Updated project permission helpers [SCI-6041]

2025-11-10 08:21:37 +08:00 · 2021-09-07 11:27:52 +02:00 · 2021-09-07 11:27:52 +02:00 · 975a8910a8
commit 975a8910a8
parent 7e6ca3be8a
17 changed files with 74 additions and 91 deletions
--- a/app/controllers/access_permissions/projects_controller.rb
+++ b/app/controllers/access_permissions/projects_controller.rb
@ -94,7 +94,7 @@ module AccessPermissions
    end
    def check_manage_permissions
-      render_403 unless can_manage_project_access?(@project)
+      render_403 unless can_manage_project_users?(@project)
    end
    def check_read_permissions
--- a/app/controllers/api/v1/experiments_controller.rb
+++ b/app/controllers/api/v1/experiments_controller.rb
@ -22,7 +22,7 @@ module Api
      end
      def create
-        raise PermissionError.new(Experiment, :create) unless can_create_experiments?(@project)
+        raise PermissionError.new(Experiment, :create) unless can_create_project_experiments?(@project)
        experiment = @project.experiments.create!(experiment_params.merge!(created_by: current_user,
                                                                           last_modified_by: current_user))
--- a/app/controllers/comments_controller.rb
+++ b/app/controllers/comments_controller.rb
@ -89,7 +89,7 @@ class CommentsController < ApplicationController
  def check_create_permissions
    case @commentable
    when Project
-      render_403 and return unless can_create_comments_in_project?(@commentable)
+      render_403 and return unless can_create_project_comments?(@commentable)
    when MyModule
      render_403 and return unless can_create_comments_in_module?(@commentable)
    when Step
--- a/app/controllers/dashboard/quick_start_controller.rb
+++ b/app/controllers/dashboard/quick_start_controller.rb
@ -70,7 +70,7 @@ module Dashboard
      end
      unless @experiment
-        render_403 unless can_create_experiments?(current_user, @project)
+        render_403 unless can_create_project_experiments?(current_user, @project)
        return
      end
--- a/app/controllers/experiments_controller.rb
+++ b/app/controllers/experiments_controller.rb
@ -314,7 +314,7 @@ class ExperimentsController < ApplicationController
  end
  def check_create_permissions
-    render_403 unless can_create_experiments?(@project)
+    render_403 unless can_create_project_experiments?(@project)
  end
  def check_manage_permissions
--- a/app/controllers/project_comments_controller.rb
+++ b/app/controllers/project_comments_controller.rb
@ -51,7 +51,7 @@ class ProjectCommentsController < ApplicationController
  end
  def check_create_permissions
-    render_403 unless can_create_comments_in_project?(@project)
+    render_403 unless can_create_project_comments?(@project)
  end
  def check_manage_permissions
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@ -161,7 +161,7 @@ class TagsController < ApplicationController
  end
  def check_manage_permissions
-    render_403 unless can_manage_tags?(@project)
+    render_403 unless can_manage_project?(@project)
  end
  def tag_params
--- a/app/helpers/comment_helper.rb
+++ b/app/helpers/comment_helper.rb
@ -63,7 +63,7 @@ module CommentHelper
    when 'Step', 'Result'
      can_create_comments_in_module?(object.my_module)
    when 'Project'
-      can_create_comments_in_project?(object)
+      can_create_project_comments?(object)
    else
      false
    end
--- a/app/models/user_role.rb
+++ b/app/models/user_role.rb
@ -32,8 +32,8 @@ class UserRole < ApplicationRecord
      permissions:
      [
        ProjectPermissions::READ,
-        ProjectPermissions::CREATE_EXPERIMENTS,
+        ProjectPermissions::EXPERIMENTS_CREATE,
-        ProjectPermissions::CREATE_COMMENTS,
+        ProjectPermissions::COMMENTS_CREATE,
        ExperimentPermissions::READ,
        ExperimentPermissions::MANAGE,
        ExperimentPermissions::ARCHIVE,
@ -57,7 +57,7 @@ class UserRole < ApplicationRecord
      permissions:
      [
        ProjectPermissions::READ,
-        ProjectPermissions::CREATE_COMMENTS,
+        ProjectPermissions::COMMENTS_CREATE,
        ExperimentPermissions::READ,
        MyModulePermissions::READ,
        MyModulePermissions::CREATE_COMMENTS,
--- a/app/permissions/project.rb
+++ b/app/permissions/project.rb
@ -6,10 +6,10 @@ Canaid::Permissions.register_for(Project) do
  # Project must be active for all the specified permissions
  %i(manage_project
     archive_project
-     create_experiments
+     create_project_experiments
-     create_comments_in_project
+     create_project_comments
-     manage_tags
+     manage_project_tags
-     manage_project_access)
+     manage_project_users)
    .each do |perm|
    can perm do |_, project|
      project.active?
