Renamed permission 'update_project' to 'manage_project'. Some permissions fixes; added them in some places where they were missing.

2025-09-06 05:04:35 +08:00 · 2018-02-02 18:48:55 +01:00 · 2018-02-02 18:48:55 +01:00 · 93536afcd5
commit 93536afcd5
parent 13e9a2a132
6 changed files with 36 additions and 36 deletions
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@ -12,7 +12,7 @@ class ProjectsController < ApplicationController
                                                  samples experiment_archive
                                                  samples_index)
  before_action :check_create_permissions, only: [ :new, :create ]
-  before_action :check_edit_permissions, only: [ :edit ]
+  before_action :check_manage_permissions, only: %i(edit update)

  @filter_by_archived = false

@ -116,7 +116,7 @@ class ProjectsController < ApplicationController

    # Check archive permissions if archiving/restoring
    if project_params.include? :archive
-      if (project_params[:archive] && !can_update_project?(@project)) ||
+      if (project_params[:archive] && !can_manage_project?(@project)) ||
         (!project_params[:archive] && !can_restore_project?(@project))
        return_error = true
        is_archive = URI(request.referer).path == projects_archive_path ? "restore" : "archive"
@ -322,8 +322,8 @@ class ProjectsController < ApplicationController
    render_403 unless can_create_projects?(current_team)
  end

-  def check_edit_permissions
-    render_403 unless can_update_project?(@project)
+  def check_manage_permissions
+    render_403 unless can_manage_project?(@project)
  end

  def choose_layout
--- a/app/controllers/user_projects_controller.rb
+++ b/app/controllers/user_projects_controller.rb
@ -6,7 +6,7 @@ class UserProjectsController < ApplicationController
  before_action :check_view_permissions, only: :index
  before_action :check_manage_users_permissions, only: :index_edit
  before_action :check_create_permissions, only: :create
-  before_action :check_update_permisisons, only: %i(update destroy)
+  before_action :check_manage_permisisons, only: %i(update destroy)

  def index
    @users = @project.user_projects
@ -183,16 +183,16 @@ class UserProjectsController < ApplicationController
  end

  def check_manage_users_permissions
-    render_403 unless can_update_project?(@project)
+    render_403 unless can_manage_project?(@project)
  end

  def check_create_permissions
    render_403 unless can_create_projects?(current_team)
  end

-  def check_update_permisisons
-    render_403 unless can_update_project?(@project) ||
-                      params[:id] != current_user.id
+  def check_manage_permisisons
+    render_403 unless can_manage_project?(@project) &&
+                      params[:id] == current_user.id
  end

  def init_gui
--- a/app/permissions/project.rb
+++ b/app/permissions/project.rb
@ -5,12 +5,12 @@ Canaid::Permissions.register_for(Project) do
      (project.visible? && user.is_member_of_team?(project.team))
  end

-  can :update_project do |user, project|
+  can :manage_project do |user, project|
    user.is_owner_of_project?(project)
  end

  can :restore_project do |user, project|
-    can_update_project?(user, project) && project.archived?
+    can_manage_project?(user, project) && project.archived?
  end

  can :create_experiment do |user, project|
@ -31,12 +31,12 @@ Canaid::Permissions.register_for(Project) do
    user.is_technician_or_higher_of_project?(project)
  end

-  %(read_project
-    update_project
-    create_experiment
-    add_comment_to_project
-    manage_tags
-    manage_reports)
+  %i(read_project
+     update_project
+     create_experiment
+     add_comment_to_project
+     manage_tags
+     manage_reports)
    .each do |perm|
    can perm do |_, project|
      project.active?
@ -50,10 +50,10 @@ Canaid::Permissions.register_for(Comment) do
      user.is_owner_of_project?(project))
  end

-  %(update_or_delete_project_comment)
+  %i(update_or_delete_project_comment)
    .each do |perm|
-    can perm do |_, project|
-      project.active?
+    can perm do |_, comment|
+      comment.project.active?
    end
  end
 end
--- a/app/views/projects/index.html.erb
+++ b/app/views/projects/index.html.erb
@ -23,7 +23,7 @@
  </div>
 <% end %>

-<% if can_update_project?(@project) %>
+<% if can_manage_project?(@project) %>
  <!-- Edit project modal -->
  <div class="modal" id="edit-project-modal" tabindex="-1" role="dialog" aria-labelledby="edit-project-modal-label">
    <div class="modal-dialog" role="document">
@ -41,21 +41,21 @@
      </div>
    </div>
  </div>
-<% end %>

-<!-- Manage users modal -->
-<div class="modal" id="manage-users-modal" tabindex="-1" role="dialog" aria-labelledby="manage-users-modal-label">
-  <div class="modal-dialog" role="document">
-    <div class="modal-content">
-      <div class="modal-header">
-        <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>
-        <h4 class="modal-title" id="manage-users-modal-label"><%= t("projects.index.modal_manage_users.modal_title") %> <span id="manage-users-modal-project"></span></h4>
+  <!-- Manage users modal -->
+  <div class="modal" id="manage-users-modal" tabindex="-1" role="dialog" aria-labelledby="manage-users-modal-label">
+    <div class="modal-dialog" role="document">
+      <div class="modal-content">
+        <div class="modal-header">
+          <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+          <h4 class="modal-title" id="manage-users-modal-label"><%= t("projects.index.modal_manage_users.modal_title") %> <span id="manage-users-modal-project"></span></h4>
+        </div>
+        <div class="modal-body"></div>
+        <div class="modal-footer"></div>
      </div>
-      <div class="modal-body"></div>
-      <div class="modal-footer"></div>
    </div>
  </div>
-</div>
+<% end %>

 <div id="projects-toolbar">

@ -67,8 +67,8 @@
        <span class="glyphicon glyphicon-briefcase" aria-hidden="true"></span>
      </a>

+      <% if can_create_project?(@project) && @teams.length > 0 %>
      <!-- new project button -->
-      <% if @teams.length > 0 %>
        <a class="btn btn-primary pull-right" id="new-project-btn">
          <span class="glyphicon glyphicon-plus" aria-hidden="true"></span>
          <span class="hidden-xs"><%=t "projects.index.new" %></span>
--- a/app/views/projects/index/_project.html.erb
+++ b/app/views/projects/index/_project.html.erb
@ -2,7 +2,7 @@
 data-project-users-tab-url="<%= url_for project_user_projects_path(project_id: project.id, format: :json) %>">
  <div class="panel-heading">

-    <% if can_update_project?(@project) %>
+    <% if can_manage_project?(@project) %>
      <div class="dropdown pull-right">
        <button class="btn btn-link dropdown-toggle" type="button" id="dropdownMenu1" data-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
          <span class="caret"></span>
--- a/app/views/user_projects/_index.html.erb
+++ b/app/views/user_projects/_index.html.erb
@ -20,7 +20,7 @@
    <% end %>
  <% end %>
 </ul>
-<% if can_update_project?(@project) %>
+<% if can_manage_project?(@project) %>
    <p>
      <hr>
      <%= link_to t("projects.index.manage_users"), project_users_edit_path(@project, format: :json), class: "manage-users-link", remote: true %>