diff --git a/app/controllers/my_module_tags_controller.rb b/app/controllers/my_module_tags_controller.rb
index 7946f36dd..2ce5a0170 100644
--- a/app/controllers/my_module_tags_controller.rb
+++ b/app/controllers/my_module_tags_controller.rb
@@ -1,8 +1,7 @@
 class MyModuleTagsController < ApplicationController
 before_action :load_vars
 before_action :check_view_permissions, only: [:index_edit, :index]
- before_action :check_create_permissions, only: [:create]
- before_action :check_destroy_permissions, only: [:destroy]
+ before_action :check_manage_permissions, only: %i(create destroy)
 def index_edit
 @my_module_tags = @my_module.my_module_tags
@@ -75,21 +74,11 @@ class MyModuleTagsController < ApplicationController
 end
 def check_view_permissions
- unless can_edit_tags_for_module(@my_module)
- render_403
- end
+ render_403 unless can_read_project?(@my_module.experiment.project)
 end
- def check_create_permissions
- unless can_add_tag_to_module(@my_module)
- render_403
- end
-
- def check_destroy_permissions
- unless can_remove_tag_from_module(@my_module)
- render_403
- end
+ def check_manage_permissions
+ render_403 unless can_create_or_manage_tags?(@my_module.experiment.project)
 end
 def init_gui
diff --git a/app/controllers/project_activities_controller.rb b/app/controllers/project_activities_controller.rb
index 79992ea24..350c8f598 100644
--- a/app/controllers/project_activities_controller.rb
+++ b/app/controllers/project_activities_controller.rb
@@ -26,9 +26,7 @@ class ProjectActivitiesController < ApplicationController
 end
 def check_view_permissions
- unless can_view_project_activities(@project)
- render_403
- end
+ render_403 unless can_read_project?(@project)
 end
 end
diff --git a/app/controllers/project_comments_controller.rb b/app/controllers/project_comments_controller.rb
index c4007c94e..b02490737 100644
--- a/app/controllers/project_comments_controller.rb
+++ b/app/controllers/project_comments_controller.rb
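Review bot: `check_view_permissions` is still the only filter on `index_edit` (see the `@@ -1,8 +1,7 @@` hunk), but after this hunk it requires only `can_read_project?`, whereas the removed `can_edit_tags_for_module` required `is_user_or_higher_of_project` (visible in the permission_helper hunks), so project viewers can now open the manage-tags modal whose `create`/`destroy` actions are guarded by `check_manage_permissions`. If that widening is not intended, split the filters: `before_action :check_view_permissions, only: :index` and `before_action :check_manage_permissions, only: %i(index_edit create destroy)`. The `index_edit` action body is outside the hunk, so I can't tell whether it does more than render the list.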
@@ -6,9 +6,8 @@ class ProjectCommentsController < ApplicationController
 before_action :load_vars
 before_action :check_view_permissions, only: :index
- before_action :check_add_permissions, only: [:create]
- before_action :check_edit_permissions, only: [:edit, :update]
- before_action :check_destroy_permissions, only: [:destroy]
+ before_action :check_create_permissions, only: :create
+ before_action :check_manage_permissions, only: %i(edit update destroy)
 def index
 @comments = @project.last_comments(@last_comment_id, @per_page)
@@ -171,25 +170,17 @@ class ProjectCommentsController < ApplicationController
 end
 def check_view_permissions
- unless can_view_project_comments(@project)
- render_403
- end
+ render_403 unless can_read_project?(@project)
 end
- def check_add_permissions
- unless can_add_comment_to_project(@project)
- render_403
- end
+ def check_create_permissions
+ render_403 unless can_create_comment_in_project?(@project)
 end
- def check_edit_permissions
+ def check_manage_permissions
 @comment = ProjectComment.find_by_id(params[:id])
- render_403 unless @comment.present? && can_edit_project_comment(@comment)
- end
-
- def check_destroy_permissions
- @comment = ProjectComment.find_by_id(params[:id])
- render_403 unless @comment.present? && can_delete_project_comment(@comment)
+ render_403 unless @comment.present? &&
+ can_manage_comment_in_project?(@comment)
 end
 def comment_params
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
index d169017ac..96c96c97a 100644
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
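Review bot: `check_manage_permissions` still loads `@comment = ProjectComment.find_by_id(params[:id])` by id alone, with no relation to the `@project` that `load_vars` sets up, so the comment being edited or destroyed can belong to a different project than the one in the URL. `can_manage_comment_in_project?(@comment)` is evaluated against `@comment.project`, which limits the impact, but the URL's project and the authorized object can still disagree. If the association exists, scope the lookup, e.g. `@comment = @project.project_comments.find_by_id(params[:id])`. The lookup was already unscoped before this change, and the enclosing class continues outside the hunk.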
@@ -8,14 +8,11 @@ class ProjectsController < ApplicationController
 :notifications, :reports, :samples, :experiment_archive, :delete_samples, :samples_index]
- before_action :check_view_permissions, only: [:show, :reports,
- :samples, :experiment_archive,
- :samples_index]
- before_action :check_view_notifications_permissions, only: [ :notifications ]
+ before_action :check_view_permissions, only: %i(show reports notifications
+ samples experiment_archive
+ samples_index)
 before_action :check_create_permissions, only: [ :new, :create ]
- before_action :check_edit_permissions, only: [ :edit ]
- before_action :check_experiment_archive_permissions,
- only: [:experiment_archive]
+ before_action :check_manage_permissions, only: %i(edit update)
 @filter_by_archived = false
@@ -119,8 +116,8 @@ class ProjectsController < ApplicationController
 # Check archive permissions if archiving/restoring
 if project_params.include? :archive
- if (project_params[:archive] and !can_archive_project(@project)) or
- (!project_params[:archive] and !can_restore_project(@project))
+ if (project_params[:archive] && !can_archive_project?(@project)) ||
+ (!project_params[:archive] && !can_restore_project?(@project))
 return_error = true
 is_archive = URI(request.referer).path == projects_archive_path ? "restore" : "archive"
 flash_error = t("projects.#{is_archive}.error_flash", name: @project.name)
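Review bot: `experiment_archive` now runs only through `check_view_permissions`, i.e. `can_read_project?`, whereas the removed `check_experiment_archive_permissions` called `can_view_project_archive`, which required `is_user_or_higher_of_project` (visible in the permission_helper hunk), so project viewers can now browse the experiment archive. If that widening is not intended, keep a dedicated filter such as `before_action :check_manage_permissions, only: %i(edit update experiment_archive)` or add an archive-read permission next to `read_project` in app/permissions/project.rb. The `load_vars` filter list on the first context line starts above the hunk.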
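Review bot: The rewritten condition still treats `project_params[:archive]` as a boolean, but a value submitted by a form arrives as a String, and every String (including `"false"` and `"0"`) is truthy in Ruby, so the `!project_params[:archive] && !can_restore_project?(@project)` arm can only run when the key maps to nil and a restore request is otherwise checked against `can_archive_project?`. Cast once before the check, e.g. `archive = ActiveModel::Type::Boolean.new.cast(project_params[:archive])` on Rails 5+, and use `archive` in both arms. I can't see `project_params` or the submitting form in this hunk, so this depends on how the value is posted; the enclosing `update` action continues on both sides of the hunk.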
@@ -318,29 +315,15 @@ class ProjectsController < ApplicationController
 end
 def check_view_permissions
- unless can_view_project(@project)
- render_403
- end
+ render_403 unless can_read_project?(@project)
 end
 def check_create_permissions
 render_403 unless can_create_projects?(current_team)
 end
- def check_view_notifications_permissions
- unless can_view_project_notifications(@project)
- render_403
- end
- end
-
- def check_edit_permissions
- unless can_edit_project(@project)
- render_403
- end
- end
-
- def check_experiment_archive_permissions
- render_403 unless can_view_project_archive(@project)
+ def check_manage_permissions
+ render_403 unless can_manage_project?(@project)
 end
 def choose_layout
diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
index 7a544e972..79504d9af 100644
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@@ -33,8 +33,6 @@ class ReportsController < ApplicationController
 before_action :check_create_permissions, only: [
 :new,
 :create,
- :edit,
- :update,
 :generate,
 :save_modal,
 :project_contents_modal,
@@ -47,7 +45,8 @@ class ReportsController < ApplicationController
 :step_contents,
 :result_contents
 ]
- before_action :check_destroy_permissions, only: :destroy
+ before_action :check_manage_permissions, only: %i(edit update
+ destroy)
 layout 'fluid'
@@ -447,15 +446,15 @@ class ReportsController < ApplicationController
 end
 def check_view_permissions
- render_403 unless can_view_reports(@project)
+ render_403 unless can_read_project?(@project)
 end
 def check_create_permissions
- render_403 unless can_create_new_report(@project)
+ render_403 unless can_create_or_manage_reports?(@project)
 end
- def check_destroy_permissions
- render_403 unless can_delete_reports(@project)
+ def check_manage_permissions
+ render_403 unless can_create_or_manage_reports?(@project)
 render_404 unless params.include? :report_ids
 end
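Review bot: `check_manage_permissions` keeps the `render_404 unless params.include? :report_ids` line inherited from the removed `check_destroy_permissions`, but per the `@@ -47,7 +45,8 @@` hunk the filter now also runs for `edit` and `update`, so those actions answer 404 unless they too submit `report_ids`, which I can't see from here. When both checks fail the method also calls two render helpers in a row, which presumably raises `AbstractController::DoubleRenderError`. Stop after the first render and limit the id check to the action that needs it: `return render_403 unless can_create_or_manage_reports?(@project)` followed by `render_404 if action_name == 'destroy' && !params.include?(:report_ids)`. `check_create_permissions` now evaluates the same permission, so the two filters could share one method once the 404 branch is action-specific.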
diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb
index 1df5da37e..a5194d8db 100644
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@@ -1,9 +1,7 @@
 class TagsController < ApplicationController
 before_action :load_vars, only: [:create, :update, :destroy]
 before_action :load_vars_nested, only: [:update, :destroy]
- before_action :check_create_permissions, only: [:create]
- before_action :check_update_permissions, only: [:update]
- before_action :check_destroy_permissions, only: [:destroy]
+ before_action :check_manage_permissions, only: %i(create update destroy)
 def create
 @tag = Tag.new(tag_params)
@@ -142,23 +140,8 @@ class TagsController < ApplicationController
 end
 end
- # Currently unimplemented
- def check_create_permissions
- unless can_create_new_tag(@project)
- render_403
- end
- end
-
- def check_update_permissions
- unless can_edit_tag(@project)
- render_403
- end
- end
-
- def check_destroy_permissions
- unless can_delete_tag(@project)
- render_403
- end
+ def check_manage_permissions
+ render_403 unless can_create_or_manage_tags?(@project)
 end
 def tag_params
diff --git a/app/controllers/user_projects_controller.rb b/app/controllers/user_projects_controller.rb
index 779d2479d..507c98da2 100644
--- a/app/controllers/user_projects_controller.rb
+++ b/app/controllers/user_projects_controller.rb
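Review bot: `check_manage_permissions` authorizes against `@project` only, while `update` and `destroy` act on the tag that `load_vars_nested` loads (presumably into `@tag`); if that loader fetches the record by `params[:id]` alone rather than through `@project.tags`, the permission and the object being modified refer to different projects. Neither loader is inside this hunk, so this is a point to verify rather than a confirmed defect; if it applies, scope the lookup (`@project.tags.find_by_id(params[:id])`) or add `render_403 unless @tag&.project == @project` here for the nested actions. The class continues outside the hunk.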
@@ -3,12 +3,10 @@ class UserProjectsController < ApplicationController
 include InputSanitizeHelper
 before_action :load_vars
- before_action :check_view_tab_permissions, only: :index
- before_action :check_view_permissions, only: :index_edit
+ before_action :check_view_permissions, only: :index
+ before_action :check_manage_users_permissions, only: :index_edit
 before_action :check_create_permissions, only: :create
- # TODO check update permissions
- before_action :check_update_permisisons, only: :update
- before_action :check_delete_permisisons, only: :destroy
+ before_action :check_manage_permisisons, only: %i(update destroy)
 def index
 @users = @project.user_projects
@@ -180,39 +178,21 @@ class UserProjectsController < ApplicationController
 end
 end
- def check_view_tab_permissions
- unless can_view_project_users(@project)
- render_403
- end
+ def check_view_permissions
+ render_403 unless can_read_project?(@project)
 end
- def check_view_permissions
- unless can_edit_users_on_project(@project)
- render_403
- end
+ def check_manage_users_permissions
+ render_403 unless can_manage_project?(@project)
 end
 def check_create_permissions
- unless can_add_user_to_project(@project)
- render_403
- end
+ render_403 unless can_create_projects?(current_team)
 end
- def check_update_permisisons
- # TODO improve permissions for changing your role on project
- unless params[:id] != current_user.id
- render_403
- end
- end
-
- def check_delete_permisisons
- # TODO improve permissions for remove yourself from project
- unless params[:id] != current_user.id
- render_403
- end
- unless can_remove_user_from_project(@project)
- render_403
- end
+ def check_manage_permisisons
+ render_403 unless can_manage_project?(@project) &&
+ params[:id] == current_user.id
 end
 def init_gui
diff --git a/app/helpers/permission_helper.rb b/app/helpers/permission_helper.rb
index cb583af18..25f9f2007 100644
--- a/app/helpers/permission_helper.rb
+++ b/app/helpers/permission_helper.rb
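Review bot: The retained `before_action :check_create_permissions, only: :create` now resolves (in the `@@ -180,39 +178,21 @@` hunk) to `can_create_projects?(current_team)`, a team-level permission about creating projects, in place of the removed `can_add_user_to_project`, which required project ownership (see the permission_helper hunk); any team member allowed to create projects can thus assign users to a project they do not own, while `index_edit` in the same list still requires `can_manage_project?`. The new `manage_project` permission in app/permissions/project.rb is commented as covering "assign/reassign/unassign users", so `render_403 unless can_manage_project?(@project)` looks like the intended body for `check_create_permissions`. The renamed filter also carries the `permisisons` typo into the new method name; `check_manage_permissions` would match the other controllers in this commit.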
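Review bot: `check_manage_permisisons` now requires `params[:id] == current_user.id`, which inverts what the removed filters did (they rendered 403 when the id matched the current user), and because `params[:id]` is a String while `current_user.id` is an Integer the comparison is always false, so `update` and `destroy` render 403 for every caller. The old code had the same type mismatch in the opposite direction (its `!=` was always true, as its TODO comments admitted). If the intent is "owners may manage other memberships but not their own", write `render_403 unless can_manage_project?(@project)` followed by `render_403 if params[:id].to_i == current_user.id`, comparing against the membership's `user_id` instead if `params[:id]` identifies a `UserProject` record rather than a user, which this hunk does not show. The class continues outside the hunk.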
@@ -43,33 +43,14 @@ module PermissionHelper
 # ---- Almost everything is disabled for archived projects ----
 around [
 :can_view_project,
- :can_view_project_activities,
- :can_view_project_users,
- :can_view_project_notifications,
- :can_view_project_comments,
- :can_edit_project,
- :can_archive_project,
- :can_add_user_to_project,
- :can_remove_user_from_project,
- :can_edit_users_on_project,
- :can_add_comment_to_project,
 :can_restore_archived_modules,
- :can_view_project_samples,
- :can_view_project_archive,
- :can_create_new_tag,
- :can_edit_tag,
- :can_delete_tag,
 :can_edit_canvas,
 :can_reposition_modules,
 :can_edit_connections,
 :can_create_modules,
 :can_edit_modules,
 :can_clone_modules,
- :can_archive_modules,
- :can_view_reports,
- :can_create_new_report,
- :can_delete_reports,
- :can_create_experiment
+ :can_archive_modules
 ] do |proxy, *args, &block|
 if args[0]
 project = args[0]
@@ -87,9 +68,6 @@ module PermissionHelper
 # commented out or that functionality will not work any more.
 #:can_edit_module,
 :can_archive_module,
- :can_edit_tags_for_module,
- :can_add_tag_to_module,
- :can_remove_tag_from_module,
 :can_view_module_info,
 :can_view_module_users,
 :can_edit_users_on_module,
@@ -267,90 +245,10 @@ module PermissionHelper
 (project.visible? and is_member_of_team(project.team))
 end
- def can_view_project_activities(project)
- is_member_of_project(project)
- end
-
- def can_view_project_users(project)
- can_view_project(project)
- end
-
- def can_view_project_notifications(project)
- can_view_project(project)
- end
-
- def can_view_project_comments(project)
- can_view_project(project)
- end
-
- def can_edit_project(project)
- is_owner_of_project(project)
- end
-
- def can_archive_project(project)
- is_owner_of_project(project)
- end
-
- def can_restore_project(project)
- project.archived? && is_owner_of_project(project)
- end
-
- def can_add_user_to_project(project)
- is_owner_of_project(project)
- end
-
- def can_remove_user_from_project(project)
- is_owner_of_project(project)
- end
-
- def can_edit_users_on_project(project)
- is_owner_of_project(project)
- end
-
- def can_add_comment_to_project(project)
- is_technician_or_higher_of_project(project)
- end
-
- def can_edit_project_comment(comment)
- comment.project.present? &&
- (
- comment.user == current_user ||
- is_owner_of_project(comment.project)
- )
- end
-
- def can_delete_project_comment(comment)
- comment.project.present? &&
- (
- comment.user == current_user ||
- is_owner_of_project(comment.project)
- )
- end
-
 def can_restore_archived_modules(project)
 is_user_or_higher_of_project(project)
 end
- def can_view_project_samples(project)
- can_view_project(project)
- end
-
- def can_view_project_archive(project)
- is_user_or_higher_of_project(project)
- end
-
- def can_create_new_tag(project)
- is_user_or_higher_of_project(project)
- end
-
- def can_edit_tag(project)
- is_user_or_higher_of_project(project)
- end
-
- def can_delete_tag(project)
- is_user_or_higher_of_project(project)
- end
-
 # ---- EXPERIMENT PERMISSIONS ----
 def can_view_experiment_actions(experiment)
@@ -358,10 +256,6 @@ module PermissionHelper
 can_archive_experiment(experiment)
 end
- def can_create_experiment(project)
- is_user_or_higher_of_project(project)
- end
-
 def can_edit_experiment(experiment)
 is_user_or_higher_of_project(experiment.project)
 end
@@ -448,18 +342,6 @@ module PermissionHelper
 is_user_or_higher_of_project(my_module.experiment.project)
 end
- def can_edit_tags_for_module(my_module)
- is_user_or_higher_of_project(my_module.experiment.project)
- end
-
- def can_add_tag_to_module(my_module)
- is_user_or_higher_of_project(my_module.experiment.project)
- end
-
- def can_remove_tag_from_module(my_module)
- is_user_or_higher_of_project(my_module.experiment.project)
- end
-
 def can_view_module_info(my_module)
 can_view_project(my_module.experiment.project)
 end
@@ -614,18 +496,6 @@ module PermissionHelper
 # ---- REPORTS PERMISSIONS ----
- def can_view_reports(project)
- can_view_project(project)
- end
-
- def can_create_new_report(project)
- is_technician_or_higher_of_project(project)
- end
-
- def can_delete_reports(project)
- is_technician_or_higher_of_project(project)
- end
-
 # ---- SAMPLE PERMISSIONS ----
 # def can_create_samples(team)
diff --git a/app/models/concerns/user/project_roles.rb b/app/models/concerns/user/project_roles.rb
index db2100993..c20d2da55 100644
--- a/app/models/concerns/user/project_roles.rb
+++ b/app/models/concerns/user/project_roles.rb
@@ -57,4 +57,4 @@ module User::ProjectRoles
 def is_viewer_of_project?(project)
 @user_project.viewer?
 end
-end
\ No newline at end of file
+end
diff --git a/app/permissions/project.rb b/app/permissions/project.rb
new file mode 100644
index 000000000..77da1edb4
--- /dev/null
+++ b/app/permissions/project.rb
@@ -0,0 +1,77 @@
+Canaid::Permissions.register_for(Project) do
+ # project: read, read activities, read comments, read users, read archive,
+ # read notifications
+ # reports: read
+ # samples: read
+ can :read_project do |user, project|
+ user.is_member_of_project?(project) ||
+ user.is_admin_of_team?(project.team) ||
+ (project.visible? && user.is_member_of_team?(project.team))
+ end
+
+ # project: update/delete/archive, assign/reassign/unassign users
+ can :manage_project do |user, project|
+ user.is_owner_of_project?(project)
+ end
+
+ # project: archive
+ can :archive_project do |user, project|
+ can_manage_project?(user, project)
+ end
+
+ # project: restore
+ can :restore_project do |user, project|
+ can_manage_project?(user, project) && project.archived?
+ end
+
+ # experiment: create
+ can :create_experiment do |user, project|
+ user.is_user_or_higher_of_project?(project)
+ end
+
+ # project: create comment
+ can :create_comment_in_project do |user, project|
+ user.is_technician_or_higher_of_project?(project)
+ end
+
+ # project: create/update/delete tag
+ # module: assign/reassign/unassign tag
+ can :create_or_manage_tags do |user, project|
+ user.is_user_or_higher_of_project?(project)
+ end
+
+ # reports: create/delete
+ can :create_or_manage_reports do |user, project|
+ user.is_technician_or_higher_of_project?(project)
+ end
+
+ # Project must be active for all the specified permissions
+ %i(read_project
+ manage_project
+ archive_project
+ create_experiment
+ create_comment_in_project
+ create_or_manage_tags
+ create_or_manage_reports)
+ .each do |perm|
+ can perm do |_, project|
+ project.active?
+ end
+ end
+end
+
+Canaid::Permissions.register_for(Comment) do
+ # project: update/delete comment
+ can :manage_comment_in_project do |user, comment|
+ comment.project.present?
&& (comment.user == user || + user.is_owner_of_project?(project)) + end + + # Project must be active for all the specified permissions + %i(manage_comment_in_project) + .each do |perm| + can perm do |_, comment| + comment.project.active? + end + end +end diff --git a/app/views/canvas/_tags.html.erb b/app/views/canvas/_tags.html.erb index dfc6d1ade..61a88a0df 100644 --- a/app/views/canvas/_tags.html.erb +++ b/app/views/canvas/_tags.html.erb @@ -13,8 +13,8 @@ <%= my_module.tags.count %> <% else %> - "> + "> + <% end %> - \ No newline at end of file + diff --git a/app/views/canvas/full_zoom/_my_module.html.erb b/app/views/canvas/full_zoom/_my_module.html.erb index 3a3fcbdc0..885b1dd7c 100644 --- a/app/views/canvas/full_zoom/_my_module.html.erb +++ b/app/views/canvas/full_zoom/_my_module.html.erb @@ -12,13 +12,13 @@ data-module-tags-url="<%= my_module_my_module_tags_url(my_module, format: :json) %>" data-module-users-tab-url="<%= my_module_user_my_modules_url(my_module_id: my_module.id, format: :json) %>"> - <% if can_edit_tags_for_module(my_module) %> + <% if can_create_or_manage_tags?(my_module.experiment.project) %> <% else %> <% end %> <%= render partial: "canvas/tags.html.erb", locals: { my_module: my_module } %> - <% if can_edit_tags_for_module(my_module) %> + <% if can_create_or_manage_tags?(my_module.experiment.project) %> <% else %> diff --git a/app/views/canvas/medium_zoom/_my_module.html.erb b/app/views/canvas/medium_zoom/_my_module.html.erb index c043ee39c..e468aedc7 100644 --- a/app/views/canvas/medium_zoom/_my_module.html.erb +++ b/app/views/canvas/medium_zoom/_my_module.html.erb 
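Review bot: In `manage_comment_in_project` the block receives `|user, comment|` but calls `user.is_owner_of_project?(project)`, and `project` is not defined in that scope, so evaluating the permission for anyone other than the comment's author raises NameError; it should read `user.is_owner_of_project?(comment.project)`. Separately, `restore_project` is defined as `can_manage_project?(user, project) && project.archived?` while the trailing `.each` loop adds a `project.active?` requirement to `manage_project`; if Canaid combines several `can` blocks for one permission conjunctively (which that loop relies on), `restore_project` can never be true, so write it directly as `user.is_owner_of_project?(project) && project.archived?`. The comment block is registered with `Canaid::Permissions.register_for(Comment)` while the controller hunks pass a `ProjectComment`, which only works if Canaid resolves that class to this registration (e.g. through inheritance), something this diff does not show. The file ends inside the next source line, so its closing `end` lines are outside this span.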
@@ -11,15 +11,13 @@ data-module-conns="<%= construct_module_connections(my_module) %>" data-module-tags-url="<%= my_module_my_module_tags_url(my_module, format: :json) %>"> - <% if can_edit_tags_for_module(my_module) %> + <% if can_create_or_manage_tags?(my_module.experiment.project) %> - <% else %> - - <% end %> - <%= render partial: "canvas/tags.html.erb", locals: { my_module: my_module } %> - <% if can_edit_tags_for_module(my_module) %> + <%= render partial: "canvas/tags.html.erb", locals: { my_module: my_module } %> <% else %> + + <%= render partial: "canvas/tags.html.erb", locals: { my_module: my_module } %> <% end %> diff --git a/app/views/experiments/canvas.html.erb b/app/views/experiments/canvas.html.erb index 279c5c3b6..e6eb3409f 100644 --- a/app/views/experiments/canvas.html.erb +++ b/app/views/experiments/canvas.html.erb @@ -43,7 +43,7 @@ - <% if can_create_experiment(@project) && @experiment.active? %> + <% if can_create_experiment?(@project) %> <%= link_to new_project_experiment_url(@project), remote: true, type: "button", diff --git a/app/views/my_module_tags/_index_edit.html.erb b/app/views/my_module_tags/_index_edit.html.erb index cb1fafd2d..b8ccf9f11 100644 --- a/app/views/my_module_tags/_index_edit.html.erb +++ b/app/views/my_module_tags/_index_edit.html.erb @@ -11,17 +11,13 @@
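Review bot: The canvas condition drops `&& @experiment.active?` as if `can_create_experiment?` covered it, but the `project.active?` block added in app/permissions/project.rb checks the project, not the experiment, so the new-experiment link is now rendered on the canvas of an archived experiment whose project is still active. Keep the experiment-level check in the view: `<% if can_create_experiment?(@project) && @experiment.active? %>`. The surrounding template is outside the hunk, so I can't see whether the link is suppressed elsewhere.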

<%= tag.name %>

- <% if can_edit_tag(@my_module.experiment.project) then %> + <% if can_create_or_manage_tags?(@my_module.experiment.project) then %> <%= link_to "", remote: true, class: 'btn btn-link edit-tag-link', title: t("experiments.canvas.modal_manage_tags.edit_tag") do %> <% end %> - <% end %> - <% if can_remove_tag_from_module(@my_module) then %> <%= link_to my_module_my_module_tag_path(@my_module, mmt, format: :json), method: :delete, remote: true, class: 'btn btn-link remove-tag-link', title: t("experiments.canvas.modal_manage_tags.remove_tag", module: @my_module.name) do %> <% end %> - <% end %> - <% if can_delete_tag(@my_module.experiment.project) then %> <%= bootstrap_form_for tag, remote: true, url: project_tag_path(@my_module.experiment.project, tag, format: :json), method: :delete, html: { class: "delete-tag-form"} do |f| %> <%= hidden_field_tag :my_module_id, @my_module.id %> <%= f.button class: 'btn btn-link delete-tag-link', title: t("experiments.canvas.modal_manage_tags.delete_tag") do %> @@ -32,7 +28,7 @@
- <% if can_edit_tag(@my_module.experiment.project) %> + <% if can_create_or_manage_tags?(@my_module.experiment.project) %>