Preven removing last user manager for protocols/projects [SCI-8131]

2024-09-20 14:45:56 +08:00 · 2023-03-24 13:32:38 +01:00 · 2023-03-24 13:32:38 +01:00 · b1cce70cc6
parent 5016034189
commit b1cce70cc6
4 changed files with 35 additions and 0 deletions
--- a/app/controllers/access_permissions/projects_controller.rb
+++ b/app/controllers/access_permissions/projects_controller.rb
@ -37,6 +37,14 @@ module AccessPermissions
        user_id: permitted_update_params[:user_id],
        team: current_team
      )
+
+      # prevent role change if it would result in no users having the user management permission
+      new_user_role = UserRole.find(permitted_update_params[:user_role_id])
+      if !new_user_role.has_permission?(ProjectPermissions::USERS_MANAGE) &&
+         @user_assignment.last_with_permission?(ProjectPermissions::USERS_MANAGE)
+        raise ActiveRecord::RecordInvalid
+      end
+
      @user_assignment.update!(permitted_update_params)

      log_activity(:change_user_role_on_project, @user_assignment)
@ -103,6 +111,9 @@ module AccessPermissions
      user = @project.assigned_users.find(params[:user_id])
      user_assignment = @project.user_assignments.find_by(user: user, team: current_team)

+      # prevent deletion of last user that can manage users
+      raise ActiveRecord::RecordInvalid if user_assignment.last_with_permission?(ProjectPermissions::USERS_MANAGE)
+
      if @project.visible?
        user_assignment.update!(
          user_role: @project.default_public_user_role,
--- a/app/controllers/access_permissions/protocols_controller.rb
+++ b/app/controllers/access_permissions/protocols_controller.rb
@ -35,6 +35,14 @@ module AccessPermissions
        user_id: permitted_update_params[:user_id],
        team: current_team
      )
+
+      # prevent role change if it would result in no users having the user management permission
+      new_user_role = UserRole.find(permitted_update_params[:user_role_id])
+      if !new_user_role.has_permission?(ProtocolPermissions::USERS_MANAGE) &&
+         @user_assignment.last_with_permission?(ProtocolPermissions::USERS_MANAGE)
+        raise ActiveRecord::RecordInvalid
+      end
+
      @user_assignment.update!(permitted_update_params)
      log_activity(:protocol_template_access_changed, @user_assignment)

@ -88,6 +96,9 @@ module AccessPermissions
      user = @protocol.assigned_users.find(params[:user_id])
      user_assignment = @protocol.user_assignments.find_by(user: user, team: current_team)

+      # prevent deletion of last user that can manage users
+      raise ActiveRecord::RecordInvalid if user_assignment.last_with_permission?(ProtocolPermissions::USERS_MANAGE)
+
      Protocol.transaction do
        if @protocol.visible?
          user_assignment.update!(
--- a/app/models/user_assignment.rb
+++ b/app/models/user_assignment.rb
@ -24,6 +24,15 @@ class UserAssignment < ApplicationRecord
    assignable_owners.count == 1 && user_role.owner?
  end

+  def last_with_permission?(permission)
+    return false if user_role.permissions.exclude?(permission)
+
+    assignable.user_assignments.joins(:user_role)
+              .where.not(user: user)
+              .where('? = ANY(user_roles.permissions)', permission)
+              .none?
+  end
+
  private

  def call_user_assignment_changed_hook
--- a/app/models/user_role.rb
+++ b/app/models/user_role.rb
@ -61,6 +61,10 @@ class UserRole < ApplicationRecord
    predefined.find_by(name: UserRole.public_send('viewer_role').name)
  end

+  def has_permission?(permission)
+    permissions.include?(permission)
+  end
+
  def owner?
    predefined? && name == I18n.t('user_roles.predefined.owner')
  end