@ -23,21 +23,7 @@ Canaid::Permissions.register_for(Project) do
      project.permission_granted?(user, ProjectPermissions::READ)
    end
  end
  # project: read, read activities, read comments, read users, read archive,
  #          read notifications
  # reports: read
  can :read_project do |_, _|
    # Already checked by the wrapper
    true
  end
  # team: export projects
  can :export_project do |_, _|
    # Already checked by the wrapper
    true
  end
  # project: update/delete, assign/reassign/unassign users
  can :manage_project do |user, project|
    project.permission_granted?(user, ProjectPermissions::MANAGE) &&
      MyModule.joins(experiment: :project)
@ -52,64 +38,55 @@ Canaid::Permissions.register_for(Project) do
      end
  end
-  # project: manage access policies
+  can :read_project_folders do |user, project|
-  can :manage_project_access do |user, project|
+    project.permission_granted?(user, ProjectPermissions::FOLDERS_READ)
-    project.permission_granted?(user, ProjectPermissions::MANAGE_ACCESS)
+  end
  can :manage_project_users do |user, project|
    project.permission_granted?(user, ProjectPermissions::USERS_MANAGE)
  end
  # project: archive
  can :archive_project do |user, project|
-    project.permission_granted?(user, ProjectPermissions::ARCHIVE)
+    project.permission_granted?(user, ProjectPermissions::MANAGE)
  end
  # NOTE: Must not be dependent on canaid parmision for which we check if it's
  # active
  # project: restore
  can :restore_project do |user, project|
-    project.archived? && project.permission_granted?(user, ProjectPermissions::RESTORE)
+    project.archived? && project.permission_granted?(user, ProjectPermissions::MANAGE)
  end
-  # experiment: create
+  can :create_project_experiments do |user, project|
-
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_CREATE)
  can :create_experiments do |user, project|
    project.permission_granted?(user, ProjectPermissions::CREATE_EXPERIMENTS)
  end
-  can :manage_experiments do |user, project|
+  can :read_project_experiments do |user, project|
-    project.permission_granted?(user, ProjectPermissions::CREATE_EXPERIMENTS)
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ)
  end
-  # project: create comment
+  can :read_archived_project_experiments do |user, project|
-  can :create_comments_in_project do |user, project|
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_ARCHIVED)
    project.permission_granted?(user, ProjectPermissions::CREATE_COMMENTS)
  end
-  # project: create/update/delete tag
+  can :read_canvas_of_project_experiments do |user, project|
-  # module: assign/reassign/unassign tag
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_CANVAS)
-  can :manage_tags do |user, project|
+  end
-    project.permission_granted?(user, ProjectPermissions::MANAGE_TAGS)
+
-  end
+  can :read_activities_of_project_experiments do |user, project|
-end
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_ACTIVITIES_READ)
-
+  end
-Canaid::Permissions.register_for(ProjectComment) do
+
-  # Project must be active for all the specified permissions
+  can :read_users_of_project_experiments do |user, project|
-  %i(manage_comment_in_project)
+    project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_USERS_READ)
-    .each do |perm|
+  end
-    can perm do |_, project_comment|
+
-      project_comment.project.active?
+  can :create_project_comments do |user, project|
-    end
+    project.permission_granted?(user, ProjectPermissions::COMMENTS_CREATE)
-  end
+  end
-
+
-  # project: update/delete comment
+  can :manage_project_comments do |user, project|
-  can :manage_comment_in_project do |user, project_comment|
+    project.permission_granted?(user, ProjectPermissions::COMMENTS_MANAGE)
-    project_comment.project.present? && (project_comment.user == user ||
+  end
-      project.permission_granted?(user, ProjectPermissions::MANAGE_COMMENTS))
+
-  end
+  can :manage_project_tags do |user, project|
-end
+    project.permission_granted?(user, ProjectPermissions::MANAGE)
 Canaid::Permissions.register_for(ProjectFolder) do
  # ProjectFolder: delete
  can :delete_project_folder do |_, project_folder|
    !project_folder.projects.exists? && !project_folder.project_folders.exists?
