Updated project permission helpers [SCI-6041]

app/controllers/access_permissions/projects_controller.rb

@@ -94,7 +94,7 @@ module AccessPermissions
     end
 
     def check_manage_permissions
-      render_403 unless can_manage_project_access?(@project)
+      render_403 unless can_manage_project_users?(@project)
     end
 
     def check_read_permissions

app/controllers/api/v1/experiments_controller.rb

@@ -22,7 +22,7 @@ module Api
       end
 
       def create
-        raise PermissionError.new(Experiment, :create) unless can_create_experiments?(@project)
+        raise PermissionError.new(Experiment, :create) unless can_create_project_experiments?(@project)
 
         experiment = @project.experiments.create!(experiment_params.merge!(created_by: current_user,
                                                                            last_modified_by: current_user))

app/controllers/comments_controller.rb

@@ -89,7 +89,7 @@ class CommentsController < ApplicationController
   def check_create_permissions
     case @commentable
     when Project
-      render_403 and return unless can_create_comments_in_project?(@commentable)
+      render_403 and return unless can_create_project_comments?(@commentable)
     when MyModule
       render_403 and return unless can_create_comments_in_module?(@commentable)
     when Step

app/controllers/dashboard/quick_start_controller.rb

@@ -70,7 +70,7 @@ module Dashboard
       end
 
       unless @experiment
-        render_403 unless can_create_experiments?(current_user, @project)
+        render_403 unless can_create_project_experiments?(current_user, @project)
         return
       end
 

app/controllers/experiments_controller.rb

@@ -314,7 +314,7 @@ class ExperimentsController < ApplicationController
   end
 
   def check_create_permissions
-    render_403 unless can_create_experiments?(@project)
+    render_403 unless can_create_project_experiments?(@project)
   end
 
   def check_manage_permissions

app/controllers/project_comments_controller.rb

@@ -51,7 +51,7 @@ class ProjectCommentsController < ApplicationController
   end
 
   def check_create_permissions
-    render_403 unless can_create_comments_in_project?(@project)
+    render_403 unless can_create_project_comments?(@project)
   end
 
   def check_manage_permissions

app/controllers/tags_controller.rb

@@ -161,7 +161,7 @@ class TagsController < ApplicationController
   end
 
   def check_manage_permissions
-    render_403 unless can_manage_tags?(@project)
+    render_403 unless can_manage_project?(@project)
   end
 
   def tag_params

app/helpers/comment_helper.rb

@@ -63,7 +63,7 @@ module CommentHelper
     when 'Step', 'Result'
       can_create_comments_in_module?(object.my_module)
     when 'Project'
-      can_create_comments_in_project?(object)
+      can_create_project_comments?(object)
     else
       false
     end

app/models/user_role.rb

@@ -32,8 +32,8 @@ class UserRole < ApplicationRecord
       permissions:
       [
         ProjectPermissions::READ,
-        ProjectPermissions::CREATE_EXPERIMENTS,
+        ProjectPermissions::EXPERIMENTS_CREATE,
-        ProjectPermissions::CREATE_COMMENTS,
+        ProjectPermissions::COMMENTS_CREATE,
         ExperimentPermissions::READ,
         ExperimentPermissions::MANAGE,
         ExperimentPermissions::ARCHIVE,
@@ -57,7 +57,7 @@ class UserRole < ApplicationRecord
       permissions:
       [
         ProjectPermissions::READ,
-        ProjectPermissions::CREATE_COMMENTS,
+        ProjectPermissions::COMMENTS_CREATE,
         ExperimentPermissions::READ,
         MyModulePermissions::READ,
         MyModulePermissions::CREATE_COMMENTS,

app/permissions/project.rb

@@ -6,10 +6,10 @@ Canaid::Permissions.register_for(Project) do
   # Project must be active for all the specified permissions
   %i(manage_project
      archive_project
-     create_experiments
+     create_project_experiments
-     create_comments_in_project
+     create_project_comments
-     manage_tags
+     manage_project_tags
-     manage_project_access)
+     manage_project_users)
     .each do |perm|
     can perm do |_, project|
       project.active?
@@ -23,21 +23,7 @@ Canaid::Permissions.register_for(Project) do
       project.permission_granted?(user, ProjectPermissions::READ)
     end
   end
-  # project: read, read activities, read comments, read users, read archive,
-  #          read notifications
-  # reports: read
-  can :read_project do |_, _|
-    # Already checked by the wrapper
-    true
-  end
 
