diff --git a/app/controllers/access_permissions/experiments_controller.rb b/app/controllers/access_permissions/experiments_controller.rb
index 604eff459..2f9daa937 100644
--- a/app/controllers/access_permissions/experiments_controller.rb
+++ b/app/controllers/access_permissions/experiments_controller.rb
@@ -50,7 +50,7 @@ module AccessPermissions
 end
 def check_manage_permissions
- render_403 unless can_manage_experiment?(@experiment)
+ render_403 unless can_manage_experiment_access?(@experiment)
 end
 def check_read_permissions
diff --git a/app/controllers/access_permissions/my_modules_controller.rb b/app/controllers/access_permissions/my_modules_controller.rb
index 314c7f14f..8da6b2755 100644
--- a/app/controllers/access_permissions/my_modules_controller.rb
+++ b/app/controllers/access_permissions/my_modules_controller.rb
@@ -57,7 +57,7 @@ module AccessPermissions
 end
 def check_manage_permissions
- render_403 unless can_manage_module?(@my_module)
+ render_403 unless can_manage_module_access?(@my_module)
 end
 def check_read_permissions
diff --git a/app/controllers/access_permissions/projects_controller.rb b/app/controllers/access_permissions/projects_controller.rb
index ad4dc2646..df0d7ff86 100644
--- a/app/controllers/access_permissions/projects_controller.rb
+++ b/app/controllers/access_permissions/projects_controller.rb
@@ -94,7 +94,7 @@ module AccessPermissions
 end
 def check_manage_permissions
- render_403 unless can_manage_project?(@project)
+ render_403 unless can_manage_project_access?(@project)
 end
 def check_read_permissions
diff --git a/app/models/concerns/assignable.rb b/app/models/concerns/assignable.rb
index 2090cbdc0..471444ad6 100644
--- a/app/models/concerns/assignable.rb
+++ b/app/models/concerns/assignable.rb
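Review bot: `check_manage_permissions` in `experiments_controller.rb` now tests the access-management permission rather than general manage rights, but its name still reads as the broader check; the same applies to the identical hunks in `my_modules_controller.rb` and `projects_controller.rb`. A short comment above each would keep a later reader from swapping the predicate back, e.g. `# Gate on the dedicated access-management permission, not general manage rights.` The `before_action` list that wires this filter to actions is outside the hunk, so which actions it covers cannot be confirmed from here.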
@@ -9,6 +9,12 @@ module Assignable
 default_scope { includes(user_assignments: :user_role) }
 after_create_commit do
+ UserAssignment.create(
+ user: created_by,
+ assignable: self,
+ user_role: UserRole.find_by(name: 'Owner')
+ )
+
 UserAssignments::GenerateUserAssignmentsJob.perform_later(self, created_by)
 end
 end
diff --git a/app/permissions/experiment.rb b/app/permissions/experiment.rb
index b539d9d2c..5d9cbcb0d 100644
--- a/app/permissions/experiment.rb
+++ b/app/permissions/experiment.rb
@@ -3,7 +3,8 @@ Canaid::Permissions.register_for(Experiment) do
 %i(manage_experiment
 archive_experiment
 clone_experiment
- move_experiment)
+ move_experiment
+ manage_experiment_access)
 .each do |perm|
 can perm do |_, experiment|
 experiment.active? &&
@@ -37,6 +38,11 @@ Canaid::Permissions.register_for(Experiment) do
 end
 end
+ # experiment: manage access policies
+ can :manage_experiment_access do |user, experiment|
+ experiment.permission_granted?(user, ExperimentPermissions::MANAGE_ACCESS)
+ end
+
 # experiment: archive
 can :archive_experiment do |user, experiment|
 experiment.permission_granted?(user, ExperimentPermissions::ARCHIVE)
diff --git a/app/permissions/my_module.rb b/app/permissions/my_module.rb
index 49321d3ee..7fbe24cf5 100644
--- a/app/permissions/my_module.rb
+++ b/app/permissions/my_module.rb
@@ -10,7 +10,8 @@ Canaid::Permissions.register_for(MyModule) do
 create_comments_in_module
 create_my_module_repository_snapshot
 manage_my_module_repository_snapshots
- change_my_module_flow_status)
+ change_my_module_flow_status
+ manage_module_access)
 .each do |perm|
 can perm do |_, my_module|
 my_module.active? &&
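Review bot: The owner assignment added to `after_create_commit` in `assignable.rb` can fail silently: `UserRole.find_by(name: 'Owner')` returns nil when no role has that name, and `UserAssignment.create` does not raise on a validation failure, so a new object could end up with no owner assignment. Because the controllers in this commit now gate access management on the assigned role's permissions, that would presumably leave nobody able to manage access to the object. Consider `user_role: UserRole.find_by!(name: 'Owner')` together with `UserAssignment.create!(`, or at least log the failure. Looking the role up by its display name also ties authorization to a string that may be editable; a stable key or predefined-role flag would be safer if the model has one. The callback runs after the commit, so the record and its owner assignment are not created atomically.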
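Review bot: Adding `manage_experiment_access` to the `%i(...)` list in `experiment.rb` also ties it to the `experiment.active? && …` block, so, assuming Canaid requires every block registered for a name to pass, nobody can change or revoke access while the experiment is archived. If that is intended, state it at the new rule, e.g. `# NOTE: access cannot be changed or revoked while the experiment is archived`; if revocation on archived objects should stay possible, the permission should be left out of that list. The same applies to `manage_module_access` in `my_module.rb` and `manage_project_access` in `project.rb`. The `MANAGE_ACCESS` constants and the role data that grants them are not visible in this part of the diff; if existing roles are not updated, the new controller checks would presumably return 403 for every user. The `can perm do` block continues past the end of the first hunk.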
@@ -31,6 +32,11 @@ Canaid::Permissions.register_for(MyModule) do
 my_module.permission_granted?(user, MyModulePermissions::ARCHIVE)
 end
+ # module: manage access policies
+ can :manage_module_access do |user, my_module|
+ my_module.permission_granted?(user, MyModulePermissions::MANAGE_ACCESS)
+ end
+
 # NOTE: Must not be dependent on canaid parmision for which we check if it's
 # active
 # module: restore
diff --git a/app/permissions/project.rb b/app/permissions/project.rb
index 6b904d2d4..1cf02dcd1 100644
--- a/app/permissions/project.rb
+++ b/app/permissions/project.rb
@@ -8,7 +8,8 @@ Canaid::Permissions.register_for(Project) do
 archive_project
 create_experiments
 create_comments_in_project
- manage_tags)
+ manage_tags
+ manage_project_access)
 .each do |perm|
 can perm do |_, project|
 project.active?
@@ -51,6 +52,11 @@ Canaid::Permissions.register_for(Project) do
 end
 end
+ # project: manage access policies
+ can :manage_project_access do |user, project|
+ project.permission_granted?(user, ProjectPermissions::MANAGE_ACCESS)
+ end
+
 # project: archive
 can :archive_project do |user, project|
 project.permission_granted?(user, ProjectPermissions::ARCHIVE)
diff --git a/app/views/access_permissions/projects/modals/_show_modal.html.erb b/app/views/access_permissions/projects/modals/_show_modal.html.erb
index 4e2aea4ee..e0d245701 100644
--- a/app/views/access_permissions/projects/modals/_show_modal.html.erb
+++ b/app/views/access_permissions/projects/modals/_show_modal.html.erb
@@ -16,7 +16,7 @@