for(Project) do
     user.is_technician_or_higher_of_project?(project)
   end
 
-  %(read_project
+  %i(read_project
      update_project
      create_experiment
      add_comment_to_project
@@ -50,10 +50,10 @@ Canaid::Permissions.register_for(Comment) do
       user.is_owner_of_project?(project))
   end
 
-  %(update_or_delete_project_comment)
+  %i(update_or_delete_project_comment)
     .each do |perm|
-    can perm do |_, project|
-      project.active?
+    can perm do |_, comment|
+      comment.project.active?
     end
   end
 end

app/views/projects/index.html.erb

@@ -23,7 +23,7 @@
   </div>
 <% end %>
 
-<% if can_update_project?(@project) %>
+<% if can_manage_project?(@project) %>
   <!-- Edit project modal -->
   <div class="modal" id="edit-project-modal" tabindex="-1" role="dialog" aria-labelledby="edit-project-modal-label">
     <div class="modal-dialog" role="document">
@@ -41,7 +41,6 @@
       </div>
     </div>
   </div>
-<% end %>
 
   <!-- Manage users modal -->
   <div class="modal" id="manage-users-modal" tabindex="-1" role="dialog" aria-labelledby="manage-users-modal-label">
@@ -56,6 +55,7 @@
       </div>
     </div>
   </div>
+<% end %>
 
 <div id="projects-toolbar">
 
@@ -67,8 +67,8 @@
         <span class="glyphicon glyphicon-briefcase" aria-hidden="true"></span>
       </a>
 
+      <% if can_create_project?(@project) && @teams.length > 0 %>
       <!-- new project button -->
-      <% if @teams.length > 0 %>
         <a class="btn btn-primary pull-right" id="new-project-btn">
           <span class="glyphicon glyphicon-plus" aria-hidden="true"></span>
           <span class="hidden-xs"><%=t "projects.index.new" %></span>

app/views/projects/index/_project.html.erb

@@ -2,7 +2,7 @@
 data-project-users-tab-url="<%= url_for project_user_projects_path(project_id: project.id, format: :json) %>">
   <div class="panel-heading">
 
-    <% if can_update_project?(@project) %>
+    <% if can_manage_project?(@project) %>
       <div class="dropdown pull-right">
         <button class="btn btn-link dropdown-toggle" type="button" id="dropdownMenu1" data-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
           <span class="caret"></span>

app/views/user_projects/_index.html.erb

@@ -20,7 +20,7 @@
     <% end %>
   <% end %>
 </ul>
-<% if can_update_project?(@project) %>
+<% if can_manage_project?(@project) %>
     <p>
       <hr>
       <%= link_to t("projects.index.manage_users"), project_users_edit_path(@project, format: :json), class: "manage-users-link", remote: true %>