From 321ddc29160954738ee143a8b8a7c8ac3f6ecc4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Zrim=C5=A1ek?= Date: Fri, 19 Jan 2018 18:25:58 +0100 Subject: [PATCH 01/12] Grouped existing project permissions and used 'canaid' gem. --- .../project_activities_controller.rb | 2 +- .../project_comments_controller.rb | 8 +- app/controllers/projects_controller.rb | 10 +- app/controllers/reports_controller.rb | 6 +- app/controllers/tags_controller.rb | 6 +- app/controllers/user_projects_controller.rb | 8 +- app/helpers/permission_helper.rb | 112 +----------------- app/models/concerns/user/project_roles.rb | 2 +- app/permissions/project.rb | 40 +++++++ app/views/experiments/canvas.html.erb | 2 +- app/views/my_module_tags/_index_edit.html.erb | 8 +- app/views/project_comments/_comment.html.erb | 6 +- app/views/project_comments/_index.html.erb | 2 +- app/views/projects/index/_project.html.erb | 22 ++-- app/views/projects/show.html.erb | 4 +- app/views/reports/index.html.erb | 4 +- .../results/partials/_project_text.html.erb | 4 +- .../results/partials/_report_text.html.erb | 2 +- .../shared/_secondary_navigation.html.erb | 20 ++-- app/views/user_projects/_index.html.erb | 2 +- 20 files changed, 100 insertions(+), 170 deletions(-) create mode 100644 app/permissions/project.rb diff --git a/app/controllers/project_activities_controller.rb b/app/controllers/project_activities_controller.rb index 79992ea24..639f71209 100644 --- a/app/controllers/project_activities_controller.rb +++ b/app/controllers/project_activities_controller.rb @@ -26,7 +26,7 @@ class ProjectActivitiesController < ApplicationController end def check_view_permissions - unless can_view_project_activities(@project) + unless can_read_project?(@project) render_403 end end diff --git a/app/controllers/project_comments_controller.rb b/app/controllers/project_comments_controller.rb index c4007c94e..90f19159a 100644 --- a/app/controllers/project_comments_controller.rb 
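Review bot: `can_read_project?` is a broader gate than the `can_view_project_activities` it replaces in `check_view_permissions`: the removed helper (permission_helper hunk later in this patch) required `is_member_of_project`, while the new `read_project` rule in app/permissions/project.rb also admits team admins and, for `project.visible?` projects, any team member, so the activity feed becomes readable by users who were never project members. The same collapse happens in projects_controller, where `check_experiment_archive_permissions` drops from `is_user_or_higher_of_project` to `can_read_project?`, and in the secondary-navigation, reports and search-result views. If the widening is intended it deserves a sentence in the commit message; otherwise a narrower rule built on the per-project role predicates the canaid file already calls (`is_user_or_higher_of_project?` and friends) keeps the old boundary.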
+++ b/app/controllers/project_comments_controller.rb @@ -171,25 +171,25 @@ class ProjectCommentsController < ApplicationController end def check_view_permissions - unless can_view_project_comments(@project) + unless can_read_project?(@project) render_403 end end def check_add_permissions - unless can_add_comment_to_project(@project) + unless can_add_comment_to_project?(@project) render_403 end end def check_edit_permissions @comment = ProjectComment.find_by_id(params[:id]) - render_403 unless @comment.present? && can_edit_project_comment(@comment) + render_403 unless @comment.present? && can_update_or_delete_project_comment?(@comment) end def check_destroy_permissions @comment = ProjectComment.find_by_id(params[:id]) - render_403 unless @comment.present? && can_delete_project_comment(@comment) + render_403 unless @comment.present? && can_update_or_delete_project_comment?(@comment) end def comment_params diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index d169017ac..2ed6cc89b 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -119,8 +119,8 @@ class ProjectsController < ApplicationController # Check archive permissions if archiving/restoring if project_params.include? :archive - if (project_params[:archive] and !can_archive_project(@project)) or - (!project_params[:archive] and !can_restore_project(@project)) + if (project_params[:archive] and !can_update_project?(@project)) or + (!project_params[:archive] and !can_restore_project?(@project)) return_error = true is_archive = URI(request.referer).path == projects_archive_path ? "restore" : "archive" flash_error = t("projects.#{is_archive}.error_flash", name: @project.name) @@ -318,7 +318,7 @@ class ProjectsController < ApplicationController end def check_view_permissions - unless can_view_project(@project) + unless can_read_project?(@project) render_403 end end 
@@ -328,7 +328,7 @@ class ProjectsController < ApplicationController end def check_view_notifications_permissions - unless can_view_project_notifications(@project) + unless can_read_project?(@project) render_403 end end @@ -340,7 +340,7 @@ class ProjectsController < ApplicationController end def check_experiment_archive_permissions - render_403 unless can_view_project_archive(@project) + render_403 unless can_read_project?(@project) end def choose_layout diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb index 7a544e972..7944d6884 100644 --- a/app/controllers/reports_controller.rb +++ b/app/controllers/reports_controller.rb @@ -447,15 +447,15 @@ class ReportsController < ApplicationController end def check_view_permissions - render_403 unless can_view_reports(@project) + render_403 unless can_read_project?(@project) end def check_create_permissions - render_403 unless can_create_new_report(@project) + render_403 unless can_manage_reports?(@project) end def check_destroy_permissions - render_403 unless can_delete_reports(@project) + render_403 unless can_manage_reports?(@project) render_404 unless params.include? :report_ids end diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb index 1df5da37e..720681c2c 100644 --- a/app/controllers/tags_controller.rb +++ b/app/controllers/tags_controller.rb @@ -144,19 +144,19 @@ class TagsController < ApplicationController # Currently unimplemented def check_create_permissions - unless can_create_new_tag(@project) + unless can_manage_tags?(@project) render_403 end end def check_update_permissions - unless can_edit_tag(@project) + unless can_manage_tags?(@project) render_403 end end def check_destroy_permissions - unless can_delete_tag(@project) + unless can_manage_tags?(@project) render_403 end end diff --git a/app/controllers/user_projects_controller.rb b/app/controllers/user_projects_controller.rb index 779d2479d..83d70cd7a 100644 
--- a/app/controllers/user_projects_controller.rb +++ b/app/controllers/user_projects_controller.rb @@ -181,19 +181,19 @@ class UserProjectsController < ApplicationController end def check_view_tab_permissions - unless can_view_project_users(@project) + unless can_read_project?(@project) render_403 end end def check_view_permissions - unless can_edit_users_on_project(@project) + unless can_update_project?(@project) render_403 end end def check_create_permissions - unless can_add_user_to_project(@project) + unless can_update_project?(@project) render_403 end end @@ -210,7 +210,7 @@ class UserProjectsController < ApplicationController unless params[:id] != current_user.id render_403 end - unless can_remove_user_from_project(@project) + unless can_update_project?(@project) render_403 end end diff --git a/app/helpers/permission_helper.rb b/app/helpers/permission_helper.rb index cb583af18..4b8c4c847 100644 --- a/app/helpers/permission_helper.rb +++ b/app/helpers/permission_helper.rb @@ -43,33 +43,15 @@ module PermissionHelper # ---- Almost everything is disabled for archived projects ---- around [ :can_view_project, - :can_view_project_activities, - :can_view_project_users, - :can_view_project_notifications, - :can_view_project_comments, :can_edit_project, - :can_archive_project, - :can_add_user_to_project, - :can_remove_user_from_project, - :can_edit_users_on_project, - :can_add_comment_to_project, :can_restore_archived_modules, - :can_view_project_samples, - :can_view_project_archive, - :can_create_new_tag, - :can_edit_tag, - :can_delete_tag, :can_edit_canvas, :can_reposition_modules, :can_edit_connections, :can_create_modules, :can_edit_modules, :can_clone_modules, - :can_archive_modules, - :can_view_reports, - :can_create_new_report, - :can_delete_reports, - :can_create_experiment + :can_archive_modules ] do |proxy, *args, &block| if args[0] project = args[0] 
@@ -267,90 +249,14 @@ module PermissionHelper (project.visible? and is_member_of_team(project.team)) end - def can_view_project_activities(project) - is_member_of_project(project) - end - - def can_view_project_users(project) - can_view_project(project) - end - - def can_view_project_notifications(project) - can_view_project(project) - end - - def can_view_project_comments(project) - can_view_project(project) - end - def can_edit_project(project) is_owner_of_project(project) end - def can_archive_project(project) - is_owner_of_project(project) - end - - def can_restore_project(project) - project.archived? && is_owner_of_project(project) - end - - def can_add_user_to_project(project) - is_owner_of_project(project) - end - - def can_remove_user_from_project(project) - is_owner_of_project(project) - end - - def can_edit_users_on_project(project) - is_owner_of_project(project) - end - - def can_add_comment_to_project(project) - is_technician_or_higher_of_project(project) - end - - def can_edit_project_comment(comment) - comment.project.present? && - ( - comment.user == current_user || - is_owner_of_project(comment.project) - ) - end - - def can_delete_project_comment(comment) - comment.project.present? && - ( - comment.user == current_user || - is_owner_of_project(comment.project) - ) - end - def can_restore_archived_modules(project) is_user_or_higher_of_project(project) end - def can_view_project_samples(project) - can_view_project(project) - end - - def can_view_project_archive(project) - is_user_or_higher_of_project(project) - end - - def can_create_new_tag(project) - is_user_or_higher_of_project(project) - end - - def can_edit_tag(project) - is_user_or_higher_of_project(project) - end - - def can_delete_tag(project) - is_user_or_higher_of_project(project) - end - # ---- EXPERIMENT PERMISSIONS ---- def can_view_experiment_actions(experiment) 
@@ -358,10 +264,6 @@ module PermissionHelper can_archive_experiment(experiment) end - def can_create_experiment(project) - is_user_or_higher_of_project(project) - end - def can_edit_experiment(experiment) is_user_or_higher_of_project(experiment.project) end @@ -614,18 +516,6 @@ module PermissionHelper # ---- REPORTS PERMISSIONS ---- - def can_view_reports(project) - can_view_project(project) - end - - def can_create_new_report(project) - is_technician_or_higher_of_project(project) - end - - def can_delete_reports(project) - is_technician_or_higher_of_project(project) - end - # ---- SAMPLE PERMISSIONS ---- # def can_create_samples(team) diff --git a/app/models/concerns/user/project_roles.rb b/app/models/concerns/user/project_roles.rb index db2100993..c20d2da55 100644 --- a/app/models/concerns/user/project_roles.rb +++ b/app/models/concerns/user/project_roles.rb @@ -57,4 +57,4 @@ module User::ProjectRoles def is_viewer_of_project?(project) @user_project.viewer? end -end \ No newline at end of file +end diff --git a/app/permissions/project.rb b/app/permissions/project.rb new file mode 100644 index 000000000..ca88a8a63 --- /dev/null +++ b/app/permissions/project.rb 
@@ -0,0 +1,40 @@ +Canaid::Permissions.register_for(Project) do + can :read_project do |user, project| + user.is_user_or_higher_of_project?(project) || + user.is_admin_of_team?(project.team) || + (project.visible? && user.is_member_of_team?(project.team)) + end + + can :update_project do |user, project| + user.is_owner_of_project?(project) + end + + can :restore_project do |user, project| + can_update_project?(user, project) && project.archived? + end + + can :create_experiment do |user, project| + user.is_user_or_higher_of_project?(project) + end + + can :add_comment_to_project do |user, project| + user.is_technician_or_higher_of_project?(project) + end + + # create, update, delete + can :manage_tags do |user, project| + user.is_user_or_higher_of_project?(project) + end + + # create, update, delete + can :manage_reports do |user, project| + user.is_technician_or_higher_of_project?(project) + end +end + +Canaid::Permissions.register_for(Comment) do + can :update_or_delete_project_comment do |user, comment| + comment.project.present? && (comment.user == user || + can_update_project?(user, comment.project)) + end +end diff --git a/app/views/experiments/canvas.html.erb b/app/views/experiments/canvas.html.erb index 279c5c3b6..b71d827ee 100644 --- a/app/views/experiments/canvas.html.erb +++ b/app/views/experiments/canvas.html.erb @@ -43,7 +43,7 @@ - <% if can_create_experiment(@project) && @experiment.active? %> + <% if can_create_experiment?(@project) && @experiment.active? %> <%= link_to new_project_experiment_url(@project), remote: true, type: "button", diff --git a/app/views/my_module_tags/_index_edit.html.erb b/app/views/my_module_tags/_index_edit.html.erb index cb1fafd2d..0a33a6ff9 100644 --- a/app/views/my_module_tags/_index_edit.html.erb +++ b/app/views/my_module_tags/_index_edit.html.erb @@ -11,7 +11,7 @@
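Review bot: None of these rules carries the archived-project restriction that the removed helpers inherited from the `around` wrapper in permission_helper (this patch drops `can_archive_project`, `can_create_new_tag`, `can_create_new_report` and the others from that list), so `update_project`, `create_experiment`, `manage_tags` and `manage_reports` now succeed on archived projects for anyone holding the role. `restore_project` is the one rule that must keep working on archived projects, so a `project.active?` condition belongs on the other rules individually rather than in a blanket wrapper. A short header comment stating which rules are archive-sensitive would also help, since the file has no documentation beyond the two `# create, update, delete` lines.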

<%= tag.name %>

- <% if can_edit_tag(@my_module.experiment.project) then %> + <% if can_manage_tags?(@my_module.experiment.project) then %> <%= link_to "", remote: true, class: 'btn btn-link edit-tag-link', title: t("experiments.canvas.modal_manage_tags.edit_tag") do %> <% end %> @@ -21,7 +21,7 @@ <% end %> <% end %> - <% if can_delete_tag(@my_module.experiment.project) then %> + <% if can_manage_tags?(@my_module.experiment.project) then %> <%= bootstrap_form_for tag, remote: true, url: project_tag_path(@my_module.experiment.project, tag, format: :json), method: :delete, html: { class: "delete-tag-form"} do |f| %> <%= hidden_field_tag :my_module_id, @my_module.id %> <%= f.button class: 'btn btn-link delete-tag-link', title: t("experiments.canvas.modal_manage_tags.delete_tag") do %> @@ -32,7 +32,7 @@
- <% if can_edit_tag(@my_module.experiment.project) %> + <% if can_manage_tags?(@my_module.experiment.project) %> <% end %> <% end %> - <% if can_create_new_tag(@my_module.experiment.project) then %> + <% if can_manage_tags?(@my_module.experiment.project) then %>
<%= bootstrap_form_for [@my_module.experiment.project, @new_tag], remote: true, format: :json, html: { class: 'add-tag-form' } do |f| %> <%= hidden_field_tag :my_module_id, @my_module.id %> diff --git a/app/views/project_comments/_comment.html.erb b/app/views/project_comments/_comment.html.erb index 33a53f28f..a7ee0b210 100644 --- a/app/views/project_comments/_comment.html.erb +++ b/app/views/project_comments/_comment.html.erb @@ -1,6 +1,6 @@
<%= l comment.created_at, format: '%H:%M' %> - <% if can_edit_project_comment(comment) || can_delete_project_comment(comment) %> + <% if can_update_or_delete_project_comment?(comment) %> - <% if can_create_experiment(@project) %> + <% if can_create_experiment?(@project) %> <%= link_to new_project_experiment_url(@project), remote: true, type: "button", @@ -51,7 +51,7 @@ <%= content_tag(:div, '', class: 'clearfix visible-lg-block') if (index + 1) % 2 == 0 %> <% end %> - <% if can_create_experiment(@project) %> + <% if can_create_experiment?(@project) %> <%= render 'projects/show/new_experiment' %> <% end %>
diff --git a/app/views/reports/index.html.erb b/app/views/reports/index.html.erb index 88dfe5ee0..980bb37ea 100644 --- a/app/views/reports/index.html.erb +++ b/app/views/reports/index.html.erb @@ -4,7 +4,7 @@
- <% if can_create_new_report(@project) %> + <% if can_manage_reports?(@project) %> <%= link_to new_project_reports_path(@project), class: 'btn btn-primary', id: 'new-report-btn', 'data-no-turbolink' => true do %> @@ -14,7 +14,7 @@ <% end %> - <% if can_delete_reports(@project) %> + <% if can_manage_reports?(@project) %> <%= link_to "", remote: true, class: "btn btn-default", id: "delete-reports-btn" do %> diff --git a/app/views/search/results/partials/_project_text.html.erb b/app/views/search/results/partials/_project_text.html.erb index 1ce47e429..c654e1593 100644 --- a/app/views/search/results/partials/_project_text.html.erb +++ b/app/views/search/results/partials/_project_text.html.erb @@ -4,7 +4,7 @@ <% if project.archived? %> <%=t 'search.index.archived' %> - <% if can_read_team?(project.team) and can_restore_project(project) %> + <% if can_read_team?(project.team) and can_restore_project?(project) %> <%= route_to_other_team projects_archive_path(team: project.team), project.team, text %> @@ -12,7 +12,7 @@ <%= text %> <% end %> <% else %> - <% if can_view_project(project) %> + <% if can_read_project?(project) %> <% if link_to_page == :show %> <%= route_to_other_team project_path(project), project.team, diff --git a/app/views/search/results/partials/_report_text.html.erb b/app/views/search/results/partials/_report_text.html.erb index 67917099b..3db68b78e 100644 --- a/app/views/search/results/partials/_report_text.html.erb +++ b/app/views/search/results/partials/_report_text.html.erb @@ -1,7 +1,7 @@ <% query ||= nil %> <% text = query.present? ? highlight(report.name, query.strip.split(/\s+/)) : report.name %> -<% if can_view_reports(report.project) %> +<% if can_read_project?(report.project) %> <%= route_to_other_team edit_project_report_path(report.project, report), report.project.team, text %> diff --git a/app/views/shared/_secondary_navigation.html.erb b/app/views/shared/_secondary_navigation.html.erb index 1824d3b92..b45e88eed 100644 
--- a/app/views/shared/_secondary_navigation.html.erb +++ b/app/views/shared/_secondary_navigation.html.erb @@ -30,11 +30,11 @@ <% else %>
  • - <% if can_view_project(@project) %> + <% if can_read_project?(@project) %> <% end %> - <% if can_view_project(@project) %> + <% if can_read_project?(@project) %> <% end %>
  • @@ -73,7 +73,7 @@ <% if project_page? || sample_types_page_project? || sample_groups_page_project? %> - <% if can_view_project(@project) then %> + <% if can_read_project?(@project) then %>
  • "> "> @@ -81,7 +81,7 @@
  • <% end %> - <% if can_view_project_samples(@project) then %> + <% if can_read_project?(@project) then %>
  • "> @@ -91,7 +91,7 @@
  • <% end %> - <% if can_view_reports(@project) then %> + <% if can_read_project?(@project) then %>
  • "> "> @@ -99,7 +99,7 @@
  • <% end %> - <% if can_view_project_archive(@project) then %> + <% if can_read_project?(@project) then %>
  • "> "> @@ -128,7 +128,7 @@
  • <% end %> - <% if can_view_reports(@experiment.project) then %> + <% if can_read_project?(@experiment.project) then %>
  • "> "> @@ -184,7 +184,7 @@
  • <% end %> - <% if can_view_reports(@my_module.experiment.project) then %> + <% if can_read_project?(@my_module.experiment.project) then %>
  • "> @@ -246,12 +246,12 @@
  • <% else %>
  • - <% if can_view_project(@project) %> + <% if can_read_project?(@project) %> <% end %> <%= truncate(@project.name, length: Constants::NAME_TRUNCATION_LENGTH) %> - <% if can_view_project(@project) %> + <% if can_read_project?(@project) %> <% end %>
  • diff --git a/app/views/user_projects/_index.html.erb b/app/views/user_projects/_index.html.erb index be9a9f2b7..ffcf03a51 100644 --- a/app/views/user_projects/_index.html.erb +++ b/app/views/user_projects/_index.html.erb @@ -20,7 +20,7 @@ <% end %> <% end %> -<% if can_edit_users_on_project(@project) %> +<% if can_update_project?(@project) %>


    <%= link_to t("projects.index.manage_users"), project_users_edit_path(@project, format: :json), class: "manage-users-link", remote: true %> From d423700e84e10c8f362624fba58a5560f1e7022b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Zrim=C5=A1ek?= Date: Mon, 22 Jan 2018 16:25:53 +0100 Subject: [PATCH 02/12] Used permissions where they were missing. --- app/controllers/my_module_tags_controller.rb | 19 ++----- app/controllers/projects_controller.rb | 2 +- app/controllers/reports_controller.rb | 4 +- app/controllers/tags_controller.rb | 23 ++------ app/helpers/permission_helper.rb | 20 ------- app/permissions/project.rb | 2 +- app/views/canvas/_tags.html.erb | 4 +- .../canvas/full_zoom/_my_module.html.erb | 4 +- .../canvas/medium_zoom/_my_module.html.erb | 4 +- app/views/my_module_tags/_index_edit.html.erb | 8 +-- app/views/my_modules/_module_header.html.erb | 4 +- app/views/projects/index.html.erb | 54 ++++++++++--------- app/views/projects/index/_project.html.erb | 44 +++++---------- app/views/reports/index.html.erb | 10 ++-- .../reports/new/_report_navigation.html.erb | 24 +++++---- app/views/users/settings/teams/show.html.erb | 12 +++-- 16 files changed, 87 insertions(+), 151 deletions(-) diff --git a/app/controllers/my_module_tags_controller.rb b/app/controllers/my_module_tags_controller.rb index 7946f36dd..86f230a6c 100644 --- a/app/controllers/my_module_tags_controller.rb +++ b/app/controllers/my_module_tags_controller.rb @@ -1,8 +1,7 @@ class MyModuleTagsController < ApplicationController before_action :load_vars before_action :check_view_permissions, only: [:index_edit, :index] - before_action :check_create_permissions, only: [:create] - before_action :check_destroy_permissions, only: [:destroy] + before_action :check_manage_permissions, only: %i(create destroy) def index_edit @my_module_tags = @my_module.my_module_tags 
@@ -75,21 +74,11 @@ class MyModuleTagsController < ApplicationController end def check_view_permissions - unless can_edit_tags_for_module(@my_module) - render_403 - end + render_403 unless can_read_project?(@my_module.experiment.project) end - def check_create_permissions - unless can_add_tag_to_module(@my_module) - render_403 - end - end - - def check_destroy_permissions - unless can_remove_tag_from_module(@my_module) - render_403 - end + def check_manage_permissions + render_403 unless can_manage_tags?(@my_module.experiment.project) end def init_gui diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 2ed6cc89b..0fea7561f 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -334,7 +334,7 @@ class ProjectsController < ApplicationController end def check_edit_permissions - unless can_edit_project(@project) + unless can_update_project?(@project) render_403 end end diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb index 7944d6884..c8d4baae4 100644 --- a/app/controllers/reports_controller.rb +++ b/app/controllers/reports_controller.rb @@ -47,7 +47,7 @@ class ReportsController < ApplicationController :step_contents, :result_contents ] - before_action :check_destroy_permissions, only: :destroy + before_action :check_manage_permissions, only: %i(edit update destroy) layout 'fluid' @@ -454,7 +454,7 @@ class ReportsController < ApplicationController render_403 unless can_manage_reports?(@project) end - def check_destroy_permissions + def check_manage_permissions render_403 unless can_manage_reports?(@project) render_404 unless params.include? :report_ids end diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb index 720681c2c..2cdab52e4 100644 --- a/app/controllers/tags_controller.rb +++ b/app/controllers/tags_controller.rb 
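Review bot: In reports_controller, `check_manage_permissions` now runs before `edit` and `update` as well as `destroy` but keeps `render_404 unless params.include? :report_ids`; that parameter belongs to the bulk-destroy form, so a single-report `edit`/`update` request will presumably be answered with 404 unless those forms also send it. Keep the permission check shared and move the parameter check back to a destroy-only filter, e.g. `before_action :check_destroy_params, only: :destroy` with `def check_destroy_params; render_404 unless params.include? :report_ids; end`. The body of the controller around these hunks is outside the patch, so the actual form parameters should be confirmed.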
@@ -1,9 +1,7 @@ class TagsController < ApplicationController before_action :load_vars, only: [:create, :update, :destroy] before_action :load_vars_nested, only: [:update, :destroy] - before_action :check_create_permissions, only: [:create] - before_action :check_update_permissions, only: [:update] - before_action :check_destroy_permissions, only: [:destroy] + before_action :check_manage_permissions, only: %i(create update destroy) def create @tag = Tag.new(tag_params) @@ -142,23 +140,8 @@ class TagsController < ApplicationController end end - # Currently unimplemented - def check_create_permissions - unless can_manage_tags?(@project) - render_403 - end - end - - def check_update_permissions - unless can_manage_tags?(@project) - render_403 - end - end - - def check_destroy_permissions - unless can_manage_tags?(@project) - render_403 - end + def check_manage_permissions + render_403 unless can_manage_tags?(@project) end def tag_params diff --git a/app/helpers/permission_helper.rb b/app/helpers/permission_helper.rb index 4b8c4c847..25f9f2007 100644 --- a/app/helpers/permission_helper.rb +++ b/app/helpers/permission_helper.rb @@ -43,7 +43,6 @@ module PermissionHelper # ---- Almost everything is disabled for archived projects ---- around [ :can_view_project, - :can_edit_project, :can_restore_archived_modules, :can_edit_canvas, :can_reposition_modules, @@ -69,9 +68,6 @@ module PermissionHelper # commented out or that functionality will not work any more. #:can_edit_module, :can_archive_module, - :can_edit_tags_for_module, - :can_add_tag_to_module, - :can_remove_tag_from_module, :can_view_module_info, :can_view_module_users, :can_edit_users_on_module, @@ -249,10 +245,6 @@ module PermissionHelper (project.visible? and is_member_of_team(project.team)) end - def can_edit_project(project) - is_owner_of_project(project) - end - def can_restore_archived_modules(project) is_user_or_higher_of_project(project) end 
@@ -350,18 +342,6 @@ module PermissionHelper is_user_or_higher_of_project(my_module.experiment.project) end - def can_edit_tags_for_module(my_module) - is_user_or_higher_of_project(my_module.experiment.project) - end - - def can_add_tag_to_module(my_module) - is_user_or_higher_of_project(my_module.experiment.project) - end - - def can_remove_tag_from_module(my_module) - is_user_or_higher_of_project(my_module.experiment.project) - end - def can_view_module_info(my_module) can_view_project(my_module.experiment.project) end diff --git a/app/permissions/project.rb b/app/permissions/project.rb index ca88a8a63..865f06315 100644 --- a/app/permissions/project.rb +++ b/app/permissions/project.rb @@ -35,6 +35,6 @@ end Canaid::Permissions.register_for(Comment) do can :update_or_delete_project_comment do |user, comment| comment.project.present? && (comment.user == user || - can_update_project?(user, comment.project)) + user.is_owner_of_project?(project)) end end diff --git a/app/views/canvas/_tags.html.erb b/app/views/canvas/_tags.html.erb index dfc6d1ade..f6a57528b 100644 --- a/app/views/canvas/_tags.html.erb +++ b/app/views/canvas/_tags.html.erb @@ -13,8 +13,8 @@ <%= my_module.tags.count %> <% else %> - "> + "> + <% end %> -
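Review bot: In the app/permissions/project.rb hunk, the `update_or_delete_project_comment` block is declared with `|user, comment|`, so `user.is_owner_of_project?(project)` refers to a name that is not in scope and should raise NameError for any comment whose author is not the current user (the `||` short-circuits for the author's own comments, which is why it may pass a quick manual test). The line should read `user.is_owner_of_project?(comment.project)`. The same context line is still present unchanged in the PATCH 07 hunk that touches this block, so the fix has not landed later in the series either.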
    \ No newline at end of file +
    diff --git a/app/views/canvas/full_zoom/_my_module.html.erb b/app/views/canvas/full_zoom/_my_module.html.erb index 3a3fcbdc0..01ba64362 100644 --- a/app/views/canvas/full_zoom/_my_module.html.erb +++ b/app/views/canvas/full_zoom/_my_module.html.erb @@ -12,13 +12,13 @@ data-module-tags-url="<%= my_module_my_module_tags_url(my_module, format: :json) %>" data-module-users-tab-url="<%= my_module_user_my_modules_url(my_module_id: my_module.id, format: :json) %>"> - <% if can_edit_tags_for_module(my_module) %> + <% if can_manage_tags?(my_module.experiment.project) %> <% else %> <% end %> <%= render partial: "canvas/tags.html.erb", locals: { my_module: my_module } %> - <% if can_edit_tags_for_module(my_module) %> + <% if can_manage_tags?(my_module.experiment.project) %> <% else %> diff --git a/app/views/canvas/medium_zoom/_my_module.html.erb b/app/views/canvas/medium_zoom/_my_module.html.erb index c043ee39c..6fb01d258 100644 --- a/app/views/canvas/medium_zoom/_my_module.html.erb +++ b/app/views/canvas/medium_zoom/_my_module.html.erb @@ -11,13 +11,13 @@ data-module-conns="<%= construct_module_connections(my_module) %>" data-module-tags-url="<%= my_module_my_module_tags_url(my_module, format: :json) %>"> - <% if can_edit_tags_for_module(my_module) %> + <% if can_manage_tags?(my_module.experiment.project) %> <% else %> <% end %> <%= render partial: "canvas/tags.html.erb", locals: { my_module: my_module } %> - <% if can_edit_tags_for_module(my_module) %> + <% if can_manage_tags?(my_module.experiment.project) %> <% else %> diff --git a/app/views/my_module_tags/_index_edit.html.erb b/app/views/my_module_tags/_index_edit.html.erb index 0a33a6ff9..edd3507bc 100644 --- a/app/views/my_module_tags/_index_edit.html.erb +++ b/app/views/my_module_tags/_index_edit.html.erb 
@@ -15,13 +15,9 @@ <%= link_to "", remote: true, class: 'btn btn-link edit-tag-link', title: t("experiments.canvas.modal_manage_tags.edit_tag") do %> <% end %> - <% end %> - <% if can_remove_tag_from_module(@my_module) then %> <%= link_to my_module_my_module_tag_path(@my_module, mmt, format: :json), method: :delete, remote: true, class: 'btn btn-link remove-tag-link', title: t("experiments.canvas.modal_manage_tags.remove_tag", module: @my_module.name) do %> <% end %> - <% end %> - <% if can_manage_tags?(@my_module.experiment.project) then %> <%= bootstrap_form_for tag, remote: true, url: project_tag_path(@my_module.experiment.project, tag, format: :json), method: :delete, html: { class: "delete-tag-form"} do |f| %> <%= hidden_field_tag :my_module_id, @my_module.id %> <%= f.button class: 'btn btn-link delete-tag-link', title: t("experiments.canvas.modal_manage_tags.delete_tag") do %> @@ -59,7 +55,7 @@
    - <% if can_add_tag_to_module(@my_module) then %> + <% if can_manage_tags?(@my_module.experiment.project) then %> <%= bootstrap_form_for [@my_module, @new_mmt], remote: true, format: :json, html: { class: 'add-tag-form' } do |f| %>
    @@ -77,8 +73,6 @@
    <% end %> - <% end %> - <% if can_manage_tags?(@my_module.experiment.project) then %>
    <%= bootstrap_form_for [@my_module.experiment.project, @new_tag], remote: true, format: :json, html: { class: 'add-tag-form' } do |f| %> <%= hidden_field_tag :my_module_id, @my_module.id %> diff --git a/app/views/my_modules/_module_header.html.erb b/app/views/my_modules/_module_header.html.erb index d8a07bf98..139f38865 100644 --- a/app/views/my_modules/_module_header.html.erb +++ b/app/views/my_modules/_module_header.html.erb @@ -52,11 +52,11 @@
    - <% if can_edit_tags_for_module(@my_module) %> + <% if can_manage_tags?(@my_module.experiment.project) %> <% end %> - <% if can_edit_tags_for_module(@my_module) %> + <% if can_manage_tags?(@my_module.experiment.project) %> <% end %>
    diff --git a/app/views/projects/index.html.erb b/app/views/projects/index.html.erb index fd4eb4afc..070312944 100644 --- a/app/views/projects/index.html.erb +++ b/app/views/projects/index.html.erb @@ -1,43 +1,47 @@ <% provide(:head_title, t("projects.index.head_title")) %> - - @@ -80,8 +75,6 @@ - <% end %> - <% if can_read_project?(@project) then %>
  • "> @@ -90,16 +83,12 @@
  • - <% end %> - <% if can_read_project?(@project) then %>
  • "> ">
  • - <% end %> - <% if can_read_project?(@project) then %>
  • "> "> @@ -232,11 +221,12 @@
  • <% if can_read_team?(@project.team) %> - <% end %> - <%= truncate(@project.team.name, - length: Constants::NAME_TRUNCATION_LENGTH) %> - <% if can_read_team?(@project.team) %> + <%= truncate(@project.team.name, + length: Constants::NAME_TRUNCATION_LENGTH) %> + <% else %> + <%= truncate(@project.team.name, + length: Constants::NAME_TRUNCATION_LENGTH) %> <% end %>
  • <% if project_page? %> @@ -248,11 +238,12 @@
  • <% if can_read_project?(@project) %> - <% end %> - <%= truncate(@project.name, - length: Constants::NAME_TRUNCATION_LENGTH) %> - <% if can_read_project?(@project) %> + <%= truncate(@project.name, + length: Constants::NAME_TRUNCATION_LENGTH) %> + <% else %> + <%= truncate(@project.name, + length: Constants::NAME_TRUNCATION_LENGTH) %> <% end %>
  • <% end %> From 93536afcd58e52da469a9599d91e98b98aaa864d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matej=20Zrim=C5=A1ek?= Date: Fri, 2 Feb 2018 18:48:55 +0100 Subject: [PATCH 07/12] Renamed permission 'update_project' to 'manage_project'. Some permissions fixes; added them in some places where they were missing. --- app/controllers/projects_controller.rb | 8 +++---- app/controllers/user_projects_controller.rb | 10 ++++---- app/permissions/project.rb | 22 ++++++++--------- app/views/projects/index.html.erb | 26 ++++++++++----------- app/views/projects/index/_project.html.erb | 2 +- app/views/user_projects/_index.html.erb | 4 ++-- 6 files changed, 36 insertions(+), 36 deletions(-) diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 33a9d2ef5..e04f74f7c 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -12,7 +12,7 @@ class ProjectsController < ApplicationController samples experiment_archive samples_index) before_action :check_create_permissions, only: [ :new, :create ] - before_action :check_edit_permissions, only: [ :edit ] + before_action :check_manage_permissions, only: %i(edit update) @filter_by_archived = false @@ -116,7 +116,7 @@ class ProjectsController < ApplicationController # Check archive permissions if archiving/restoring if project_params.include? :archive - if (project_params[:archive] && !can_update_project?(@project)) || + if (project_params[:archive] && !can_manage_project?(@project)) || (!project_params[:archive] && !can_restore_project?(@project)) return_error = true is_archive = URI(request.referer).path == projects_archive_path ? "restore" : "archive" 
@@ -322,8 +322,8 @@ class ProjectsController < ApplicationController render_403 unless can_create_projects?(current_team) end - def check_edit_permissions - render_403 unless can_update_project?(@project) + def check_manage_permissions + render_403 unless can_manage_project?(@project) end def choose_layout diff --git a/app/controllers/user_projects_controller.rb b/app/controllers/user_projects_controller.rb index 508d38884..507c98da2 100644 --- a/app/controllers/user_projects_controller.rb +++ b/app/controllers/user_projects_controller.rb @@ -6,7 +6,7 @@ class UserProjectsController < ApplicationController before_action :check_view_permissions, only: :index before_action :check_manage_users_permissions, only: :index_edit before_action :check_create_permissions, only: :create - before_action :check_update_permisisons, only: %i(update destroy) + before_action :check_manage_permisisons, only: %i(update destroy) def index @users = @project.user_projects @@ -183,16 +183,16 @@ class UserProjectsController < ApplicationController end def check_manage_users_permissions - render_403 unless can_update_project?(@project) + render_403 unless can_manage_project?(@project) end def check_create_permissions render_403 unless can_create_projects?(current_team) end - def check_update_permisisons - render_403 unless can_update_project?(@project) || - params[:id] != current_user.id + def check_manage_permisisons + render_403 unless can_manage_project?(@project) && + params[:id] == current_user.id end def init_gui diff --git a/app/permissions/project.rb b/app/permissions/project.rb index 84b463e4e..8fb5d3e20 100644 --- a/app/permissions/project.rb +++ b/app/permissions/project.rb 
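Review bot: In user_projects_controller, `check_manage_permisisons` inverts the previous rule: the old `unless can_update_project?(@project) || params[:id] != current_user.id` denied non-managers acting on their own row, while the new `unless can_manage_project?(@project) && params[:id] == current_user.id` denies everything except a manager acting on their own row. If `params[:id]` is the raw route string, `params[:id] == current_user.id` compares a String with an Integer and is never true, so every `update`/`destroy` would be rejected. Whichever intent is right, the operand needs normalising, e.g. `params[:id].to_i == current_user.id`, and the `&&`/`==` form should be re-checked against the previous `||`/`!=` one; the method name typo `permisisons` is consistent with the `before_action` and is harmless but worth fixing while here.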
@@ -5,12 +5,12 @@ Canaid::Permissions.register_for(Project) do (project.visible? && user.is_member_of_team?(project.team)) end - can :update_project do |user, project| + can :manage_project do |user, project| user.is_owner_of_project?(project) end can :restore_project do |user, project| - can_update_project?(user, project) && project.archived? + can_manage_project?(user, project) && project.archived? end can :create_experiment do |user, project| @@ -31,12 +31,12 @@ Canaid::Permissions.register_for(Project) do user.is_technician_or_higher_of_project?(project) end - %(read_project - update_project - create_experiment - add_comment_to_project - manage_tags - manage_reports) + %i(read_project + update_project + create_experiment + add_comment_to_project + manage_tags + manage_reports) .each do |perm| can perm do |_, project| project.active? @@ -50,10 +50,10 @@ Canaid::Permissions.register_for(Comment) do user.is_owner_of_project?(project)) end - %(update_or_delete_project_comment) + %i(update_or_delete_project_comment) .each do |perm| - can perm do |_, project| - project.active? + can perm do |_, comment| + comment.project.active? end end end diff --git a/app/views/projects/index.html.erb b/app/views/projects/index.html.erb index b8c82eec7..c9d02378a 100644 --- a/app/views/projects/index.html.erb +++ b/app/views/projects/index.html.erb @@ -23,7 +23,7 @@
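Review bot: The archived-project list in the second hunk still names `update_project` after the first hunk renamed that rule to `manage_project`, so `manage_project` (and therefore the new `check_manage_permissions` that now guards `edit`/`update` in projects_controller) is no longer restricted to active projects, while the `active?` block attaches to a name nothing defines. Substituting `manage_project` into the list would break `restore_project`, which is written as `can_manage_project?(user, project) && project.archived?`; writing it as `user.is_owner_of_project?(project) && project.archived?` removes that dependency and lets `manage_project` join the list. In the third hunk the extra guard reads `comment.project.active?` although the base rule only protects itself with `comment.project.present?`; `comment.project&.active?` avoids a nil error if canaid evaluates this block independently of the base one.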
    <% end %> -<% if can_update_project?(@project) %> +<% if can_manage_project?(@project) %>
    -<% end %> - -