diff --git a/app/controllers/result_assets_controller.rb b/app/controllers/result_assets_controller.rb index c3cbea3e9..e8aa200e5 100644 --- a/app/controllers/result_assets_controller.rb +++ b/app/controllers/result_assets_controller.rb @@ -1,10 +1,11 @@ class ResultAssetsController < ApplicationController include ResultsHelper - before_action :load_vars, only: [:edit, :update, :download] - before_action :load_vars_nested, only: [:new, :create] + before_action :load_vars, only: %i(edit update) + before_action :load_vars_nested, only: %i(new create) - before_action :check_manage_permissions, only: %i(new create edit update) + before_action :check_manage_permissions, only: %i(edit update) + before_action :check_create_permissions, only: %i(new create) before_action :check_archive_permissions, only: [:update] def new @@ -142,8 +143,12 @@ class ResultAssetsController < ApplicationController render_404 unless @my_module end + def check_create_permissions + render_403 unless can_create_results?(@my_module) + end + def check_manage_permissions - render_403 unless can_manage_my_module?(@my_module) + render_403 unless can_manage_result?(@result) end def check_archive_permissions diff --git a/app/controllers/result_comments_controller.rb b/app/controllers/result_comments_controller.rb index 0d0e2b72f..e0d81d10f 100644 --- a/app/controllers/result_comments_controller.rb +++ b/app/controllers/result_comments_controller.rb 
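Review bot: The first hunk drops `:download` from `load_vars` and, unlike the ResultTablesController and ResultTextsController hunks in this same commit, adds no `check_view_permissions` filter for whatever actions remain outside new/create/edit/update. If this controller still serves a `download` action (the old `only:` list suggests it did), that action now runs with neither `@result` loaded nor any permission check, so it should either be removed explicitly or covered by `before_action :load_vars, only: %i(edit update download)` plus `before_action :check_view_permissions, except: %i(new create edit update)` backed by a `check_view_permissions` that renders 403 unless `can_read_result?(@result)`, as the sibling controllers do. The new spec for this controller lists no download route, which may mean the action is gone; the diff does not show enough of the file to confirm.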
@@ -49,17 +49,17 @@ class ResultCommentsController < ApplicationController end def check_view_permissions - render_403 unless can_read_experiment?(@my_module.experiment) + render_403 unless can_read_my_module?(@my_module) end def check_add_permissions - render_403 unless can_create_my_module_comments?(@my_module) + render_403 unless can_create_my_module_result_comments?(@my_module) end def check_manage_permissions @comment = ResultComment.find_by_id(params[:id]) render_403 unless @comment.present? && - can_manage_comment_in_module?(@comment.becomes(Comment)) + can_manage_result_comment?(@comment) end def comment_params diff --git a/app/controllers/result_tables_controller.rb b/app/controllers/result_tables_controller.rb index 07f9d3d95..110a4571b 100644 --- a/app/controllers/result_tables_controller.rb +++ b/app/controllers/result_tables_controller.rb @@ -5,8 +5,10 @@ class ResultTablesController < ApplicationController before_action :load_vars_nested, only: [:new, :create] before_action :convert_contents_to_utf8, only: [:create, :update] - before_action :check_manage_permissions, only: %i(new create edit update) + before_action :check_manage_permissions, only: %i(edit update) + before_action :check_create_permissions, only: %i(new create) before_action :check_archive_permissions, only: [:update] + before_action :check_view_permissions, except: %i(new create edit update) def new @table = Table.new @@ -145,8 +147,12 @@ class ResultTablesController < ApplicationController end end + def check_create_permissions + render_403 unless can_create_results?(@my_module) + end + def check_manage_permissions - render_403 unless can_manage_my_module?(@my_module) + render_403 unless can_manage_result?(@result) end def check_archive_permissions @@ -155,6 +161,10 @@ class ResultTablesController < ApplicationController end end + def check_view_permissions + render_403 unless can_read_result?(@result) + end + def result_params params.require(:result).permit( :name, :archived, 
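Review bot: `check_manage_permissions` now passes the `ResultComment` instance straight to `can_manage_result_comment?`, while `CommentHelper#can_manage_comment?` in this same commit (the second comment_helper hunk) calls the same permission with `comment.becomes(Comment)`; the permission is registered for `ResultComment` in app/permissions/result.rb, so the two call sites should pass the same type and the helper is the one that looks wrong. Whether Canaid rejects a plain `Comment` for a permission registered on `ResultComment` depends on its type check, which the diff does not show; if it does, the helper path would deny or raise for every result comment. Suggest `can_manage_result_comment?(comment)` in the helper, and a spec that exercises the shared comments partial so the two paths are tested together. The enclosing class continues outside the hunk.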
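Review bot: `before_action :check_view_permissions, except: %i(new create edit update)` is keyed on `@result`, which is presumably loaded by a `load_vars` filter above the hunk (in ResultTextsController it is `only: [:edit, :update, :download]`), so any action other than download that this `except:` admits would reach `can_read_result?(nil)`. Binding the guard to the actions that actually load the result, `before_action :check_view_permissions, only: %i(download)`, or extending `load_vars` to the same set, stops the check from depending on an unstated invariant; the same applies to the ResultTextsController hunk further down. The relative ordering is fine as written, since `load_vars` is registered before the new filter.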
diff --git a/app/controllers/result_texts_controller.rb b/app/controllers/result_texts_controller.rb index d4d90e780..280610e43 100644 --- a/app/controllers/result_texts_controller.rb +++ b/app/controllers/result_texts_controller.rb @@ -8,8 +8,10 @@ class ResultTextsController < ApplicationController before_action :load_vars, only: [:edit, :update, :download] before_action :load_vars_nested, only: [:new, :create] - before_action :check_manage_permissions, only: %i(new create edit update) + before_action :check_manage_permissions, only: %i(edit update) + before_action :check_create_permissions, only: %i(new create) before_action :check_archive_permissions, only: [:update] + before_action :check_view_permissions, except: %i(new create edit update) def new @result = Result.new( @@ -149,8 +151,12 @@ class ResultTextsController < ApplicationController end end + def check_create_permissions + render_403 unless can_create_results?(@my_module) + end + def check_manage_permissions - render_403 unless can_manage_my_module?(@my_module) + render_403 unless can_manage_result?(@result) end def check_archive_permissions @@ -159,6 +165,10 @@ class ResultTextsController < ApplicationController end end + def check_view_permissions + render_403 unless can_read_result?(@result) + end + def result_params params.require(:result).permit( :name, :archived, diff --git a/app/helpers/comment_helper.rb b/app/helpers/comment_helper.rb index 7686fede1..0dd6f23fc 100644 --- a/app/helpers/comment_helper.rb +++ b/app/helpers/comment_helper.rb @@ -60,7 +60,9 @@ module CommentHelper case object.class.name when 'MyModule' can_create_my_module_comments?(object) - when 'Step', 'Result' + when 'Step' + can_create_my_module_comments?(object.my_module) + when 'Result' can_create_my_module_comments?(object.my_module) when 'Project' can_create_project_comments?(object) 
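Review bot: The split `when 'Step'` / `when 'Result'` branches are identical, so the change is a no-op for `Result`, and the `Result` branch still answers `can_create_my_module_comments?` while `ResultCommentsController#check_add_permissions` and `result_comments/_index.html.erb` in this same commit gate creation on `can_create_my_module_result_comments?`. A user holding the module-comment permission but not `RESULTS_COMMENTS_CREATE` (or the reverse) would be shown one answer by this helper and another by the controller, so the `Result` branch should read `can_create_my_module_result_comments?(object.my_module)`. The enclosing method's header and tail are outside the hunk.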
@@ -73,8 +75,10 @@ module CommentHelper case comment.type when 'TaskComment' can_manage_my_module_comment?(comment) - when 'StepComment', 'ResultComment' + when 'StepComment' can_manage_comment_in_module?(comment.becomes(Comment)) + when 'ResultComment' + can_manage_result_comment?(comment.becomes(Comment)) when 'ProjectComment' can_manage_comment_in_project?(comment) else diff --git a/app/permissions/my_module.rb b/app/permissions/my_module.rb index 9f1f8f2c8..06f0da0c8 100644 --- a/app/permissions/my_module.rb +++ b/app/permissions/my_module.rb @@ -67,12 +67,12 @@ Canaid::Permissions.register_for(MyModule) do my_module.permission_granted?(user, MyModulePermissions::REPOSITORY_ROWS_MANAGE) end - can :manage_my_module_results do |user, my_module| + can :create_results do |user, my_module| my_module.permission_granted?(user, MyModulePermissions::RESULTS_MANAGE) end - can :delete_my_module_archived_results do |user, my_module| - my_module.permission_granted?(user, MyModulePermissions::RESULTS_DELETE_ARCHIVED) + can :create_my_module_result_comments do |user, my_module| + my_module.permission_granted?(user, MyModulePermissions::RESULTS_COMMENTS_CREATE) end can :manage_my_module_protocol do |user, my_module| diff --git a/app/permissions/result.rb b/app/permissions/result.rb index 0fcb1592b..b684545db 100644 --- a/app/permissions/result.rb +++ b/app/permissions/result.rb 
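Review bot: `manage_my_module_results` and `delete_my_module_archived_results` are removed here, and the only callers updated in this diff are the result controllers and helpers; any remaining `can_manage_my_module_results?` / `can_delete_my_module_archived_results?` call in views, serializers or other controllers would now raise `NoMethodError`, which in a view surfaces as a 500 rather than a denied request. A repository-wide search for both names before merge would settle that; the diff cannot. Since `create_results` now sits among `manage_*` permissions that all take a `my_module`, a one-line comment such as `# creation only; editing/deleting an existing result is decided per result in app/permissions/result.rb` would spare the next reader a search.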
@@ -2,14 +2,39 @@ Canaid::Permissions.register_for(Result) do can :read_result do |user, result| - can_read_experiment?(user, result.my_module.experiment) + can_read_my_module?(user, result.my_module) end can :manage_result do |user, result| - can_manage_my_module?(user, result.my_module) && result.active? && result.unlocked?(result) + !result.archived? && + result.unlocked?(result) && + result.my_module.permission_granted?(user, MyModulePermissions::RESULTS_MANAGE) end can :delete_result do |user, result| - can_manage_my_module?(user, result.my_module) && result.archived? && result.unlocked?(result) + result.archived? && + result.unlocked?(result) && + result.my_module.permission_granted?(user, MyModulePermissions::RESULTS_DELETE_ARCHIVED) + end +end + +Canaid::Permissions.register_for(ResultComment) do + # Module, its experiment and its project must be active for all the specified + # permissions + %i(manage_result_comment) + .each do |perm| + can perm do |_, comment| + my_module = ::PermissionsUtil.get_comment_module(comment) + !my_module.archived_branch? + end + end + + # module: update/delete comment + # result: update/delete comment + # step: update/delete comment + can :manage_result_comment do |user, comment| + my_module = ::PermissionsUtil.get_comment_module(comment) + (comment.user == user && my_module.permission_granted?(user, MyModulePermissions::RESULTS_COMMENTS_MANAGE_OWN)) || + my_module.permission_granted?(user, MyModulePermissions::RESULTS_COMMENTS_MANAGE) end end diff --git a/app/views/result_comments/_index.html.erb b/app/views/result_comments/_index.html.erb index 978d9c302..cd011d54a 100644 --- a/app/views/result_comments/_index.html.erb +++ b/app/views/result_comments/_index.html.erb 
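Review bot: `manage_result` and `delete_result` replace `can_manage_my_module?(user, result.my_module)` with a bare `permission_granted?` check, so whatever active-state conditions that helper carried no longer apply to results, whereas the new `ResultComment` block in the same hunk spells that condition out as `!my_module.archived_branch?`. If `can_manage_my_module?` did include such a check, a user who keeps RESULTS_MANAGE or RESULTS_DELETE_ARCHIVED on a module whose branch is archived can now edit or delete its results; adding `!result.my_module.archived_branch? &&` as the first term of both blocks restores the previous scope. Two smaller points: the `%i(manage_result_comment).each` loop wraps a single permission and reads as copy-paste from a longer list, and the comment `# module: update/delete comment / # result: ... / # step: ...` above `manage_result_comment` describes three comment kinds where only result comments are registered here, so trim it to `# result comment: update/delete own (RESULTS_COMMENTS_MANAGE_OWN) or any (RESULTS_COMMENTS_MANAGE)`.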
@@ -10,7 +10,7 @@ <%= render partial: 'shared/comments/comments.html.erb', locals: { object: result, comments: comments, - can_create_comments: can_create_my_module_comments?(@my_module), + can_create_comments: can_create_my_module_result_comments?(@my_module), create_url: result_result_comments_path(result, format: :json), more_url: result_result_comments_path(result, format: :json, from: comments.first&.id) } %> diff --git a/config/initializers/extends/permission_extends.rb b/config/initializers/extends/permission_extends.rb index 774768c2b..649df3dcc 100644 --- a/config/initializers/extends/permission_extends.rb +++ b/config/initializers/extends/permission_extends.rb @@ -40,6 +40,9 @@ module PermissionExtends COMMENTS_MANAGE_OWN RESULTS_MANAGE RESULTS_DELETE_ARCHIVED + RESULTS_COMMENTS_MANAGE + RESULTS_COMMENTS_MANAGE_OWN + RESULTS_COMMENTS_CREATE TAGS_MANAGE PROTOCOL_MANAGE COMPLETE diff --git a/spec/permissions/controllers/result_assets_controller_spec.rb b/spec/permissions/controllers/result_assets_controller_spec.rb new file mode 100644 index 000000000..19f8a33e7 --- /dev/null +++ b/spec/permissions/controllers/result_assets_controller_spec.rb 
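Review bot: Three new `MyModulePermissions` constants are added, but nothing in the diff grants them to any role or migrates users who today rely on the module-level comment permissions, while the controllers and view in this commit switch to checking `RESULTS_COMMENTS_CREATE` / `RESULTS_COMMENTS_MANAGE` / `RESULTS_COMMENTS_MANAGE_OWN` exclusively. If role permission sets live in seeds or a role model elsewhere, they need the same three entries plus a data migration for roles that already exist, otherwise existing users lose result-comment creation and management on deploy. The new spec files assert only the new constants, so that regression would not be caught by them.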
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ResultAssetsController, type: :controller do
+ include PermissionExtends
+
+ it_behaves_like "a controller with authentication", {
+ new: { my_module_id: 1 },
+ create: { my_module_id: 1 },
+ edit: { id: 1 },
+ update: { id: 1 }
+ }
+
+ login_user
+
+ describe 'permissions checking' do
+ include_context 'reference_project_structure', {
+ team_role: :normal_user,
+ result_asset: true
+ }
+
+ it_behaves_like "a controller action with permissions checking", :get, :new do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) { { my_module_id: my_module.id, format: :json } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :post, :create do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) {
+ { my_module_id: my_module.id, result: { name: 'test', asset_attributes: 'new_signed_blob_id' } }
+ }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :get, :edit do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) { { id: result_asset.id, format: :json } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :patch, :update do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) { { id: result_asset.id, result: { asset_attributes: 'new_signed_blob_id' } } }
+ end
+ end
+end
diff --git a/spec/permissions/controllers/result_comments_controller_spec.rb b/spec/permissions/controllers/result_comments_controller_spec.rb
new file mode 100644
index 000000000..4fd3dffc2
--- /dev/null
+++ b/spec/permissions/controllers/result_comments_controller_spec.rb
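Review bot: The edit and update examples cover only the RESULTS_MANAGE permission bit, while `manage_result` in app/permissions/result.rb also requires the result to be unarchived and unlocked; neither this spec nor the tables/texts specs exercise that branch, so a regression in the `archived?` / `unlocked?` terms would pass the suite. A second example with `result.archive!(user)` in a `before` block (the pattern the new results_controller_spec already uses) and an expectation of 403 on `:patch, :update` would close that gap, assuming the shared example checks the denied path as well as the granted one. This spec also lists no `download` route, unlike the tables and texts specs; if the action still exists on ResultAssetsController it is untested.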
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ResultCommentsController, type: :controller do
+ include PermissionExtends
+
+ it_behaves_like "a controller with authentication", {
+ index: { result_id: 1 },
+ create: { result_id: 1 },
+ update: { result_id: 1, id: 1 },
+ destroy: { result_id: 1, id: 1 }
+ }, []
+
+ login_user
+
+ describe 'permissions checking' do
+ include_context 'reference_project_structure', {
+ team_role: :normal_user,
+ result_text: true,
+ result_comment: true,
+ }
+
+ it_behaves_like "a controller action with permissions checking", :get, :index do
+ let(:testable) { project }
+ let(:permissions) { [MyModulePermissions::READ] }
+ let(:action_params) { { result_id: result_text.result.id } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :post, :create do
+ let(:testable) { project }
+ let(:permissions) { [MyModulePermissions::RESULTS_COMMENTS_CREATE] }
+ let(:action_params) { { result_id: result_text.result.id, comment: { message: 'Test' } } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :put, :update do
+ let(:testable) { project }
+ let(:permissions) { [MyModulePermissions::RESULTS_COMMENTS_MANAGE_OWN, MyModulePermissions::RESULTS_COMMENTS_MANAGE] }
+ let(:action_params) { { result_id: result_text.result.id, id: result_text_comment.id, comment: { message: 'Test1' } } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :post, :destroy do
+ let(:testable) { project }
+ let(:permissions) { [MyModulePermissions::RESULTS_COMMENTS_MANAGE_OWN, MyModulePermissions::RESULTS_COMMENTS_MANAGE] }
+ let(:action_params) { { result_id: result_text.result.id, id: result_text_comment.id } }
+ end
+ end
+end
diff --git a/spec/permissions/controllers/result_tables_controller_spec.rb b/spec/permissions/controllers/result_tables_controller_spec.rb
new file mode 100644
index 000000000..99af42ae6
--- /dev/null
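Review bot: Every example here uses `let(:testable) { project }` with `MyModulePermissions::*` constants, whereas the other four new specs in this commit pair module permissions with `let(:testable) { my_module }`; if the shared example grants `permissions` on the role attached to `testable`, the project-level object may not carry a module permission at all, and the examples would then pass or fail for the wrong reason. The destroy example is driven with `:post, :destroy` while results_controller_spec uses `:delete, :destroy`, so one of the two is exercising a route that may not exist. Minor: the `include_context` hash ends with a trailing comma after `result_comment: true,`, and the extra `[]` argument to "a controller with authentication" appears nowhere else in these specs and deserves a word on what it disables.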
+++ b/spec/permissions/controllers/result_tables_controller_spec.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ResultTablesController, type: :controller do
+ include PermissionExtends
+
+ it_behaves_like "a controller with authentication", {
+ new: { my_module_id: 1 },
+ create: { my_module_id: 1 },
+ edit: { id: 1 },
+ update: { id: 1 },
+ download: { id: 1 }
+ }
+
+ login_user
+
+ describe 'permissions checking' do
+ include_context 'reference_project_structure', {
+ team_role: :normal_user,
+ result_table: true
+ }
+
+ it_behaves_like "a controller action with permissions checking", :get, :new do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) { { my_module_id: my_module.id, format: :json } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :post, :create do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) {
+ { my_module_id: my_module.id, result: { name: 'test', table_attributes: { content: 'test' } } }
+ }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :get, :edit do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) { { id: result_table.id, format: :json } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :get, :download do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::READ] }
+ let(:action_params) { { id: result_table.id } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :patch, :update do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) { { id: result_table.id, result: { table_attributes: { content: 'test1' } } } }
+ end
+ end
+end
diff --git a/spec/permissions/controllers/result_texts_controller_spec.rb b/spec/permissions/controllers/result_texts_controller_spec.rb
new file mode 100644
index 000000000..35496c568
--- /dev/null
+++ b/spec/permissions/controllers/result_texts_controller_spec.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ResultTextsController, type: :controller do
+ include PermissionExtends
+
+ it_behaves_like "a controller with authentication", {
+ new: { my_module_id: 1 },
+ create: { my_module_id: 1 },
+ edit: { id: 1 },
+ update: { id: 1 },
+ download: { id: 1 }
+ }
+
+ login_user
+
+ describe 'permissions checking' do
+ include_context 'reference_project_structure', {
+ team_role: :normal_user,
+ result_text: true
+ }
+
+ it_behaves_like "a controller action with permissions checking", :get, :new do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) { { my_module_id: my_module.id, format: :json } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :post, :create do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) {
+ { my_module_id: my_module.id, result: { name: 'test', result_text_attributes: { text: 'test' } } }
+ }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :get, :edit do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) { { id:result_text.id, format: :json } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :get, :download do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::READ] }
+ let(:action_params) { { id:result_text.id } }
+ end
+
+ it_behaves_like "a controller action with permissions checking", :patch, :update do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_MANAGE] }
+ let(:action_params) { { id:result_text.id, result: { result_text_attributes: { text: 'test1' } } } }
+ end
+ end
+end
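Review bot: The three `action_params` hashes for edit, download and update are written `{ id:result_text.id, ... }` with no space after `id:`; Ruby parses it as the symbol key, but it reads like a label and RuboCop's Layout/SpaceAfterColon will flag it, and it is the only spec in this set written that way. Normalise to `{ id: result_text.id, format: :json }` and likewise on the other two lines.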
diff --git a/spec/permissions/controllers/results_controller_spec.rb b/spec/permissions/controllers/results_controller_spec.rb
new file mode 100644
index 000000000..e44693c5e
--- /dev/null
+++ b/spec/permissions/controllers/results_controller_spec.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe ResultsController, type: :controller do
+ include PermissionExtends
+
+ it_behaves_like "a controller with authentication", {
+ destroy: { id: 1 }
+ }
+
+ login_user
+
+ describe 'permissions checking' do
+ include_context 'reference_project_structure', {
+ team_role: :normal_user,
+ result_text: true
+
+ }
+ let!(:result) { result_text.result }
+
+ before do
+ result.archive!(user)
+ end
+
+ it_behaves_like "a controller action with permissions checking", :delete, :destroy do
+ let(:testable) { my_module }
+ let(:permissions) { [MyModulePermissions::RESULTS_DELETE_ARCHIVED] }
+ let(:action_params) { { id: result.id } }
+ end
+ end
+end
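Review bot: The `include_context 'reference_project_structure'` hash carries a stray blank line between `result_text: true` and the closing `}`, and `let!(:result)` follows the closing brace with no separating blank line; both are layout only but they stand out against the four sibling specs in this commit. The `before { result.archive!(user) }` setup is the right precondition for `delete_result`, which in app/permissions/result.rb requires `result.archived?`; a one-line comment such as `# delete_result only applies to archived results, see app/permissions/result.rb` above the `before` block would make that dependency visible to the next reader.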