Add permissions checks for results controllers [SCI-6071] (#3555)

* Add permission tests for results controller [SCI-6071] * Update results controllers with new permissions [SCI-6071] * Small fixes to results controllers [SCI-6071] * Update result permission helpers [SCI-6071]
2025-09-06 05:04:35 +08:00 · 2021-09-24 13:11:41 +02:00 · 2021-09-24 13:11:41 +02:00 · c248e87adb
commit c248e87adb
parent 19bac6ce68
14 changed files with 318 additions and 20 deletions
--- a/app/controllers/result_assets_controller.rb
+++ b/app/controllers/result_assets_controller.rb
@ -1,10 +1,11 @@
 class ResultAssetsController < ApplicationController
  include ResultsHelper

-  before_action :load_vars, only: [:edit, :update, :download]
-  before_action :load_vars_nested, only: [:new, :create]
+  before_action :load_vars, only: %i(edit update)
+  before_action :load_vars_nested, only: %i(new create)

-  before_action :check_manage_permissions, only: %i(new create edit update)
+  before_action :check_manage_permissions, only: %i(edit update)
+  before_action :check_create_permissions, only: %i(new create)
  before_action :check_archive_permissions, only: [:update]

  def new
@ -142,8 +143,12 @@ class ResultAssetsController < ApplicationController
    render_404 unless @my_module
  end

+  def check_create_permissions
+    render_403 unless can_create_results?(@my_module)
+  end
+
  def check_manage_permissions
-    render_403 unless can_manage_my_module?(@my_module)
+    render_403 unless can_manage_result?(@result)
  end

  def check_archive_permissions
--- a/app/controllers/result_comments_controller.rb
+++ b/app/controllers/result_comments_controller.rb
@ -49,17 +49,17 @@ class ResultCommentsController < ApplicationController
  end

  def check_view_permissions
-    render_403 unless can_read_experiment?(@my_module.experiment)
+    render_403 unless can_read_my_module?(@my_module)
  end

  def check_add_permissions
-    render_403 unless can_create_my_module_comments?(@my_module)
+    render_403 unless can_create_my_module_result_comments?(@my_module)
  end

  def check_manage_permissions
    @comment = ResultComment.find_by_id(params[:id])
    render_403 unless @comment.present? &&
-                      can_manage_comment_in_module?(@comment.becomes(Comment))
+                      can_manage_result_comment?(@comment)
  end

  def comment_params
--- a/app/controllers/result_tables_controller.rb
+++ b/app/controllers/result_tables_controller.rb
@ -5,8 +5,10 @@ class ResultTablesController < ApplicationController
  before_action :load_vars_nested, only: [:new, :create]
  before_action :convert_contents_to_utf8, only: [:create, :update]

-  before_action :check_manage_permissions, only: %i(new create edit update)
+  before_action :check_manage_permissions, only: %i(edit update)
+  before_action :check_create_permissions, only: %i(new create)
  before_action :check_archive_permissions, only: [:update]
+  before_action :check_view_permissions, except: %i(new create edit update)

  def new
    @table = Table.new
@ -145,8 +147,12 @@ class ResultTablesController < ApplicationController
    end
  end

+  def check_create_permissions
+    render_403 unless can_create_results?(@my_module)
+  end
+
  def check_manage_permissions
-    render_403 unless can_manage_my_module?(@my_module)
+    render_403 unless can_manage_result?(@result)
  end

  def check_archive_permissions
@ -155,6 +161,10 @@ class ResultTablesController < ApplicationController
    end
  end

+  def check_view_permissions
+    render_403 unless can_read_result?(@result)
+  end
+
  def result_params
    params.require(:result).permit(
      :name, :archived,
--- a/app/controllers/result_texts_controller.rb
+++ b/app/controllers/result_texts_controller.rb
@ -8,8 +8,10 @@ class ResultTextsController < ApplicationController
  before_action :load_vars, only: [:edit, :update, :download]
  before_action :load_vars_nested, only: [:new, :create]

