Merge pull request #2001 from aignatov-bio/ai-sci-3794-share-button-not-visible-for-locked-items

Add new permission check for share button [SCI-3794]
2024-09-21 23:46:21 +08:00 · 2019-08-21 09:05:00 +02:00 · 2019-08-21 09:05:00 +02:00 · da4a9b2ad4
parent cd962ad815 ed8ef7aa8f
commit da4a9b2ad4
4 changed files with 13 additions and 3 deletions
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@ -9,7 +9,8 @@ class RepositoriesController < ApplicationController
  before_action :check_view_all_permissions, only: :index
  before_action :check_view_permissions, only: %i(export_repository show)
  before_action :check_manage_permissions, only:
-    %i(destroy destroy_modal rename_modal update share_modal)
+    %i(destroy destroy_modal rename_modal update)
+  before_action :check_share_permissions, only: :share_modal
  before_action :check_create_permissions, only:
    %i(create_modal create copy_modal copy)
  before_action :set_inline_name_editing, only: %i(show)
@ -345,6 +346,10 @@ class RepositoriesController < ApplicationController
    render_403 unless can_manage_repository?(@repository)
  end

+  def check_share_permissions
+    render_403 unless can_share_repository?(@repository)
+  end
+
  def repository_params
    params.require(:repository).permit(:name)
  end
--- a/app/controllers/team_repositories_controller.rb
+++ b/app/controllers/team_repositories_controller.rb
@ -70,7 +70,7 @@ class TeamRepositoriesController < ApplicationController
  end

  def check_sharing_permissions
-    render_403 unless can_manage_repository?(@repository)
+    render_403 unless can_share_repository?(@repository)
  end

  def teams_to_share
--- a/app/permissions/repository.rb
+++ b/app/permissions/repository.rb
@ -13,6 +13,11 @@ Canaid::Permissions.register_for(Repository) do
    user.is_admin_of_team?(repository.team)
  end

+  # repository: share
+  can :share_repository do |user, repository|
+    user.is_admin_of_team?(repository.team)
+  end
+
  # repository: create/import record
  can :create_repository_rows do |user, repository|
    if user.teams.include?(repository.team)
--- a/app/views/repositories/show.html.erb
+++ b/app/views/repositories/show.html.erb
@ -36,7 +36,7 @@

    <div id="datatables-buttons" class="datatables-buttons" style="display: inline;">
      <div class="new-repository-button">
-        <% if can_manage_repository?(@repository) %>
+        <% if can_share_repository?(@repository) %>
          <%= link_to team_repository_share_modal_path(current_team, repository_id: @repository),
                      class: 'btn btn-default share-repo-option', remote: true, id: 'shareRepoBtn' do %>
            <span class="fas fa-user-plus"></span>