-  # team: export projects
-  can :export_project do |_, _|
-    # Already checked by the wrapper
-    true
-  end
-
-  # project: update/delete, assign/reassign/unassign users
   can :manage_project do |user, project|
     project.permission_granted?(user, ProjectPermissions::MANAGE) &&
       MyModule.joins(experiment: :project)
@@ -52,64 +38,55 @@ Canaid::Permissions.register_for(Project) do
       end
   end
 
-  # project: manage access policies
+  can :read_project_folders do |user, project|
-  can :manage_project_access do |user, project|
+    project.permission_granted?(user, ProjectPermissions::FOLDERS_READ)
-    project.permission_granted?(user, ProjectPermissions::MANAGE_ACCESS)
+  end
+
+  can :manage_project_users do |user, project|
+    project.permission_granted?(user, ProjectPermissions::USERS_MANAGE)
   end
 
-  # project: archive
   can :archive_project do |user, project|
-    project.permission_granted?(user, ProjectPermissions::ARCHIVE)
+    project.permission_granted?(user, ProjectPermissions::MANAGE)
   end
 
-  # NOTE: Must not be dependent on canaid parmision for which we check if it's
-  # active
-  # project: restore
   can :restore_project do |user, project|
-    project.archived? && project.permission_granted?(user, ProjectPermissions::RESTORE)
+    project.archived? && project.permission_granted?(user, ProjectPermissions::MANAGE)
   end
 
-  # experiment: create
+  can :create_project_experiments do |user, project|
-
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_CREATE)
-  can :create_experiments do |user, project|
-    project.permission_granted?(user, ProjectPermissions::CREATE_EXPERIMENTS)
   end
 
-  can :manage_experiments do |user, project|
+  can :read_project_experiments do |user, project|
-    project.permission_granted?(user, ProjectPermissions::CREATE_EXPERIMENTS)
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ)
   end
 
-  # project: create comment
+  can :read_archived_project_experiments do |user, project|
-  can :create_comments_in_project do |user, project|
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_ARCHIVED)
-    project.permission_granted?(user, ProjectPermissions::CREATE_COMMENTS)
   end
 
-  # project: create/update/delete tag
+  can :read_canvas_of_project_experiments do |user, project|
-  # module: assign/reassign/unassign tag
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_CANVAS)
-  can :manage_tags do |user, project|
+  end
-    project.permission_granted?(user, ProjectPermissions::MANAGE_TAGS)
+
-  end
+  can :read_activities_of_project_experiments do |user, project|
-end
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_ACTIVITIES_READ)
-
+  end
-Canaid::Permissions.register_for(ProjectComment) do
+
-  # Project must be active for all the specified permissions
+  can :read_users_of_project_experiments do |user, project|
-  %i(manage_comment_in_project)
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_USERS_READ)
-    .each do |perm|
+  end
-    can perm do |_, project_comment|
+
-      project_comment.project.active?
+  can :create_project_comments do |user, project|
-    end
+    project.permission_granted?(user, ProjectPermissions::COMMENTS_CREATE)
-  end
+  end
-
+
-  # project: update/delete comment
+  can :manage_project_comments do |user, project|
-  can :manage_comment_in_project do |user, project_comment|
+    project.permission_granted?(user, ProjectPermissions::COMMENTS_MANAGE)
-    project_comment.project.present? && (project_comment.user == user ||
+  end
-      project.permission_granted?(user, ProjectPermissions::MANAGE_COMMENTS))
+
-  end
+  can :manage_project_tags do |user, project|
-end
+    project.permission_granted?(user, ProjectPermissions::MANAGE)
-
-Canaid::Permissions.register_for(ProjectFolder) do
-  # ProjectFolder: delete
-  can :delete_project_folder do |_, project_folder|
-    !project_folder.projects.exists? && !project_folder.project_folders.exists?
   end
 end