-  before_action :check_manage_permissions, only: %i(new create edit update)
+  before_action :check_manage_permissions, only: %i(edit update)
+  before_action :check_create_permissions, only: %i(new create)
  before_action :check_archive_permissions, only: [:update]
+  before_action :check_view_permissions, except: %i(new create edit update)

  def new
    @result = Result.new(
@ -149,8 +151,12 @@ class ResultTextsController < ApplicationController
    end
  end

+  def check_create_permissions
+    render_403 unless can_create_results?(@my_module)
+  end
+
  def check_manage_permissions
-    render_403 unless can_manage_my_module?(@my_module)
+    render_403 unless can_manage_result?(@result)
  end

  def check_archive_permissions
@ -159,6 +165,10 @@ class ResultTextsController < ApplicationController
    end
  end

+  def check_view_permissions
+    render_403 unless can_read_result?(@result)
+  end
+
  def result_params
    params.require(:result).permit(
      :name, :archived,
--- a/app/helpers/comment_helper.rb
+++ b/app/helpers/comment_helper.rb
@ -60,7 +60,9 @@ module CommentHelper
    case object.class.name
    when 'MyModule'
      can_create_my_module_comments?(object)
-    when 'Step', 'Result'
+    when 'Step'
+      can_create_my_module_comments?(object.my_module)
+    when 'Result'
      can_create_my_module_comments?(object.my_module)
    when 'Project'
      can_create_project_comments?(object)
@ -73,8 +75,10 @@ module CommentHelper
    case comment.type
    when 'TaskComment'
      can_manage_my_module_comment?(comment)
-    when 'StepComment', 'ResultComment'
+    when 'StepComment'
      can_manage_comment_in_module?(comment.becomes(Comment))
+    when 'ResultComment'
+      can_manage_result_comment?(comment.becomes(Comment))
    when 'ProjectComment'
      can_manage_comment_in_project?(comment)
    else
--- a/app/permissions/my_module.rb
+++ b/app/permissions/my_module.rb
@ -67,12 +67,12 @@ Canaid::Permissions.register_for(MyModule) do
    my_module.permission_granted?(user, MyModulePermissions::REPOSITORY_ROWS_MANAGE)
  end

-  can :manage_my_module_results do |user, my_module|
+  can :create_results do |user, my_module|
    my_module.permission_granted?(user, MyModulePermissions::RESULTS_MANAGE)
  end

-  can :delete_my_module_archived_results do |user, my_module|
-    my_module.permission_granted?(user, MyModulePermissions::RESULTS_DELETE_ARCHIVED)
+  can :create_my_module_result_comments do |user, my_module|
+    my_module.permission_granted?(user, MyModulePermissions::RESULTS_COMMENTS_CREATE)
  end

  can :manage_my_module_protocol do |user, my_module|
--- a/app/permissions/result.rb
+++ b/app/permissions/result.rb
@ -2,14 +2,39 @@

 Canaid::Permissions.register_for(Result) do
  can :read_result do |user, result|
-    can_read_experiment?(user, result.my_module.experiment)
+    can_read_my_module?(user, result.my_module)
  end

  can :manage_result do |user, result|
-    can_manage_my_module?(user, result.my_module) && result.active? && result.unlocked?(result)
+    !result.archived? &&
+      result.unlocked?(result) &&
+      result.my_module.permission_granted?(user, MyModulePermissions::RESULTS_MANAGE)
  end

