refactor manage repository rows permissions again because of addons

app/controllers/repository_rows_controller.rb

@@ -5,7 +5,9 @@ class RepositoryRowsController < ApplicationController
 
   before_action :load_vars, only: %i(edit update)
   before_action :load_repository, only: %i(create delete_records)
-  before_action :check_permissions
+  before_action :check_create_permissions, only: :create
+  before_action :check_edit_permissions, only: %i(edit update)
+  before_action :check_destroy_permissions, only: :delete_records
 
   def create
     record = RepositoryRow.new(repository: @repository,
@@ -169,7 +171,9 @@ class RepositoryRowsController < ApplicationController
     if params[:selected_rows]
       params[:selected_rows].each do |row_id|
         row = @repository.repository_rows.find_by_id(row_id)
-        row.destroy && deleted_count += 1 if row
+        if row && can_update_or_delete_repository_row?(row)
+          row.destroy && deleted_count += 1
+        end
       end
       if deleted_count.zero?
         flash = t('repositories.destroy.no_deleted_records_flash',
@@ -213,8 +217,16 @@ class RepositoryRowsController < ApplicationController
     render_404 unless @repository
   end
 
-  def check_permissions
-    render_403 unless can_manage_repository_row?(@repository.team)
+  def check_create_permissions
+    render_403 unless can_manage_repository_rows?(@repository.team)
+  end
+
+  def check_edit_permissions
+    render_403 unless can_update_or_delete_repository_row?(@record)
+  end
+
+  def check_destroy_permissions
+    render_403 unless can_manage_repository_rows?(@repository.team)
   end
 
   def record_params

app/permissions/team.rb

@@ -43,8 +43,8 @@ Canaid::Permissions.register_for(Team) do
     user.is_admin_of_team?(team)
   end
 
-  # create, import, edit, delete repository record
-  can :manage_repository_row do |user, team|
+  # create, import, edit, delete repository records
+  can :manage_repository_rows do |user, team|
     user.is_normal_user_or_admin_of_team?(team)
   end
 
@@ -96,3 +96,10 @@ Canaid::Permissions.register_for(CustomField) do
     can_manage_sample_elements?(user, custom_field.team)
   end
 end
+
+Canaid::Permissions.register_for(RepositoryRow) do
+  # update, delete specific repository record
+  can :update_or_delete_repository_row do |user, repository_row|
+    can_manage_repository_rows?(user, repository_row.repository.team)
+  end
+end

app/views/repositories/_repository.html.erb

@@ -7,13 +7,13 @@
 
 <div id="repository-toolbar">
 
-  <% if can_manage_repository_row?(repository.team) %>
+  <% if can_manage_repository_rows?(repository.team) %>
     <button type="button" class="btn btn-default editAdd" id="addRepositoryRecord" onclick="onClickAddRecord()">
       <span class="glyphicon glyphicon-plus"></span>
       <span class="hidden-xs"><%= t("repositories.add_new_record") %></span>
     </button>
   <% end %>
-  <% if can_manage_repository_row?(repository.team) %>
+  <% if can_manage_repository_rows?(repository.team) %>
     <button type="button" class="btn btn-default" id="importRecordsButton">
       <span class="glyphicon glyphicon-cloud-upload"></span>
       <span class="hidden-xs"><%= t('repositories.import_records.import') %></span>
@@ -113,7 +113,7 @@
     <span class="hidden-xs-custom"><%= t("repositories.edit_record") %></span>
   </button>
 
-  <% if can_manage_repository_row?(repository.team) %>
+  <% if can_manage_repository_rows?(repository.team) %>
     <button type="button" class="btn btn-default"
       id="deleteRepositoryRecordsButton" data-target="#deleteRepositoryRecord" data-toggle="modal" disabled>
       <span class="glyphicon glyphicon-trash"></span>