app/views/access_permissions/projects/show.json.jbuilder

@@ -5,7 +5,7 @@ json.modal controller.render_to_string(
   formats: [:html],
   locals: {
     resource: @project,
-    can_manage_resource: can_manage_project_access?(@project)
+    can_manage_resource: can_manage_project_users?(@project)
   },
   layout: false
 )

app/views/project_comments/_index.html.erb

@@ -3,7 +3,7 @@
   <%= render partial: 'shared/comments/comments.html.erb', locals: {
     object: @project,
     comments: comments,
-    can_create_comments: can_create_comments_in_project?(@project), 
+    can_create_comments: can_create_project_comments?(@project),
     create_url: project_project_comments_path(@project, format: :json),
     more_url: project_project_comments_path(@project, format: :json, from: comments.first&.id)
   } %>

app/views/projects/index/_project_actions_dropdown.html.erb

@@ -51,7 +51,7 @@
       <!-- Project members access -->
       <% if can_read_project?(project) %>
         <li class="form-dropdown-item">
-          <%= link_to can_manage_project_access?(project) ? edit_access_permissions_project_path(project) : access_permissions_project_path(project),
+          <%= link_to can_manage_project_users?(project) ? edit_access_permissions_project_path(project) : access_permissions_project_path(project),
                       class: 'btn btn-light',
                       data: { action: 'remote-modal'} do %>
             <i class="fas fa-door-open"></i>

app/views/projects/index/_project_card.html.erb

@@ -50,7 +50,7 @@
   <div class="data-row user-cell table-cell">
     <span class="card-label"><%= t('projects.index.card.users') %></span>
     <div class="value">
-      <% if can_manage_project_access?(project) %>
+      <% if can_manage_project_users?(project) %>
         <%= link_to edit_access_permissions_project_path(project), class: 'project-users-link', data: { action: 'remote-modal' } do %>
           <%= render partial: 'projects/index/users_list.html.erb', locals: { project: project } %>
           <span class="new-user global-avatar-container">

app/views/projects/show/_toolbar.html.erb

@@ -1,6 +1,6 @@
 <div id="projectShowToolbar" class="project-show-toolbar">
   <!-- new experiment button -->
-  <% if can_create_experiments?(@project) %>
+  <% if can_create_project_experiments?(@project) %>
     <%= button_to new_project_experiment_url(@project),
                   remote: true,
                   form_class: 'new-experiment-form',

config/initializers/extends/permission_extends.rb

@@ -4,15 +4,21 @@ module PermissionExtends
   module ProjectPermissions
     %w(
       READ
-      EXPORT
+      READ_ARCHIVED
       MANAGE
-      ARCHIVE
+      FOLDERS_READ
-      RESTORE
+      ACTIVITIES_READ
-      CREATE_EXPERIMENTS
+      USERS_READ
-      CREATE_COMMENTS
+      USERS_MANAGE
-      MANAGE_COMMENTS
+      COMMENTS_READ
-      MANAGE_TAGS
+      COMMENTS_CREATE
-      MANAGE_ACCESS
+      COMMENTS_MANAGE
+      EXPERIMENTS_READ
+      EXPERIMENTS_READ_ARCHIVED
+      EXPERIMENTS_CREATE
+      EXPERIMENTS_READ_CANVAS
+      EXPERIMENTS_ACTIVITIES_READ
+      EXPERIMENTS_USERS_READ
     ).each { |permission| const_set(permission, "project_#{permission.underscore}") }
   end
 

spec/factories/user_roles.rb

@@ -13,8 +13,8 @@ FactoryBot.define do
       permissions {
         [
           ProjectPermissions::READ,
-          ProjectPermissions::CREATE_EXPERIMENTS,
+          ProjectPermissions::EXPERIMENTS_CREATE,
-          ProjectPermissions::CREATE_COMMENTS,
+          ProjectPermissions::COMMENTS_CREATE,
           ExperimentPermissions::READ,
           ExperimentPermissions::MANAGE,
           ExperimentPermissions::ARCHIVE,
@@ -37,7 +37,7 @@ FactoryBot.define do
       permissions {
         [
           ProjectPermissions::READ,
-          ProjectPermissions::CREATE_COMMENTS,
+          ProjectPermissions::COMMENTS_CREATE,
           ExperimentPermissions::READ,
           MyModulePermissions::READ,
           MyModulePermissions::CREATE_COMMENTS,