  can :delete_result do |user, result|
-    can_manage_my_module?(user, result.my_module) && result.archived? && result.unlocked?(result)
+    result.archived? &&
+      result.unlocked?(result) &&
+      result.my_module.permission_granted?(user, MyModulePermissions::RESULTS_DELETE_ARCHIVED)
+  end
+end
+
+Canaid::Permissions.register_for(ResultComment) do
+  # Module, its experiment and its project must be active for all the specified
+  # permissions
+  %i(manage_result_comment)
+    .each do |perm|
+    can perm do |_, comment|
+      my_module = ::PermissionsUtil.get_comment_module(comment)
+      !my_module.archived_branch?
+    end
+  end
+
+  # module: update/delete comment
+  # result: update/delete comment
+  # step: update/delete comment
+  can :manage_result_comment do |user, comment|
+    my_module = ::PermissionsUtil.get_comment_module(comment)
+    (comment.user == user && my_module.permission_granted?(user, MyModulePermissions::RESULTS_COMMENTS_MANAGE_OWN)) ||
+      my_module.permission_granted?(user, MyModulePermissions::RESULTS_COMMENTS_MANAGE)
  end
 end
--- a/app/views/result_comments/_index.html.erb
+++ b/app/views/result_comments/_index.html.erb
@ -10,7 +10,7 @@
  <%= render partial: 'shared/comments/comments.html.erb', locals: {
    object: result,
    comments: comments,
-    can_create_comments: can_create_my_module_comments?(@my_module),
+    can_create_comments: can_create_my_module_result_comments?(@my_module),
    create_url: result_result_comments_path(result, format: :json),
    more_url: result_result_comments_path(result, format: :json, from: comments.first&.id)
  } %>
--- a/config/initializers/extends/permission_extends.rb
+++ b/config/initializers/extends/permission_extends.rb
@ -40,6 +40,9 @@ module PermissionExtends
      COMMENTS_MANAGE_OWN
      RESULTS_MANAGE
      RESULTS_DELETE_ARCHIVED
+      RESULTS_COMMENTS_MANAGE
+      RESULTS_COMMENTS_MANAGE_OWN
+      RESULTS_COMMENTS_CREATE
      TAGS_MANAGE
      PROTOCOL_MANAGE
      COMPLETE
--- a/spec/permissions/controllers/result_assets_controller_spec.rb
+++ b/spec/permissions/controllers/result_assets_controller_spec.rb
@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ResultAssetsController, type: :controller do
+  include PermissionExtends
+
+  it_behaves_like "a controller with authentication", {
+    new: { my_module_id: 1 },
+    create: { my_module_id: 1 },
+    edit: { id: 1 },
+    update: { id: 1 }
+  }
+
+  login_user
+
+  describe 'permissions checking' do
+    include_context 'reference_project_structure', {
+      team_role: :normal_user,
+      result_asset: true
+    }
+
+    it_behaves_like "a controller action with permissions checking", :get, :new do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) { { my_module_id: my_module.id, format: :json } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :post, :create do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) {
+        { my_module_id: my_module.id, result: { name: 'test', asset_attributes: 'new_signed_blob_id' } }
+      }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :get, :edit do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) { { id: result_asset.id, format: :json } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :patch, :update do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) { { id: result_asset.id, result: { asset_attributes: 'new_signed_blob_id' } } }
+    end
+  end
+end
--- a/spec/permissions/controllers/result_comments_controller_spec.rb
+++ b/spec/permissions/controllers/result_comments_controller_spec.rb
@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ResultCommentsController, type: :controller do
+  include PermissionExtends
+
+  it_behaves_like "a controller with authentication", {
+    index: { result_id: 1 },
+    create: { result_id: 1 },
+    update: { result_id: 1, id: 1 },
+    destroy: { result_id: 1, id: 1 }
+  }, []
+
+  login_user
+
+  describe 'permissions checking' do
+    include_context 'reference_project_structure', {
+      team_role: :normal_user,
+      result_text: true,
+      result_comment: true,
+    }
+
+    it_behaves_like "a controller action with permissions checking", :get, :index do
+      let(:testable) { project }
+      let(:permissions) { [MyModulePermissions::READ] }
+      let(:action_params) { { result_id: result_text.result.id } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :post, :create do
+      let(:testable) { project }
+      let(:permissions) { [MyModulePermissions::RESULTS_COMMENTS_CREATE] }
+      let(:action_params) { { result_id: result_text.result.id, comment: { message: 'Test' } } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :put, :update do
+      let(:testable) { project }