  end
 end
--- a/app/views/access_permissions/projects/show.json.jbuilder
+++ b/app/views/access_permissions/projects/show.json.jbuilder
@ -5,7 +5,7 @@ json.modal controller.render_to_string(
  formats: [:html],
  locals: {
    resource: @project,
-    can_manage_resource: can_manage_project_access?(@project)
+    can_manage_resource: can_manage_project_users?(@project)
  },
  layout: false
 )
--- a/app/views/project_comments/_index.html.erb
+++ b/app/views/project_comments/_index.html.erb
@ -2,8 +2,8 @@
 <hr>
  <%= render partial: 'shared/comments/comments.html.erb', locals: {
    object: @project,
-    comments: comments, 
+    comments: comments,
-    can_create_comments: can_create_comments_in_project?(@project), 
+    can_create_comments: can_create_project_comments?(@project),
    create_url: project_project_comments_path(@project, format: :json),
    more_url: project_project_comments_path(@project, format: :json, from: comments.first&.id)
  } %>
--- a/app/views/projects/index/_project_actions_dropdown.html.erb
+++ b/app/views/projects/index/_project_actions_dropdown.html.erb
@ -51,7 +51,7 @@
      <!-- Project members access -->
      <% if can_read_project?(project) %>
        <li class="form-dropdown-item">
-          <%= link_to can_manage_project_access?(project) ? edit_access_permissions_project_path(project) : access_permissions_project_path(project),
+          <%= link_to can_manage_project_users?(project) ? edit_access_permissions_project_path(project) : access_permissions_project_path(project),
                      class: 'btn btn-light',
                      data: { action: 'remote-modal'} do %>
            <i class="fas fa-door-open"></i>
--- a/app/views/projects/index/_project_card.html.erb
+++ b/app/views/projects/index/_project_card.html.erb
@ -50,7 +50,7 @@
  <div class="data-row user-cell table-cell">
    <span class="card-label"><%= t('projects.index.card.users') %></span>
    <div class="value">
-      <% if can_manage_project_access?(project) %>
+      <% if can_manage_project_users?(project) %>
        <%= link_to edit_access_permissions_project_path(project), class: 'project-users-link', data: { action: 'remote-modal' } do %>
          <%= render partial: 'projects/index/users_list.html.erb', locals: { project: project } %>
          <span class="new-user global-avatar-container">
--- a/app/views/projects/show/_toolbar.html.erb
+++ b/app/views/projects/show/_toolbar.html.erb
@ -1,6 +1,6 @@
 <div id="projectShowToolbar" class="project-show-toolbar">
  <!-- new experiment button -->
-  <% if can_create_experiments?(@project) %>
+  <% if can_create_project_experiments?(@project) %>
    <%= button_to new_project_experiment_url(@project),
                  remote: true,
                  form_class: 'new-experiment-form',
--- a/config/initializers/extends/permission_extends.rb
+++ b/config/initializers/extends/permission_extends.rb
@ -4,15 +4,21 @@ module PermissionExtends
  module ProjectPermissions
    %w(
      READ
-      EXPORT
+      READ_ARCHIVED
      MANAGE
-      ARCHIVE
+      FOLDERS_READ
-      RESTORE
+      ACTIVITIES_READ
-      CREATE_EXPERIMENTS
+      USERS_READ
-      CREATE_COMMENTS
+      USERS_MANAGE
-      MANAGE_COMMENTS
+      COMMENTS_READ
-      MANAGE_TAGS
+      COMMENTS_CREATE
-      MANAGE_ACCESS
+      COMMENTS_MANAGE
      EXPERIMENTS_READ
      EXPERIMENTS_READ_ARCHIVED
      EXPERIMENTS_CREATE
      EXPERIMENTS_READ_CANVAS
      EXPERIMENTS_ACTIVITIES_READ
      EXPERIMENTS_USERS_READ
    ).each { |permission| const_set(permission, "project_#{permission.underscore}") }
  end
--- a/spec/factories/user_roles.rb
+++ b/spec/factories/user_roles.rb
@ -13,8 +13,8 @@ FactoryBot.define do
      permissions {
        [
          ProjectPermissions::READ,
-          ProjectPermissions::CREATE_EXPERIMENTS,
+          ProjectPermissions::EXPERIMENTS_CREATE,
-          ProjectPermissions::CREATE_COMMENTS,
+          ProjectPermissions::COMMENTS_CREATE,
          ExperimentPermissions::READ,
          ExperimentPermissions::MANAGE,
          ExperimentPermissions::ARCHIVE,
@ -37,7 +37,7 @@ FactoryBot.define do
      permissions {
        [
          ProjectPermissions::READ,
-          ProjectPermissions::CREATE_COMMENTS,
+          ProjectPermissions::COMMENTS_CREATE,
          ExperimentPermissions::READ,
          MyModulePermissions::READ,
          MyModulePermissions::CREATE_COMMENTS,