From abced181d50263dccd137a531d494267f68f3814 Mon Sep 17 00:00:00 2001
From: mlorb
Date: Thu, 4 Jan 2018 11:53:58 +0100
Subject: [PATCH] refactor manage repository rows permissions again because of addons
---
 app/controllers/repository_rows_controller.rb | 20 +++++++++++++++----
 app/permissions/team.rb | 11 ++++++++--
 app/views/repositories/_repository.html.erb | 6 +++---
 3 files changed, 28 insertions(+), 9 deletions(-)
diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb
index 9c9d875fb..f2f243fe9 100644
--- a/app/controllers/repository_rows_controller.rb
+++ b/app/controllers/repository_rows_controller.rb
@@ -5,7 +5,9 @@ class RepositoryRowsController < ApplicationController
 before_action :load_vars, only: %i(edit update)
 before_action :load_repository, only: %i(create delete_records)
- before_action :check_permissions
+ before_action :check_create_permissions, only: :create
+ before_action :check_edit_permissions, only: %i(edit update)
+ before_action :check_destroy_permissions, only: :delete_records
 def create
 record = RepositoryRow.new(repository: @repository,
@@ -169,7 +171,9 @@ class RepositoryRowsController < ApplicationController
 if params[:selected_rows]
 params[:selected_rows].each do |row_id|
 row = @repository.repository_rows.find_by_id(row_id)
- row.destroy && deleted_count += 1 if row
+ if row && can_update_or_delete_repository_row?(row)
+ row.destroy && deleted_count += 1
+ end
 end
 if deleted_count.zero?
 flash = t('repositories.destroy.no_deleted_records_flash',
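Review bot: The three replacement before_actions are each scoped with `only:` to create, edit/update and delete_records, whereas the removed `before_action :check_permissions` ran for every action of RepositoryRowsController; any other action defined in this class outside the hunk now runs with no permission check at all. The old unrestricted check would have dereferenced a nil `@repository` for actions that `load_repository` does not serve, which suggests these four are the only actions, but that cannot be confirmed from the hunk since the rest of the class is not visible. A one-line comment above the new lines, `# every action of this controller must be listed in one of these checks`, would make the intent explicit for the addons the subject mentions.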
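Review bot: In the new `if row && can_update_or_delete_repository_row?(row)` branch a row that exists but fails the per-row check is silently skipped, so a request mixing permitted and refused ids deletes some rows and gives no signal about the rest beyond the generic no-deleted-records flash when none succeed. Because `check_destroy_permissions` has already established team-level rights on this repository, a refusal here means a more specific check (presumably an addon override of the RepositoryRow permission) declined one record, which is worth surfacing rather than folding into the "not found" path; either keep a separate `refused_count` for the flash or `return render_403` on the first refusal. `delete_records` starts and ends outside this hunk, so the flash handling that would report a new counter is not visible here.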
@@ -213,8 +217,16 @@ class RepositoryRowsController < ApplicationController
 render_404 unless @repository
 end
- def check_permissions
- render_403 unless can_manage_repository_row?(@repository.team)
+ def check_create_permissions
+ render_403 unless can_manage_repository_rows?(@repository.team)
+ end
+
+ def check_edit_permissions
+ render_403 unless can_update_or_delete_repository_row?(@record)
+ end
+
+ def check_destroy_permissions
+ render_403 unless can_manage_repository_rows?(@repository.team)
 end
 def record_params
diff --git a/app/permissions/team.rb b/app/permissions/team.rb
index e9757d892..ba542b496 100644
--- a/app/permissions/team.rb
+++ b/app/permissions/team.rb
@@ -43,8 +43,8 @@ Canaid::Permissions.register_for(Team) do
 user.is_admin_of_team?(team)
 end
- # create, import, edit, delete repository record
- can :manage_repository_row do |user, team|
+ # create, import, edit, delete repository records
+ can :manage_repository_rows do |user, team|
 user.is_normal_user_or_admin_of_team?(team)
 end
@@ -96,3 +96,10 @@ Canaid::Permissions.register_for(CustomField) do
 can_manage_sample_elements?(user, custom_field.team)
 end
 end
+
+ Canaid::Permissions.register_for(RepositoryRow) do
+ # update, delete specific repository record
+ can :update_or_delete_repository_row do |user, repository_row|
+ can_manage_repository_rows?(user, repository_row.repository.team)
+ end
+ end
diff --git a/app/views/repositories/_repository.html.erb b/app/views/repositories/_repository.html.erb
index 85e9e9335..c7f01d418 100644
--- a/app/views/repositories/_repository.html.erb
+++ b/app/views/repositories/_repository.html.erb
@@ -7,13 +7,13 @@
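Review bot: `check_create_permissions` and `check_destroy_permissions` have byte-identical bodies and nothing in the hunk records why they are kept apart; the commit subject's "because of addons" suggests they are meant as independent override points, but a reader of the file cannot tell that from the code. A short comment above `check_create_permissions`, `# kept separate from check_destroy_permissions so an addon can override each action's check on its own`, would capture the reason, adjusted if it is something else. `check_edit_permissions` also relies on `load_vars` having set `@record` before it runs, which the before_action order in this file appears to guarantee but is worth a `# @record is set by load_vars` note, since a nil `@record` would presumably raise inside the permission block rather than deny.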
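Review bot: The new `update_or_delete_repository_row` block dereferences `repository_row.repository.team` with no nil guard, so a row whose repository association is missing raises NoMethodError inside the authorization check and surfaces as a server error instead of a denial. Since this permission is now the gate for edit, update and the per-row branch of delete_records, a failure to resolve the owning team should deny: `repository = repository_row.repository` followed by `repository.present? && can_manage_repository_rows?(user, repository.team)`. Whether `can_manage_repository_rows?` itself tolerates a nil team is not visible here, so guarding before the call is the safer choice.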
- <% if can_manage_repository_row?(repository.team) %>
+ <% if can_manage_repository_rows?(repository.team) %>
 <% end %>
- <% if can_manage_repository_row?(repository.team) %>
+ <% if can_manage_repository_rows?(repository.team) %>
- <% if can_manage_repository_row?(repository.team) %>
+ <% if can_manage_repository_rows?(repository.team) %>