+      let(:permissions) { [MyModulePermissions::RESULTS_COMMENTS_MANAGE_OWN, MyModulePermissions::RESULTS_COMMENTS_MANAGE] }
+      let(:action_params) { { result_id: result_text.result.id, id: result_text_comment.id, comment: { message: 'Test1' } } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :post, :destroy do
+      let(:testable) { project }
+      let(:permissions) { [MyModulePermissions::RESULTS_COMMENTS_MANAGE_OWN, MyModulePermissions::RESULTS_COMMENTS_MANAGE] }
+      let(:action_params) { { result_id: result_text.result.id, id: result_text_comment.id } }
+    end
+  end
+end
--- a/spec/permissions/controllers/result_tables_controller_spec.rb
+++ b/spec/permissions/controllers/result_tables_controller_spec.rb
@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ResultTablesController, type: :controller do
+  include PermissionExtends
+
+  it_behaves_like "a controller with authentication", {
+    new: { my_module_id: 1 },
+    create: { my_module_id: 1 },
+    edit: { id: 1 },
+    update: { id: 1 },
+    download: { id: 1 }
+  }
+
+  login_user
+
+  describe 'permissions checking' do
+    include_context 'reference_project_structure', {
+      team_role: :normal_user,
+      result_table: true
+    }
+
+    it_behaves_like "a controller action with permissions checking", :get, :new do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) { { my_module_id: my_module.id, format: :json } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :post, :create do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) {
+        { my_module_id: my_module.id, result: { name: 'test', table_attributes: { content: 'test' } } }
+      }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :get, :edit do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) { { id: result_table.id, format: :json } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :get, :download do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::READ] }
+      let(:action_params) { { id: result_table.id } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :patch, :update do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) { { id: result_table.id, result: { table_attributes: { content: 'test1' } } } }
+    end
+  end
+end
--- a/spec/permissions/controllers/result_texts_controller_spec.rb
+++ b/spec/permissions/controllers/result_texts_controller_spec.rb
@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ResultTextsController, type: :controller do
+  include PermissionExtends
+
+  it_behaves_like "a controller with authentication", {
+    new: { my_module_id: 1 },
+    create: { my_module_id: 1 },
+    edit: { id: 1 },
+    update: { id: 1 },
+    download: { id: 1 }
+  }
+
+  login_user
+
+  describe 'permissions checking' do
+    include_context 'reference_project_structure', {
+      team_role: :normal_user,
+      result_text: true
+    }
+
+    it_behaves_like "a controller action with permissions checking", :get, :new do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) { { my_module_id: my_module.id, format: :json } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :post, :create do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) {
+        { my_module_id: my_module.id, result: { name: 'test', result_text_attributes: { text: 'test' } } }
+      }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :get, :edit do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) { { id:result_text.id, format: :json } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :get, :download do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::READ] }
+      let(:action_params) { { id:result_text.id } }
+    end
+
+    it_behaves_like "a controller action with permissions checking", :patch, :update do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+      let(:action_params) { { id:result_text.id, result: { result_text_attributes: { text: 'test1' } } } }
+    end
+  end
+end
--- a/spec/permissions/controllers/results_controller_spec.rb
+++ b/spec/permissions/controllers/results_controller_spec.rb
@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ResultsController, type: :controller do
+  include PermissionExtends
+
+  it_behaves_like "a controller with authentication", {
+    destroy: { id: 1 }
+  }
+
+  login_user
+
+  describe 'permissions checking' do
+    include_context 'reference_project_structure', {
+      team_role: :normal_user,
+      result_text: true
+
+    }
+    let!(:result) { result_text.result }
+
+    before do
+      result.archive!(user)
+    end
+
+    it_behaves_like "a controller action with permissions checking", :delete, :destroy do
+      let(:testable) { my_module }
+      let(:permissions) { [MyModulePermissions::RESULTS_DELETE_ARCHIVED] }
+      let(:action_params) { { id: result.id } }
+    end
+  end
+end