Merge pull request #8650 from artoscinote/ma_SCI_11953

Permission fixes [SCI-11953]
Martin Artnik 2025-07-09 11:32:13 +02:00 committed by GitHub
commit b18ceeb31e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 21 additions and 19 deletions


@ -117,11 +117,11 @@ module AccessPermissions
private private
def model_parameter def model_parameter
@model.class.name.parameterize.to_sym @model.class.permission_class.name.parameterize.to_sym
end end
def manage_permission_constant def manage_permission_constant
"#{@model.class.name}Permissions::USERS_MANAGE".constantize "#{@model.class.permission_class.name}Permissions::USERS_MANAGE".constantize
end end
def permitted_default_public_user_role_params def permitted_default_public_user_role_params
@ -181,7 +181,7 @@ module AccessPermissions
when :team when :team
@assignment = @assignment =
@model.team_assignments @model.team_assignments
.find_or_initialize_by(team: current_team, assignable_id: @model.id, assignable_type: @model.class.name) .find_or_initialize_by(team: current_team, assignable: @model)
end end
end end
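Review bot: At L26 `find_or_initialize_by(team: current_team, assignable: @model)` matches `assignable_type` through Active Record's polymorphic name, which for an STI model resolves to the base class name, whereas the removed code matched `@model.class.name` exactly. If existing `team_assignments` rows were written with the concrete class name (for example a repository subtype under `RepositoryBase`), the lookup will miss them and initialize a duplicate assignment, so what `assignable_type` currently holds should be checked before relying on the shorthand. A comment such as `# assignable is polymorphic: the stored type is the STI base class, not @model.class.name` would make the switch deliberate. The method enclosing the `when :team` branch starts outside the hunk.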


@ -6,9 +6,9 @@ module PermissionCheckableModel
included do included do
include PermissionExtends include PermissionExtends
scope :with_granted_permissions, lambda { |user, permissions| scope :with_granted_permissions, lambda { |user, permissions, teams = user.permission_team|
with_user_assignments = joins(user_assignments: :user_role) with_user_assignments = joins(user_assignments: :user_role)
.where(user_assignments: { user: user, team: user.permission_team }) .where(user_assignments: { user: user, team: teams })
# direct user assignments take precedence over group assignments, thus skipping objects that already have user assignments. # direct user assignments take precedence over group assignments, thus skipping objects that already have user assignments.
with_group_assignments = left_outer_joins(user_group_assignments: [:user_role, { user_group: :users }], team_assignments: :user_role) with_group_assignments = left_outer_joins(user_group_assignments: [:user_role, { user_group: :users }], team_assignments: :user_role)
.where.not(id: with_user_assignments) .where.not(id: with_user_assignments)
@ -19,15 +19,20 @@ module PermissionCheckableModel
.where('user_roles.permissions @> ARRAY[?]::varchar[]', permissions) .where('user_roles.permissions @> ARRAY[?]::varchar[]', permissions)
.or( .or(
with_group_assignments with_group_assignments
.where(team_assignments: { assignable: self, team: user.permission_team }) .where(team_assignments: { assignable: self, team: teams })
.where('user_roles_team_assignments.permissions @> ARRAY[?]::varchar[]', permissions) .where('user_roles_team_assignments.permissions @> ARRAY[?]::varchar[]', permissions)
) )
.distinct .distinct
where(id: with_granted_user_permissions.select(:id)) where(id: with_granted_user_permissions.select(:id))
.or(where(id: with_granted_group_permissions.select(:id))) .or(where(id: with_granted_group_permissions.select(:id)))
} }
end end
def self.permission_class
self
end
def permission_granted?(user, permission) def permission_granted?(user, permission)
return true if user_assignments.joins(:user_role) return true if user_assignments.joins(:user_role)
.where(user: user, team: user.permission_team) .where(user: user, team: user.permission_team)
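Review bot: `def self.permission_class` at L53 appears to follow the `end` that closes `included do` at L52, i.e. it sits at the body level of the `PermissionCheckableModel` concern; if so it defines a singleton method on the module itself, not on the including class, and `permission_class.name` inside Shareable's `viewable_by_user` scope would raise NoMethodError on the model. Indentation is lost in this rendering, so confirm it is inside `included do` or a `class_methods do` block; if it is not, wrap it as `class_methods do` / `def permission_class = self` / `end`. The new `teams` parameter at L35 also deserves a line of documentation, e.g. `# teams: team or teams whose assignments are consulted; defaults to user.permission_team`. Both hunks cut through the scope lambda and the module body.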


@ -27,7 +27,7 @@ module Shareable
end end
scope :viewable_by_user, lambda { |user, teams = user.current_team| scope :viewable_by_user, lambda { |user, teams = user.current_team|
readable_ids = readable_by_user(user).where(team: teams).pluck(:id) readable_ids = with_granted_permissions(user, "#{permission_class.name}Permissions::READ".constantize, teams).pluck(:id)
shared_with_team_ids = joins(:team_shared_objects, :team).where(team_shared_objects: { team: teams }).pluck(:id) shared_with_team_ids = joins(:team_shared_objects, :team).where(team_shared_objects: { team: teams }).pluck(:id)
globally_shared_ids = globally_shared_ids =
if column_names.include?('permission_level') if column_names.include?('permission_level')
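Review bot: The `"#{permission_class.name}Permissions::READ".constantize` at L65 builds its constant name from the model class rather than from request input, so it is not an injection path, but it repeats the string-building already used in `AccessPermissions#manage_permission_constant` in this change; a single class-level helper returning the permissions module would keep that lookup in one place. Note also that the removed `readable_by_user(user).where(team: teams)` filtered on the object's own team, while `with_granted_permissions(user, …, teams)` filters on the assignment's team, so an object owned by another team but assigned within `teams` now counts as readable — presumably intended for shared objects, but worth a comment such as `# readable via assignments granted in `teams`, regardless of owning team`. The scope lambda continues outside the hunk.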


@ -82,8 +82,7 @@ class Experiment < ApplicationRecord
end end
def self.viewable_by_user(user, teams) def self.viewable_by_user(user, teams)
joins(:user_assignments).with_granted_permissions(user, ExperimentPermissions::READ) with_granted_permissions(user, ExperimentPermissions::READ, teams)
.where(user_assignments: { team: teams })
end end
def self.with_children_viewable_by_user(user) def self.with_children_viewable_by_user(user)
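Review bot: `Experiment.viewable_by_user` at L75 now delegates entirely to `with_granted_permissions`, which per the scope in PermissionCheckableModel also honours user-group and team assignments, whereas the removed `joins(:user_assignments)` form only saw direct user assignments; the same widening applies to `MyModule.viewable_by_user` at L85. That is presumably the intended permission fix, but nothing at either call site records it — a comment such as `# READ granted directly, via user group, or via team assignment within `teams`` would document the broadened contract.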


@ -130,8 +130,7 @@ class MyModule < ApplicationRecord
end end
def self.viewable_by_user(user, teams) def self.viewable_by_user(user, teams)
with_granted_permissions(user, MyModulePermissions::READ) with_granted_permissions(user, MyModulePermissions::READ, teams)
.where(user_assignments: { team: teams })
end end
def self.filter_by_teams(teams = []) def self.filter_by_teams(teams = [])


@ -77,10 +77,7 @@ class Project < ApplicationRecord
if team.permission_granted?(user, TeamPermissions::MANAGE) if team.permission_granted?(user, TeamPermissions::MANAGE)
where(team: team) where(team: team)
else else
where(team: team) viewable_by_user(user, team)
.left_outer_joins(user_assignments: :user_role)
.where(user_assignments: { user: user })
.where('? = ANY(user_roles.permissions)', ProjectPermissions::READ)
end end
end) end)
@ -104,9 +101,7 @@ class Project < ApplicationRecord
end end
def self.viewable_by_user(user, teams) def self.viewable_by_user(user, teams)
joins(user_assignments: :user_role) with_granted_permissions(user, ProjectPermissions::READ, teams)
.where(team: teams)
.with_granted_permissions(user, ProjectPermissions::READ)
.distinct .distinct
end end
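Review bot: `Project.viewable_by_user` keeps `.distinct` at L108 while `Experiment` and `MyModule` dropped theirs; `with_granted_permissions` ends in `where(id: …).or(where(id: …))` on the base relation with no joins, so the `distinct` is redundant here and the three methods should read the same. In the `else` branch at L96, `viewable_by_user(user, team)` replaces the explicit `where(team: team)` on the project's owning team with a filter on the assignment's team; if a project can carry assignments in a team other than its own this loosens the scope, so either confirm that invariant in a comment or keep `where(team: team).merge(viewable_by_user(user, team))`. The scope lambda enclosing L93-L101 starts outside the hunk.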


@ -27,6 +27,10 @@ class RepositoryBase < ApplicationRecord
# Not discarded # Not discarded
default_scope -> { kept } default_scope -> { kept }
def self.permission_class
Repository
end
def self.stock_management_enabled? def self.stock_management_enabled?
ApplicationSettings.instance.values['stock_management_enabled'] ApplicationSettings.instance.values['stock_management_enabled']
end end
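Review bot: `RepositoryBase.permission_class` at L116-L118 returns `Repository` with no explanation, and since AccessPermissions now builds `"#{permission_class.name}Permissions::…"` from it, the override silently routes every `RepositoryBase` descendant through the same permission set. A comment such as `# All repository subtypes are authorised via RepositoryPermissions (overrides the default of self)` would record the intent and flag that a future subtype with its own permissions must override this again.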


@ -7,7 +7,7 @@ module Lists
include ShareableSerializer include ShareableSerializer
attributes :name, :code, :nr_of_rows, :team, :created_at, :created_by, :archived_on, :archived_by, attributes :name, :code, :nr_of_rows, :team, :created_at, :created_by, :archived_on, :archived_by,
:urls, :top_level_assignable, :assigned_users, :permissions :urls, :top_level_assignable, :default_public_user_role_id, :assigned_users, :permissions
def nr_of_rows def nr_of_rows
object[:repository_rows_count] object[:repository_rows_count]