diff --git a/Gemfile b/Gemfile index e7e923aa1..b5bf73214 100644 --- a/Gemfile +++ b/Gemfile @@ -17,6 +17,7 @@ gem 'font-awesome-rails', '~> 4.7.0.2' gem 'recaptcha', require: 'recaptcha/rails' gem 'sanitize', '~> 4.4' gem 'omniauth' +gem 'omniauth-linkedin-oauth2' # Gems for API implementation gem 'jwt', '~> 1.5' diff --git a/Gemfile.lock b/Gemfile.lock index c489a646d..8708cab95 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -215,6 +215,8 @@ GEM railties (>= 3.0.0) faker (1.8.7) i18n (>= 0.7) + faraday (0.12.2) + multipart-post (>= 1.2, < 3) ffi (1.9.18) figaro (1.1.1) thor (~> 0.14) @@ -289,6 +291,8 @@ GEM railties (>= 3.1) multi_json (1.13.1) multi_test (0.1.2) + multi_xml (0.6.0) + multipart-post (2.0.0) nested_form_fields (0.8.2) coffee-rails (>= 3.2.1) jquery-rails @@ -299,10 +303,22 @@ GEM mini_portile2 (~> 2.3.0) nokogumbo (1.4.13) nokogiri + oauth2 (1.4.0) + faraday (>= 0.8, < 0.13) + jwt (~> 1.0) + multi_json (~> 1.3) + multi_xml (~> 0.5) + rack (>= 1.2, < 3) oj (3.3.10) omniauth (1.8.1) hashie (>= 3.4.6, < 3.6.0) rack (>= 1.6.2, < 3) + omniauth-linkedin-oauth2 (0.2.5) + omniauth (~> 1.0) + omniauth-oauth2 + omniauth-oauth2 (1.5.0) + oauth2 (~> 1.1) + omniauth (~> 1.2) orm_adapter (0.5.0) paperclip (5.2.1) activemodel (>= 4.2.0) @@ -559,6 +575,7 @@ DEPENDENCIES newrelic_rpm nokogiri (~> 1.8.1) omniauth + omniauth-linkedin-oauth2 paperclip (~> 5.1) pg (~> 0.18) phantomjs diff --git a/VERSION b/VERSION index 393ccdb5b..e6e1ff3ac 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.12.10 +1.12.11 diff --git a/app/assets/images/linkedin/Sign-in-Small---Active.png b/app/assets/images/linkedin/Sign-in-Small---Active.png new file mode 100644 index 000000000..dea692fd9 Binary files /dev/null and b/app/assets/images/linkedin/Sign-in-Small---Active.png differ 
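Review bot: The new `gem 'omniauth-linkedin-oauth2'` entry has no version constraint, unlike its neighbours (`gem 'sanitize', '~> 4.4'`, `gem 'jwt', '~> 1.5'`); the lockfile hunk resolves it to 0.2.5, so `gem 'omniauth-linkedin-oauth2', '~> 0.2.5'` would stop a later `bundle update` from silently moving an authentication dependency across a major version. The lockfile also pins `omniauth (1.8.1)`, a 1.x series whose provider request phase is reachable by GET; the route and provider configuration are not part of this diff, so confirm the OmniAuth entry point is restricted to POST with CSRF protection before this ships.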
diff --git a/app/assets/images/linkedin/Sign-in-Small---Default.png b/app/assets/images/linkedin/Sign-in-Small---Default.png new file mode 100644 index 000000000..f8129afe2 Binary files /dev/null and b/app/assets/images/linkedin/Sign-in-Small---Default.png differ diff --git a/app/assets/images/linkedin/Sign-in-Small---Hover.png b/app/assets/images/linkedin/Sign-in-Small---Hover.png new file mode 100644 index 000000000..643236eec Binary files /dev/null and b/app/assets/images/linkedin/Sign-in-Small---Hover.png differ diff --git a/app/controllers/api/v20170715/core_api_controller.rb b/app/controllers/api/v20170715/core_api_controller.rb index 7c5a61fac..c8a07e8dc 100644 --- a/app/controllers/api/v20170715/core_api_controller.rb +++ b/app/controllers/api/v20170715/core_api_controller.rb @@ -1,8 +1,6 @@ module Api module V20170715 class CoreApiController < ApiController - include PermissionHelper - def tasks_tree teams_json = [] current_user.teams.find_each do |tm| diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 3143debb3..ab83e183d 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -1,5 +1,4 @@ class ApplicationController < ActionController::Base - include PermissionHelper include FirstTimeDataGenerator acts_as_token_authentication_handler_for User diff --git a/app/controllers/assets_controller.rb b/app/controllers/assets_controller.rb index a3b4a04ab..f95b58d81 100644 --- a/app/controllers/assets_controller.rb +++ b/app/controllers/assets_controller.rb 
@@ -122,9 +122,7 @@ class AssetsController < ApplicationController render_403 && return unless can_read_protocol_in_module?(@protocol) || can_read_protocol_in_repository?(@protocol) elsif @assoc.class == Result - unless can_view_or_download_result_assets(@my_module) - render_403 and return - end + render_403 and return unless can_read_experiment?(@my_module.experiment) elsif @assoc.class == RepositoryCell # TBD end @@ -133,11 +131,9 @@ class AssetsController < ApplicationController def check_edit_permission if @assoc.class == Step render_403 && return unless can_manage_protocol_in_module?(@protocol) || - can_update_protocol_in_repository?(@protocol) + can_manage_protocol_in_repository?(@protocol) elsif @assoc.class == Result - unless can_edit_result_asset_in_module(@my_module) - render_403 and return - end + render_403 and return unless can_manage_module?(@my_module) elsif @assoc.class == RepositoryCell # TBD end diff --git a/app/controllers/canvas_controller.rb b/app/controllers/canvas_controller.rb index d3aa4db32..c055f9199 100644 --- a/app/controllers/canvas_controller.rb +++ b/app/controllers/canvas_controller.rb @@ -45,7 +45,7 @@ class CanvasController < ApplicationController # Make sure connections parameter is valid connections = [] - if can_edit_connections(@experiment) && update_params[:connections].present? + if update_params[:connections].present? conns = update_params[:connections].split(',') if conns.length.even? && conns.all? { |c| c.is_a? String } conns.each_slice(2).each do |c| @@ -58,7 +58,7 @@ class CanvasController < ApplicationController # Make sure positions parameter is valid positions = {} - if can_reposition_modules(@experiment) && update_params[:positions].present? + if update_params[:positions].present? poss = update_params[:positions].split(';') center = '' (poss.collect { |pos| pos.split(',') }).each_with_index do |pos, index| 
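Review bot: The new Result branch, `render_403 and return unless can_read_experiment?(@my_module.experiment)`, uses `and` while the Step branch two lines above uses `render_403 && return unless …`; the check_edit_permission hunk below mixes the two forms the same way. `and` binds looser than `&&`, which only works here because `render_403` is the entire left operand, so writing both branches as `render_403 && return unless …` keeps one precedence rule per method. The RepositoryCell branch remains a bare `# TBD`, meaning a RepositoryCell association passes both checks with no permission call at all; a `# TODO: no permission check yet — deliberately allowed?` comment would at least make that explicit. Both enclosing methods start outside the hunk.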
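Review bot: The `connections` branch of `update` now runs on `update_params[:connections].present?` alone; the `can_edit_connections(@experiment)` guard is removed with no replacement visible in this hunk, and the same happens to `can_reposition_modules` in the next hunk and to the `can_manage_experiment?`/`can_clone_modules` guards on the `add`, `rename` and `cloned` branches in the following hunks. If the intent is one `before_action` that gates `update` with `can_manage_experiment?(@experiment)`, that line is not in this diff, so confirm it exists; otherwise any user who can reach `update` can now rewrite connections and positions. A comment at the top of `update`, e.g. `# experiment-level manage permission is enforced by before_action; per-module checks below`, would make the dependency explicit. `update` begins before this hunk.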
@@ -83,7 +83,7 @@ class CanvasController < ApplicationController # Make sure that to_add is an array of strings, # as well as that positions for newly added modules exist to_add = [] - if can_manage_experiment?(@experiment) && update_params[:add].present? && + if update_params[:add].present? && update_params['add-names'].present? ids = update_params[:add].split(',') names = update_params['add-names'].split('|') @@ -101,16 +101,16 @@ class CanvasController < ApplicationController # Make sure rename parameter is valid to_rename = {} - if can_manage_experiment?(@experiment) && update_params[:rename].present? + if update_params[:rename].present? begin to_rename = JSON.parse(update_params[:rename]) # Okay, JSON parsed! unless to_rename.is_a?(Hash) && - to_rename.keys.all? { |k| k.is_a? String } && - to_rename.values.all? { |k| k.is_a? String } && to_rename.keys.all? do |id| + id.is_a?(String) && can_manage_module?(MyModule.find_by_id(id)) - end + end && + to_rename.values.all? { |new_name| new_name.is_a? String } return render_403 end rescue @@ -125,10 +125,13 @@ class CanvasController < ApplicationController to_move = JSON.parse(update_params[:move]) # Okay, JSON parsed! unless to_move.is_a?(Hash) && - to_move.keys.all? { |k| k.is_a? String } && - to_move.values.all? { |k| k.is_a? String } && - to_rename.keys.all? do |id| - can_manage_module?(MyModule.find_by_id(id)) + to_move.keys.all? do |id| + id.is_a?(String) && + (!is_int?(id) || can_manage_module?(MyModule.find_by_id(id))) + end && + to_move.values.all? do |exp_id| + exp_id.is_a?(String) && + can_manage_experiment?(Experiment.find_by_id(exp_id)) end return render_403 end 
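Review bot: In the `to_move` validation, a key for which `is_int?(id)` is false skips `can_manage_module?` entirely and the reason is not stated — presumably these are temporary ids of modules added in the same request, as handled by `to_add` above; a comment such as `# non-integer keys are temporary ids of modules created in this request; their permissions are covered by the to_add check` would document the exemption. `MyModule.find_by_id(id)` and `Experiment.find_by_id(exp_id)` return nil for unknown ids, so the check only rejects them if `can_manage_module?(nil)` and `can_manage_experiment?(nil)` return false; those helpers are not in this diff, so either confirm that or guard explicitly, e.g. `(experiment = Experiment.find_by_id(exp_id)) && can_manage_experiment?(experiment)`. The `to_rename` hunk above has the same nil path.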
@@ -149,7 +152,7 @@ class CanvasController < ApplicationController # Make sure that to_clone is an array of pairs, # as well as that all IDs exist to_clone = {} - if can_clone_modules(@experiment) && update_params[:cloned].present? + if update_params[:cloned].present? clones = update_params[:cloned].split(';') (clones.collect { |v| v.split(',') }).each do |val| if val.length == 2 && is_int?(val[0]) && val[1].is_a?(String) && diff --git a/app/controllers/concerns/sample_actions.rb b/app/controllers/concerns/sample_actions.rb index 5b97544eb..0edb9166c 100644 --- a/app/controllers/concerns/sample_actions.rb +++ b/app/controllers/concerns/sample_actions.rb @@ -1,9 +1,7 @@ module SampleActions extend ActiveSupport::Concern - include PermissionHelper def delete_samples - check_destroy_samples_permissions if params[:sample_ids].present? counter_user = 0 @@ -11,7 +9,7 @@ module SampleActions params[:sample_ids].each do |id| sample = Sample.find_by_id(id) - if sample && can_update_or_delete_sample?(sample) + if sample && can_manage_sample?(sample) sample.destroy counter_user += 1 else @@ -43,8 +41,4 @@ module SampleActions redirect_to samples_experiment_path(@experiment) end end - - def check_destroy_samples_permissions - render_403 unless can_manage_samples?(@project.team) - end end diff --git a/app/controllers/custom_fields_controller.rb b/app/controllers/custom_fields_controller.rb index 56f738bb6..014caab75 100644 --- a/app/controllers/custom_fields_controller.rb +++ b/app/controllers/custom_fields_controller.rb @@ -4,7 +4,7 @@ class CustomFieldsController < ApplicationController before_action :load_vars, except: :create before_action :load_vars_nested, only: [:create, :destroy_html] before_action :check_create_permissions, only: :create - before_action :check_update_and_delete_permissions, except: :create + before_action :check_manage_permissions, except: :create def create @custom_field = CustomField.new(custom_field_params) 
@@ -105,11 +105,11 @@ class CustomFieldsController < ApplicationController end def check_create_permissions - render_403 unless can_manage_sample_columns?(@team) + render_403 unless can_create_sample_columns?(@team) end - def check_update_and_delete_permissions - render_403 unless can_update_or_delete_custom_field?(@custom_field) + def check_manage_permissions + render_403 unless can_manage_sample_column?(@custom_field) end def custom_field_params diff --git a/app/controllers/experiments_controller.rb b/app/controllers/experiments_controller.rb index ecd95c95d..f2134209b 100644 --- a/app/controllers/experiments_controller.rb +++ b/app/controllers/experiments_controller.rb @@ -1,6 +1,5 @@ class ExperimentsController < ApplicationController include SampleActions - include PermissionHelper include TeamsHelper include InputSanitizeHelper include ActionView::Helpers::TextHelper @@ -14,6 +13,8 @@ class ExperimentsController < ApplicationController :clone_modal, :move_modal, :delete_samples] before_action :check_view_permissions, only: [:canvas, :module_archive] + before_action :check_manage_permissions, only: :edit + before_action :check_archive_permissions, only: :archive before_action :check_clone_permissions, only: %i(clone_modal clone) before_action :check_move_permissions, only: %i(move_modal move) @@ -91,9 +92,16 @@ class ExperimentsController < ApplicationController end def update + render_403 && return unless if experiment_params[:archived] == 'false' + can_restore_experiment?(@experiment) + else + can_manage_experiment?(@experiment) + end + old_text = @experiment.description @experiment.update_attributes(experiment_params) @experiment.last_modified_by = current_user + if @experiment.save experiment_annotation_notification(old_text) 
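Review bot: In `update`, archiving through this action (any `experiment_params[:archived]` value other than `'false'`, including `'true'`) is gated by `can_manage_experiment?`, while the same commit adds `check_archive_permissions` with `can_archive_experiment?` for the `archive` action; if the two predicates can differ, a user lacking archive permission can still archive via `update`. Adding an `elsif experiment_params[:archived] == 'true'` branch that uses `can_archive_experiment?(@experiment)`, as projects_controller does in this diff, closes that gap. The `render_403 && return unless if … end` construct is hard to scan; a private `update_permitted?` predicate with a one-line comment noting that `archived` arrives as a string would read better. `update` continues outside the hunk.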
@@ -344,6 +352,14 @@ class ExperimentsController < ApplicationController
 render_403 unless can_read_experiment?(@experiment)
 end
+ def check_manage_permissions
+ render_403 unless can_manage_experiment?(@experiment)
+ end
+
+ def check_archive_permissions
+ render_403 unless can_archive_experiment?(@experiment)
+ end
+
 def check_clone_permissions
 render_403 unless can_clone_experiment?(@experiment)
 end
diff --git a/app/controllers/my_module_comments_controller.rb b/app/controllers/my_module_comments_controller.rb
index fdf5021ce..2a0251384 100644
--- a/app/controllers/my_module_comments_controller.rb
+++ b/app/controllers/my_module_comments_controller.rb
@@ -7,8 +7,7 @@ class MyModuleCommentsController < ApplicationController
 before_action :load_vars
 before_action :check_view_permissions, only: :index
 before_action :check_add_permissions, only: [:create]
- before_action :check_edit_permissions, only: [:edit, :update]
- before_action :check_destroy_permissions, only: [:destroy]
+ before_action :check_manage_permissions, only: %i(edit update destroy)
 def index
 @comments = @my_module.last_comments(@last_comment_id, @per_page)
@@ -184,19 +183,13 @@ class MyModuleCommentsController < ApplicationController
 end
 def check_add_permissions
- unless can_add_comment_to_module(@my_module)
- render_403
- end
+ render_403 unless can_create_comments_in_module?(@my_module)
 end
- def check_edit_permissions
+ def check_manage_permissions
 @comment = TaskComment.find_by_id(params[:id])
- render_403 unless @comment.present? && can_edit_module_comment(@comment)
- end
-
- def check_destroy_permissions
- @comment = TaskComment.find_by_id(params[:id])
- render_403 unless @comment.present? && can_delete_module_comment(@comment)
+ render_403 unless @comment.present? &&
+ can_manage_comment_in_module?(@comment.becomes(Comment))
 end
 def comment_params
diff --git a/app/controllers/my_module_tags_controller.rb b/app/controllers/my_module_tags_controller.rb
index 2ce5a0170..79ff20cb5 100644
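Review bot: `check_manage_permissions` loads `@comment` with `TaskComment.find_by_id(params[:id])` and passes `@comment.becomes(Comment)` to `can_manage_comment_in_module?`, but nothing ties the comment to the `@my_module` that `load_vars` sets; if the helper derives the module from the comment itself this is fine, otherwise a comment id belonging to another module is accepted. Scoping the lookup through the module's own comments association (if one exists) instead of the bare `TaskComment.find_by_id` removes the ambiguity. The `becomes(Comment)` cast deserves a one-line comment, e.g. `# helper expects the base Comment class`, since the reason is not visible here. The same pattern appears in result_comments_controller later in this diff.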
--- a/app/controllers/my_module_tags_controller.rb
+++ b/app/controllers/my_module_tags_controller.rb
@@ -1,7 +1,7 @@
 class MyModuleTagsController < ApplicationController
 before_action :load_vars
- before_action :check_view_permissions, only: [:index_edit, :index]
- before_action :check_manage_permissions, only: %i(create destroy)
+ before_action :check_view_permissions, only: :index
+ before_action :check_manage_permissions, only: %i(create index_edit destroy)
 def index_edit
 @my_module_tags = @my_module.my_module_tags
@@ -74,11 +74,11 @@ class MyModuleTagsController < ApplicationController
 end
 def check_view_permissions
- render_403 unless can_read_project?(@my_module.experiment.project)
+ render_403 unless can_read_experiment?(@my_module.experiment)
 end
 def check_manage_permissions
- render_403 unless can_create_or_manage_tags?(@my_module.experiment.project)
+ render_403 unless can_manage_tags?(@my_module.experiment.project)
 end
 def init_gui
diff --git a/app/controllers/my_modules_controller.rb b/app/controllers/my_modules_controller.rb
index 50b71be62..9a64108f4 100644
--- a/app/controllers/my_modules_controller.rb
+++ b/app/controllers/my_modules_controller.rb
@@ -4,30 +4,21 @@ class MyModulesController < ApplicationController include InputSanitizeHelper include Rails.application.routes.url_helpers include ActionView::Helpers::UrlHelper + include ApplicationHelper - before_action :load_vars, - only: %I[show update destroy description due_date protocols - results samples activities activities_tab - assign_samples unassign_samples delete_samples - toggle_task_state samples_index archive - complete_my_module repository repository_index - assign_repository_records unassign_repository_records] + before_action :load_vars before_action :load_vars_nested, only: %I[new create] before_action :load_repository, only: %I[assign_repository_records unassign_repository_records] - before_action :check_manage_permissions, - only: %i(update destroy description due_date) - before_action :check_view_info_permissions, only: :show + before_action :check_manage_permissions, only: + %i(destroy description due_date) before_action :check_view_permissions, only: - %i(activities activities_tab protocols results samples samples_index) - before_action :check_view_archive_permissions, only: :archive - before_action :check_assign_samples_permissions, only: :assign_samples - before_action :check_unassign_samples_permissions, only: :unassign_samples - before_action :check_complete_my_module_perimission, only: :complete_my_module - before_action :check_assign_repository_records_permissions, - only: :assign_repository_records - before_action :check_unassign_repository_records_permissions, - only: :unassign_repository_records + %i(show activities activities_tab protocols results samples samples_index + archive) + before_action :check_complete_module_permission, only: :complete_my_module + before_action :check_assign_repository_records_permissions, only: + %i(assign_repository_records unassign_repository_records assign_samples + unassign_samples) layout 'fluid'.freeze 
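Review bot: `before_action :load_vars` now runs for every action, including `new` and `create`, which the old `only:` list excluded and which still get `load_vars_nested`; if `load_vars` looks up the module by `params[:id]` and 404s on a miss (its body is outside this hunk), those two actions break. Either restore `before_action :load_vars, except: %i(new create)` or confirm `load_vars` tolerates a missing id. Separately, `assign_samples`/`unassign_samples` are now guarded by `check_assign_repository_records_permissions`, whose new body (later hunk) requires `module_page?` and `can_assign_repository_rows_to_module?`; gating an authorization check on a helper that appears to inspect the current page is worth a comment, and the method name no longer says it also covers samples, so `# also guards sample (un)assignment` or a rename would help.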
@@ -136,13 +127,18 @@ class MyModulesController < ApplicationController end def update + render_403 && return unless if my_module_params[:archived] == 'false' + can_restore_module?(@my_module) + else + can_manage_module?(@my_module) + end + @my_module.assign_attributes(my_module_params) @my_module.last_modified_by = current_user - description_changed = @my_module.description_changed? - restored = false if @my_module.archived_changed?(from: false, to: true) + saved = @my_module.archive(current_user) if saved # Currently not in use @@ -160,6 +156,7 @@ class MyModulesController < ApplicationController ) end elsif @my_module.archived_changed?(from: true, to: false) + saved = @my_module.restore(current_user) if saved restored = true @@ -177,8 +174,8 @@ class MyModulesController < ApplicationController ) end else - saved = @my_module.save + saved = @my_module.save if saved and description_changed then Activity.create( type_of: :change_module_description, @@ -480,7 +477,7 @@ class MyModulesController < ApplicationController # Complete/uncomplete task def toggle_task_state respond_to do |format| - if can_complete_module(@my_module) + if can_complete_module?(@my_module) @my_module.completed? ? @my_module.uncomplete : @my_module.complete completed = @my_module.completed? if @my_module.save 
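Review bot: `description_changed = @my_module.description_changed?` is removed from `update`, yet the context line `if saved and description_changed then` in the third hunk still reads that local; unless it is assigned somewhere between the hunks, the first successful save raises NameError. Keeping the assignment after `assign_attributes`, where it now belongs — `description_changed = @my_module.description_changed?` — fixes it. The removed `restored = false` is similar: `restored = true` in the restore branch keeps the name defined, but any later read that relied on the `false` default now sees nil. As in experiments_controller, archiving via `update` is gated by `can_manage_module?` rather than an archive-specific permission; confirm that is intended and say so in a comment. `update` continues outside the hunk.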
@@ -605,44 +602,17 @@ class MyModulesController < ApplicationController render_403 unless can_manage_module?(@my_module) end - def check_view_info_permissions - unless can_view_module_info(@my_module) - render_403 - end - end - def check_view_permissions render_403 unless can_read_experiment?(@my_module.experiment) end - def check_view_archive_permissions - unless can_view_module_archive(@my_module) - render_403 - end - end - - def check_assign_samples_permissions - unless can_add_samples_to_module(@my_module) - render_403 - end - end - - def check_unassign_samples_permissions - unless can_delete_samples_from_module(@my_module) - render_403 - end - end - def check_assign_repository_records_permissions - render_403 unless can_assign_repository_records(@my_module, @repository) + render_403 unless module_page? && + can_assign_repository_rows_to_module?(@my_module) end - def check_unassign_repository_records_permissions - render_403 unless can_unassign_repository_records(@my_module, @repository) - end - - def check_complete_my_module_perimission - render_403 unless can_complete_module(@my_module) + def check_complete_module_permission + render_403 unless can_complete_module?(@my_module) end def my_module_params diff --git a/app/controllers/project_comments_controller.rb b/app/controllers/project_comments_controller.rb index b02490737..9cf099cdc 100644 --- a/app/controllers/project_comments_controller.rb +++ b/app/controllers/project_comments_controller.rb @@ -174,7 +174,7 @@ class ProjectCommentsController < ApplicationController end def check_create_permissions - render_403 unless can_create_comment_in_project?(@project) + render_403 unless can_create_comments_in_project?(@project) end def check_manage_permissions diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 96c96c97a..59ab65127 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb 
@@ -12,7 +12,7 @@ class ProjectsController < ApplicationController samples experiment_archive samples_index) before_action :check_create_permissions, only: [ :new, :create ] - before_action :check_manage_permissions, only: %i(edit update) + before_action :check_manage_permissions, only: :edit @filter_by_archived = false @@ -115,13 +115,17 @@ class ProjectsController < ApplicationController flash_error = t('projects.update.error_flash', name: @project.name) # Check archive permissions if archiving/restoring - if project_params.include? :archive - if (project_params[:archive] && !can_archive_project?(@project)) || - (!project_params[:archive] && !can_restore_project?(@project)) + if project_params.include? :archived + if (project_params[:archived] == 'true' && + !can_archive_project?(@project)) || + (project_params[:archived] == 'false' && + !can_restore_project?(@project)) return_error = true is_archive = URI(request.referer).path == projects_archive_path ? "restore" : "archive" flash_error = t("projects.#{is_archive}.error_flash", name: @project.name) end + elsif !can_manage_project?(@project) + render_403 && return end message_renamed = nil diff --git a/app/controllers/protocols_controller.rb b/app/controllers/protocols_controller.rb index 0f110a58b..d22485d96 100644 --- a/app/controllers/protocols_controller.rb +++ b/app/controllers/protocols_controller.rb @@ -18,15 +18,6 @@ class ProtocolsController < ApplicationController linked_children linked_children_datatable ) - before_action :check_edit_permissions, only: %i( - edit - update_metadata - update_keywords - edit_name_modal - edit_keywords_modal - edit_authors_modal - edit_description_modal - ) before_action :check_view_all_permissions, only: %i( index datatable 
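Review bot: The archive/restore permission check in `update` now fires only when `project_params[:archived]` is exactly `'true'` or `'false'`; any other value (for example `'1'`, which is cast to true if it reaches an attribute assignment) matches neither branch and, because `elsif !can_manage_project?` hangs off the outer `if`, skips the manage check too, so the update proceeds with no permission check at all. Rejecting unexpected values inside the `include? :archived` branch closes it: `elsif !%w(true false).include?(project_params[:archived]) then render_403 && return`, or normalise with `ActiveModel::Type::Boolean.new.cast` (Rails 5+) before comparing. A comment stating that `archived` is expected as the literal strings would also stop the next reader from "simplifying" the comparison. `update` starts before this hunk.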
@@ -34,6 +25,13 @@ class ProtocolsController < ApplicationController # For update_from_parent and update_from_parent_modal we don't need to check # read permission for the parent protocol before_action :check_manage_permissions, only: %i( + edit + update_metadata + update_keywords + edit_name_modal + edit_keywords_modal + edit_authors_modal + edit_description_modal unlink unlink_modal revert @@ -41,10 +39,13 @@ class ProtocolsController < ApplicationController update_from_parent update_from_parent_modal ) - before_action :check_update_parent_permissions, only: %i( + before_action :check_manage_parent_in_repository_permissions, only: %i( update_parent update_parent_modal ) + before_action :check_manage_all_in_repository_permissions, only: + %i(make_private publish archive) + before_action :check_restore_all_in_repository_permissions, only: :restore before_action :check_load_from_repository_views_permissions, only: %i( load_from_repository_modal load_from_repository_datatable @@ -59,10 +60,6 @@ class ProtocolsController < ApplicationController copy_to_repository copy_to_repository_modal ) - before_action :check_make_private_permissions, only: [:make_private] - before_action :check_publish_permissions, only: [:publish] - before_action :check_archive_permissions, only: [:archive] - before_action :check_restore_permissions, only: [:restore] before_action :check_import_permissions, only: [:import] before_action :check_export_permissions, only: [:export] @@ -265,8 +262,8 @@ class ProtocolsController < ApplicationController def copy_to_repository link_protocols = params[:link] && - can_manage_protocol_in_module(@protocol) && - can_create_protocols_in_repository(@protocol.team) + can_manage_protocol_in_module?(@protocol) && + can_create_protocols_in_repository?(@protocol.team) respond_to do |format| transaction_error = false Protocol.transaction do 
@@ -640,10 +637,11 @@ class ProtocolsController < ApplicationController return 0 # return 0 stops the rest of the controller code from executing end @json_object = JSON.parse(json_file_contents) - - @json_object['steps'] = protocols_io_guid_reorder_step_json( - @json_object['steps'] - ) + unless step_hash_null?(@json_object['steps']) + @json_object['steps'] = protocols_io_guid_reorder_step_json( + @json_object['steps'] + ) + end @protocol = Protocol.new respond_to do |format| @@ -658,23 +656,26 @@ class ProtocolsController < ApplicationController @db_json = {} @toolong = false @db_json['name'] = pio_eval_title_len( - sanitize_input(params['protocol']['name']) + sanitize_input(not_null(params['protocol']['name'])) ) # since scinote only has description field, and protocols.io has many others # ,here i am putting everything important from protocols.io into description @db_json['authors'] = pio_eval_title_len( - sanitize_input(params['protocol']['authors']) + sanitize_input(not_null(params['protocol']['authors'])) ) @db_json['created_at'] = pio_eval_title_len( - sanitize_input(params['protocol']['created_at']) + sanitize_input(not_null(params['protocol']['created_at'])) ) @db_json['updated_at'] = pio_eval_title_len( - sanitize_input(params['protocol']['last_modified']) + sanitize_input(not_null(params['protocol']['last_modified'])) ) @db_json['steps'] = {} - @db_json['steps'] = protocols_io_fill_step( - @json_object, @db_json['steps'] - ) + + unless step_hash_null?(@json_object['steps']) + @db_json['steps'] = protocols_io_fill_step( + @json_object, @db_json['steps'] + ) + end protocol = nil respond_to do |format| transaction_error = false 
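Review bot: `step_hash_null?` and `not_null` are called on the imported protocols.io payload but are not defined anywhere in this diff; if they are new helpers they need to ship with this commit, and either way a comment stating what `not_null` returns for nil (an empty string, presumably) would explain why it wraps every `sanitize_input` call. `@json_object['steps']` is indexed without checking that `JSON.parse` produced a Hash, so an uploaded file whose top level is an array raises TypeError instead of taking the `return 0` path used for the earlier failure; `return 0 unless @json_object.is_a?(Hash)` next to the parse keeps that consistent. The enclosing method starts outside the hunk.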
@@ -1066,27 +1067,38 @@ class ProtocolsController < ApplicationController end end - def check_edit_permissions - load_team_and_type + def check_manage_permissions @protocol = Protocol.find_by_id(params[:id]) + render_403 unless @protocol.present? && + (can_manage_protocol_in_module?(@protocol) || + can_manage_protocol_in_repository?(@protocol)) + end - unless can_update_protocol_in_repository?(@protocol) - render_403 + def check_manage_parent_in_repository_permissions + @protocol = Protocol.find_by_id(params[:id]) + render_403 unless @protocol.present? && + can_read_protocol_in_module?(@protocol) && + can_manage_protocol_in_repository?(@protocol.parent) + end + + def check_manage_all_in_repository_permissions + @protocols = Protocol.where(id: params[:protocol_ids]) + @protocols.find_each do |protocol| + unless can_manage_protocol_in_repository?(protocol) + respond_to { |f| f.json { render json: {}, status: :unauthorized } } + break + end end end - def check_manage_permissions - @protocol = Protocol.find_by_id(params[:id]) - - render_403 if @protocol.blank? || !can_manage_protocol_in_module?(@protocol) - end - - def check_update_parent_permissions - @protocol = Protocol.find_by_id(params[:id]) - - render_403 unless @protocol.present? && - (can_read_protocol_in_module?(@protocol) || - can_update_protocol_in_repository(@protocol.parent)) + def check_restore_all_in_repository_permissions + @protocols = Protocol.where(id: params[:protocol_ids]) + @protocols.find_each do |protocol| + unless can_restore_protocol_in_repository?(protocol) + respond_to { |f| f.json { render json: {}, status: :unauthorized } } + break + end + end end def check_load_from_repository_views_permissions 
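Review bot: `check_manage_all_in_repository_permissions` now guards `make_private`, `publish` and `archive` with `can_manage_protocol_in_repository?` only, whereas the per-action checks it replaces (removed further down in this diff) also required a state precondition — public for make_private, private for publish, not archived for archive, and `check_restore_all_in_repository_permissions` likewise drops the not-active requirement. Unless the actions themselves re-validate state, a protocol can now be pushed through a transition from the wrong state; a comment naming where that validation lives would settle it. Both new methods pass silently when `params[:protocol_ids]` is empty, since `find_each` then runs no iteration — fine if the actions cope with an empty set, but worth stating. In `check_manage_parent_in_repository_permissions`, `@protocol.parent` may be nil for a top-level protocol, so confirm `can_manage_protocol_in_repository?(nil)` is false or add `@protocol.parent.present? &&`.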
@@ -1126,50 +1138,6 @@ class ProtocolsController < ApplicationController can_create_protocols_in_repository?(@protocol.team)) end - def check_make_private_permissions - @protocols = Protocol.where(id: params[:protocol_ids]) - @protocols.find_each do |protocol| - if !protocol.in_repository_public? || - !can_update_protocol_type_in_repository?(protocol) - respond_to { |f| f.json { render json: {}, status: :unauthorized } } - return - end - end - end - - def check_publish_permissions - @protocols = Protocol.where(id: params[:protocol_ids]) - @protocols.find_each do |protocol| - if !protocol.in_repository_private? || - !can_update_protocol_type_in_repository?(protocol) - respond_to { |f| f.json { render json: {}, status: :unauthorized } } - return - end - end - end - - def check_archive_permissions - @protocols = Protocol.where(id: params[:protocol_ids]) - @protocols.find_each do |protocol| - if protocol.in_repository_archived? || - !can_update_protocol_type_in_repository?(protocol) - respond_to { |f| f.json { render json: {}, status: :unauthorized } } - return - end - end - end - - def check_restore_permissions - @protocols = Protocol.where(id: params[:protocol_ids]) - @protocols.find_each do |protocol| - if protocol.in_repository_active? || - !can_update_protocol_type_in_repository?(protocol) - respond_to { |f| f.json { render json: {}, status: :unauthorized } } - return - end - end - end - def check_import_permissions @protocol_json = params[:protocol] @team = Team.find(params[:team_id]) diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb index 79504d9af..83cd7850e 100644 --- a/app/controllers/reports_controller.rb +++ b/app/controllers/reports_controller.rb 
@@ -30,23 +30,24 @@ class ReportsController < ApplicationController ] before_action :check_view_permissions, only: :index - before_action :check_create_permissions, only: [ - :new, - :create, - :generate, - :save_modal, - :project_contents_modal, - :experiment_contents_modal, - :module_contents_modal, - :step_contents_modal, - :result_contents_modal, - :project_contents, - :module_contents, - :step_contents, - :result_contents - ] - before_action :check_manage_permissions, only: %i(edit update - destroy) + before_action :check_manage_permissions, only: %i( + new + create + edit + update + destroy + generate + save_modal + project_contents_modal + experiment_contents_modal + module_contents_modal + step_contents_modal + result_contents_modal + project_contents + module_contents + step_contents + result_contents + ) layout 'fluid' @@ -449,13 +450,8 @@ class ReportsController < ApplicationController render_403 unless can_read_project?(@project) end - def check_create_permissions - render_403 unless can_create_or_manage_reports?(@project) - end - def check_manage_permissions - render_403 unless can_create_or_manage_reports?(@project) - render_404 unless params.include? :report_ids + render_403 unless can_manage_reports?(@project) end def report_params diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb index 82a5a4390..53b84ccd0 100644 --- a/app/controllers/repositories_controller.rb +++ b/app/controllers/repositories_controller.rb @@ -6,7 +6,7 @@ class RepositoriesController < ApplicationController before_action :check_team, only: %i(parse_sheet import_records) before_action :check_view_all_permissions, only: :index before_action :check_view_permissions, only: :export_repository - before_action :check_edit_and_destroy_permissions, only: + before_action :check_manage_permissions, only: %i(destroy destroy_modal rename_modal update) before_action :check_create_permissions, only: %i(create_new_modal create copy_modal copy) 
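Review bot: The rewritten `check_manage_permissions` drops the `render_404 unless params.include? :report_ids` guard the old version carried; if `destroy` still reads `params[:report_ids]` (not visible here), a request without it now reaches the action instead of a 404. Moving that guard into a dedicated `before_action :check_report_ids, only: :destroy` keeps the parameter check separate from the permission check rather than losing it. The new `only:` list puts creation and editing actions under one `can_manage_reports?` predicate; a comment such as `# creating a report requires manage rights on the project` would prevent someone later splitting it back out on the assumption it was an oversight.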
@@ -309,8 +309,8 @@ class RepositoriesController < ApplicationController @team.repositories.count < Constants::REPOSITORIES_LIMIT end - def check_edit_and_destroy_permissions - render_403 unless can_update_or_delete_repository?(@repository) + def check_manage_permissions + render_403 unless can_manage_repository?(@repository) end def repository_params diff --git a/app/controllers/repository_columns_controller.rb b/app/controllers/repository_columns_controller.rb index a98f38d89..e67dda400 100644 --- a/app/controllers/repository_columns_controller.rb +++ b/app/controllers/repository_columns_controller.rb @@ -4,7 +4,7 @@ class RepositoryColumnsController < ApplicationController before_action :load_vars, except: :create before_action :load_vars_nested, only: :create before_action :check_create_permissions, only: :create - before_action :check_update_and_delete_permissions, except: :create + before_action :check_manage_permissions, except: :create def create @repository_column = RepositoryColumn.new(repository_column_params) @@ -111,8 +111,8 @@ class RepositoryColumnsController < ApplicationController render_403 unless can_create_repository_columns?(@repository.team) end - def check_update_and_delete_permissions - render_403 unless can_update_or_delete_repository_column?(@repository_column) + def check_manage_permissions + render_403 unless can_manage_repository_column?(@repository_column) end def repository_column_params diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb index cb34496f3..730e8572e 100644 --- a/app/controllers/repository_rows_controller.rb +++ b/app/controllers/repository_rows_controller.rb 
@@ -7,8 +7,7 @@ class RepositoryRowsController < ApplicationController before_action :load_vars, only: %i(edit update) before_action :load_repository, only: %i(create delete_records) before_action :check_create_permissions, only: :create - before_action :check_edit_permissions, only: %i(edit update) - before_action :check_destroy_permissions, only: :delete_records + before_action :check_manage_permissions, only: %i(edit update delete_records) def create record = RepositoryRow.new(repository: @repository, @@ -184,7 +183,7 @@ class RepositoryRowsController < ApplicationController if selected_params selected_params.each do |row_id| row = @repository.repository_rows.find_by_id(row_id) - if row && can_update_or_delete_repository_row?(row) + if row && can_manage_repository_row?(row) row.destroy && deleted_count += 1 end end @@ -241,15 +240,13 @@ class RepositoryRowsController < ApplicationController end def check_create_permissions - render_403 unless can_manage_repository_rows?(@repository.team) + render_403 unless can_create_repository_rows?(@repository.team) end - def check_edit_permissions - render_403 unless can_update_or_delete_repository_row?(@record) - end - - def check_destroy_permissions - render_403 unless can_manage_repository_rows?(@repository.team) + def check_manage_permissions + render_403 unless @repository.repository_rows.all? do |row| + can_manage_repository_row?(row) + end end def record_params diff --git a/app/controllers/result_assets_controller.rb b/app/controllers/result_assets_controller.rb index 46bd2c994..7b958bb15 100644 --- a/app/controllers/result_assets_controller.rb +++ b/app/controllers/result_assets_controller.rb 
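Review bot: `check_manage_permissions` now evaluates `@repository.repository_rows.all? { |row| can_manage_repository_row?(row) }`, i.e. it loads every row of the repository and requires manage rights on all of them — for `edit`/`update` of one row as well as for `delete_records` — which is O(rows) per request and is vacuously true on an empty relation. For `edit`/`update` the loaded record is the right object: `render_403 unless can_manage_repository_row?(@record)`; `delete_records` already checks `can_manage_repository_row?(row)` per selected row in the earlier hunk, so a team-level predicate such as the old `can_manage_repository_rows?(@repository.team)` looks like the intended guard there. Also, per the first hunk `@repository` is only set by `load_repository` for `create`/`delete_records`, so confirm `load_vars` sets it for `edit`/`update` or this check raises on nil.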
@@ -4,8 +4,7 @@ class ResultAssetsController < ApplicationController before_action :load_vars, only: [:edit, :update, :download] before_action :load_vars_nested, only: [:new, :create] - before_action :check_create_permissions, only: [:new, :create] - before_action :check_edit_permissions, only: [:edit, :update] + before_action :check_manage_permissions, only: %i(new create edit update) before_action :check_archive_permissions, only: [:update] def new @@ -191,17 +190,12 @@ class ResultAssetsController < ApplicationController render_404 unless @my_module end - def check_create_permissions - render_403 unless can_create_result_asset_in_module(@my_module) - end - - def check_edit_permissions - render_403 unless can_edit_result_asset_in_module(@my_module) + def check_manage_permissions + render_403 unless can_manage_module?(@my_module) end def check_archive_permissions - if result_params[:archived].to_s != '' and - not can_archive_result(@result) + if result_params[:archived].to_s != '' && !can_manage_result?(@result) render_403 end end diff --git a/app/controllers/result_comments_controller.rb b/app/controllers/result_comments_controller.rb index d65a03dc2..6d4c48544 100644 --- a/app/controllers/result_comments_controller.rb +++ b/app/controllers/result_comments_controller.rb @@ -7,8 +7,7 @@ class ResultCommentsController < ApplicationController before_action :check_view_permissions, only: [:index] before_action :check_add_permissions, only: [:create] - before_action :check_edit_permissions, only: [:edit, :update] - before_action :check_destroy_permissions, only: [:destroy] + before_action :check_manage_permissions, only: %i(edit update destroy) def index @comments = @result.last_comments(@last_comment_id, @per_page) 
@@ -172,27 +171,17 @@ class ResultCommentsController < ApplicationController end def check_view_permissions - unless can_view_result_comments(@my_module) - render_403 - end + render_403 unless can_read_experiment?(@my_module.experiment) end def check_add_permissions - unless can_add_result_comment_in_module(@my_module) - render_403 - end + render_403 unless can_create_comments_in_module?(@my_module) end - def check_edit_permissions + def check_manage_permissions @comment = ResultComment.find_by_id(params[:id]) render_403 unless @comment.present? && - can_edit_result_comment_in_module(@comment) - end - - def check_destroy_permissions - @comment = ResultComment.find_by_id(params[:id]) - render_403 unless @comment.present? && - can_delete_result_comment_in_module(@comment) + can_manage_comment_in_module?(@comment.becomes(Comment)) end def comment_params diff --git a/app/controllers/result_tables_controller.rb b/app/controllers/result_tables_controller.rb index 4fefe1701..9485c6728 100644 --- a/app/controllers/result_tables_controller.rb +++ b/app/controllers/result_tables_controller.rb @@ -5,8 +5,7 @@ class ResultTablesController < ApplicationController before_action :load_vars_nested, only: [:new, :create] before_action :convert_contents_to_utf8, only: [:create, :update] - before_action :check_create_permissions, only: [:new, :create] - before_action :check_edit_permissions, only: [:edit, :update] + before_action :check_manage_permissions, only: %i(new create edit update) before_action :check_archive_permissions, only: [:update] def new 
@@ -196,21 +195,12 @@ class ResultTablesController < ApplicationController end end - def check_create_permissions - unless can_create_result_table_in_module(@my_module) - render_403 - end - end - - def check_edit_permissions - unless can_edit_result_table_in_module(@my_module) - render_403 - end + def check_manage_permissions + render_403 unless can_manage_module?(@my_module) end def check_archive_permissions - if result_params[:archived].to_s != '' and - not can_archive_result(@result) + if result_params[:archived].to_s != '' && !can_manage_result?(@result) render_403 end end diff --git a/app/controllers/result_texts_controller.rb b/app/controllers/result_texts_controller.rb index a71317c8b..95bf3ac48 100644 --- a/app/controllers/result_texts_controller.rb +++ b/app/controllers/result_texts_controller.rb @@ -9,8 +9,7 @@ class ResultTextsController < ApplicationController before_action :load_vars, only: [:edit, :update, :download] before_action :load_vars_nested, only: [:new, :create] - before_action :check_create_permissions, only: [:new, :create] - before_action :check_edit_permissions, only: [:edit, :update] + before_action :check_manage_permissions, only: %i(new create edit update) before_action :check_archive_permissions, only: [:update] def new @@ -202,21 +201,12 @@ class ResultTextsController < ApplicationController end end - def check_create_permissions - unless can_create_result_text_in_module(@my_module) - render_403 - end - end - - def check_edit_permissions - unless can_edit_result_text_in_module(@my_module) - render_403 - end + def check_manage_permissions + render_403 unless can_manage_module?(@my_module) end def check_archive_permissions - if result_params[:archived].to_s != '' and - not can_archive_result(@result) + if result_params[:archived].to_s != '' && !can_manage_result?(@result) render_403 end end diff --git a/app/controllers/results_controller.rb b/app/controllers/results_controller.rb index fbff11215..ae9dd51f2 100644 
--- a/app/controllers/results_controller.rb +++ b/app/controllers/results_controller.rb @@ -1,6 +1,6 @@ class ResultsController < ApplicationController before_action :load_vars - before_action :can_destroy_result_permission + before_action :check_destroy_permissions def destroy act_log = t('my_modules.module_archive.table_log', @@ -39,7 +39,7 @@ class ResultsController < ApplicationController @my_module = @result.my_module end - def can_destroy_result_permission - render_403 unless can_delete_module_result(@result) + def check_destroy_permissions + render_403 unless can_manage_result?(@result) end end diff --git a/app/controllers/sample_groups_controller.rb b/app/controllers/sample_groups_controller.rb index e5f3d09dd..ff6e49e84 100644 --- a/app/controllers/sample_groups_controller.rb +++ b/app/controllers/sample_groups_controller.rb @@ -1,6 +1,8 @@ class SampleGroupsController < ApplicationController before_action :load_vars_nested - before_action :check_permissions, except: %i(index sample_group_element) + before_action :check_view_permissions, only: %i(index sample_group_element) + before_action :check_manage_permissions, only: %i(create edit update destroy + destroy_confirmation) before_action :set_sample_group, except: %i(create index) before_action :set_project_my_module, only: :index layout 'fluid' @@ -133,8 +135,12 @@ class SampleGroupsController < ApplicationController render_404 unless @team end - def check_permissions - render_403 unless can_manage_sample_columns?(@team) + def check_view_permissions + render_403 unless can_read_team?(@team) + end + + def check_manage_permissions + render_403 unless can_manage_sample_types_and_groups?(@team) end def sample_group_params diff --git a/app/controllers/sample_types_controller.rb b/app/controllers/sample_types_controller.rb index 0b499bd66..cefbd9ee1 100644 --- a/app/controllers/sample_types_controller.rb +++ b/app/controllers/sample_types_controller.rb 
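Review bot: Replacing `except: %i(index sample_group_element)` with an explicit `only:` list on the manage filter means any `SampleGroupsController` action that appears in neither the view list nor `%i(create edit update destroy destroy_confirmation)` now runs with no permission check; the previous `except:` form denied by default. The controller's action list is outside the hunk, so whether such an action exists cannot be confirmed here, but the risk is that the next added action silently goes unguarded. The same change is made to `SampleTypesController` in the hunk on the next line. Keeping the deny-by-default shape — `before_action :check_manage_permissions, except: %i(index sample_group_element)` — avoids that.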
@@ -1,6 +1,8 @@ class SampleTypesController < ApplicationController before_action :load_vars_nested - before_action :check_permissions, except: %i(index sample_type_element) + before_action :check_view_permissions, only: %i(index sample_type_element) + before_action :check_manage_permissions, only: %i(create edit update destroy + destroy_confirmation) before_action :set_sample_type, except: %i(create index) before_action :set_project_my_module, only: :index layout 'fluid' @@ -129,8 +131,12 @@ class SampleTypesController < ApplicationController render_404 unless @team end - def check_permissions - render_403 unless can_manage_sample_columns?(@team) + def check_view_permissions + render_403 unless can_read_team?(@team) + end + + def check_manage_permissions + render_403 unless can_manage_sample_types_and_groups?(@team) end def set_sample_type diff --git a/app/controllers/samples_controller.rb b/app/controllers/samples_controller.rb index 94684f2ff..2871b73d3 100644 --- a/app/controllers/samples_controller.rb +++ b/app/controllers/samples_controller.rb @@ -7,8 +7,7 @@ class SamplesController < ApplicationController before_action :load_vars_nested, only: [:new, :create] before_action :check_create_permissions, only: %i(new create) - before_action :check_update_and_delete_permissions, - only: %i(edit update destroy) + before_action :check_manage_permissions, only: %i(edit update destroy) def new respond_to do |format| @@ -69,7 +68,7 @@ class SamplesController < ApplicationController errors[:init_fields] = sample.errors.messages else # Sample was saved, we can add all newly added sample fields - params[:custom_fields].to_a.each do |id, val| + custom_fields_params.to_a.each do |id, val| scf = SampleCustomField.new( custom_field_id: id, sample_id: sample.id, 
@@ -308,11 +307,11 @@ class SamplesController < ApplicationController end def check_create_permissions - render_403 unless can_manage_samples?(@team) + render_403 unless can_create_samples?(@team) end - def check_update_and_delete_permissions - render_403 unless can_update_or_delete_sample?(@sample) + def check_manage_permissions + render_403 unless can_manage_sample?(@sample) end def sample_params diff --git a/app/controllers/step_comments_controller.rb b/app/controllers/step_comments_controller.rb index 3f210e0bd..713592122 100644 --- a/app/controllers/step_comments_controller.rb +++ b/app/controllers/step_comments_controller.rb @@ -8,8 +8,7 @@ class StepCommentsController < ApplicationController before_action :check_view_permissions, only: [:index] before_action :check_add_permissions, only: [:create] - before_action :check_edit_permissions, only: [:edit, :update] - before_action :check_destroy_permissions, only: [:destroy] + before_action :check_manage_permissions, only: %i(edit update destroy) def index @comments = @step.last_comments(@last_comment_id, @per_page) 
@@ -52,21 +51,19 @@ class StepCommentsController < ApplicationController step_comment_annotation_notification # Generate activity (this can only occur in module, # but nonetheless check if my module is not nil) - if @protocol.in_module? - Activity.create( - type_of: :add_comment_to_step, - user: current_user, - project: @step.my_module.experiment.project, - experiment: @step.my_module.experiment, - my_module: @step.my_module, - message: t( - "activities.add_comment_to_step", - user: current_user.full_name, - step: @step.position + 1, - step_name: @step.name - ) + Activity.create( + type_of: :add_comment_to_step, + user: current_user, + project: @step.my_module.experiment.project, + experiment: @step.my_module.experiment, + my_module: @step.my_module, + message: t( + "activities.add_comment_to_step", + user: current_user.full_name, + step: @step.position + 1, + step_name: @step.name ) - end + ) format.json { render json: { @@ -113,21 +110,19 @@ class StepCommentsController < ApplicationController step_comment_annotation_notification(old_text) # Generate activity - if @protocol.in_module? - Activity.create( - type_of: :edit_step_comment, - user: current_user, - project: @step.my_module.experiment.project, - experiment: @step.my_module.experiment, - my_module: @step.my_module, - message: t( - 'activities.edit_step_comment', - user: current_user.full_name, - step: @step.position + 1, - step_name: @step.name - ) + Activity.create( + type_of: :edit_step_comment, + user: current_user, + project: @step.my_module.experiment.project, + experiment: @step.my_module.experiment, + my_module: @step.my_module, + message: t( + 'activities.edit_step_comment', + user: current_user.full_name, + step: @step.position + 1, + step_name: @step.name ) - end + ) message = custom_auto_link(@comment.message) render json: { comment: message }, status: :ok else 
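Review bot: Dropping the `if @protocol.in_module?` guard around `Activity.create` means a comment on a step whose protocol is not linked to a module now raises `NoMethodError` on `@step.my_module.experiment` instead of skipping the activity; the removed comment said the guard existed for exactly that case. The same guard is removed in the update hunk below and in the destroy hunk on the next line. The new `check_add_permissions` (`can_create_comments_in_module?(@protocol.my_module)`) may make a module a precondition for `create`, but `update`/`destroy` go through `check_manage_permissions` and `can_manage_comment_in_module?`, whose handling of non-module protocols is not visible. Either keep the guard or record the invariant where the activity is created, e.g. `# @protocol is always a module protocol here (enforced by check_*_permissions)`.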
@@ -143,21 +138,19 @@ class StepCommentsController < ApplicationController format.json do if @comment.destroy # Generate activity - if @protocol.in_module? - Activity.create( - type_of: :delete_step_comment, - user: current_user, - project: @step.my_module.experiment.project, - experiment: @step.my_module.experiment, - my_module: @step.my_module, - message: t( - 'activities.delete_step_comment', - user: current_user.full_name, - step: @step.position + 1, - step_name: @step.name - ) + Activity.create( + type_of: :delete_step_comment, + user: current_user, + project: @step.my_module.experiment.project, + experiment: @step.my_module.experiment, + my_module: @step.my_module, + message: t( + 'activities.delete_step_comment', + user: current_user.full_name, + step: @step.position + 1, + step_name: @step.name ) - end + ) render json: {}, status: :ok else render json: { message: I18n.t('comments.delete_error') }, @@ -185,21 +178,13 @@ class StepCommentsController < ApplicationController end def check_add_permissions - unless can_add_step_comment_in_protocol(@protocol) - render_403 - end + render_403 unless can_create_comments_in_module?(@protocol.my_module) end - def check_edit_permissions + def check_manage_permissions @comment = StepComment.find_by_id(params[:id]) render_403 unless @comment.present? && - can_edit_step_comment_in_protocol(@comment) - end - - def check_destroy_permissions - @comment = StepComment.find_by_id(params[:id]) - render_403 unless @comment.present? && - can_delete_step_comment_in_protocol(@comment) + can_manage_comment_in_module?(@comment.becomes(Comment)) end def comment_params diff --git a/app/controllers/steps_controller.rb b/app/controllers/steps_controller.rb index 90f82e65e..85fa0daa3 100644 --- a/app/controllers/steps_controller.rb +++ b/app/controllers/steps_controller.rb 
@@ -4,13 +4,16 @@ class StepsController < ApplicationController include TinyMceHelper include StepsActions - before_action :load_vars, only: [:edit, :update, :destroy, :show] + before_action :load_vars, only: %i(edit update destroy show toggle_step_state + checklistitem_state) before_action :load_vars_nested, only: [:new, :create] before_action :convert_table_contents_to_utf8, only: [:create, :update] before_action :check_view_permissions, only: [:show] before_action :check_manage_permissions, only: %i(new create edit update destroy) + before_action :check_complete_and_checkbox_permissions, only: + %i(toggle_step_state checklistitem_state) before_action :update_checklist_item_positions, only: [:create, :update] 
@@ -263,162 +266,125 @@ class StepsController < ApplicationController # Responds to checkbox toggling in steps view def checklistitem_state - chkItem = ChecklistItem.find_by_id(params["checklistitem_id"]) - respond_to do |format| - if chkItem - checked = params[:checked] == "true" - protocol = chkItem.checklist.step.protocol + checked = params[:checked] == 'true' + changed = @chk_item.checked != checked + @chk_item.checked = checked - authorized = ((checked and can_check_checkbox(protocol)) or (!checked and can_uncheck_checkbox(protocol))) + if @chk_item.save + format.json { render json: {}, status: :accepted } - if authorized - changed = chkItem.checked != checked - chkItem.checked = checked + # Create activity + if changed + str = if checked + 'activities.check_step_checklist_item' + else + 'activities.uncheck_step_checklist_item' + end + completed_items = @chk_item.checklist.checklist_items + .where(checked: true).count + all_items = @chk_item.checklist.checklist_items.count + text_activity = smart_annotation_parser(@chk_item.text) + .gsub(/\s+/, ' ') + message = t( + str, + user: current_user.full_name, + checkbox: text_activity, + step: @chk_item.checklist.step.position + 1, + step_name: @chk_item.checklist.step.name, + completed: completed_items, + all: all_items + ) - if chkItem.save - format.json { - render json: {}, status: :accepted - } - - # Create activity - if changed - str = checked ? 
"activities.check_step_checklist_item" : - "activities.uncheck_step_checklist_item" - completed_items = chkItem.checklist.checklist_items.where(checked: true).count - all_items = chkItem.checklist.checklist_items.count - text_activity = smart_annotation_parser(chkItem.text) - .gsub(/\s+/, ' ') - message = t( - str, - user: current_user.full_name, - checkbox: text_activity, - step: chkItem.checklist.step.position + 1, - step_name: chkItem.checklist.step.name, - completed: completed_items, - all: all_items - ) - - # This should always hold true (only in module can - # check items be checked, but still check just in case) - if protocol.in_module? - Activity.create( - user: current_user, - project: protocol.my_module.experiment.project, - experiment: protocol.my_module.experiment, - my_module: protocol.my_module, - message: message, - type_of: checked ? :check_step_checklist_item : :uncheck_step_checklist_item - ) - end - end - else - format.json { - render json: {}, status: :unprocessable_entity - } + # This should always hold true (only in module can + # check items be checked, but still check just in case) + if @protocol.in_module? 
+ Activity.create( + user: current_user, + project: @protocol.my_module.experiment.project, + experiment: @protocol.my_module.experiment, + my_module: @protocol.my_module, + message: message, + type_of: if checked + :check_step_checklist_item + else + :uncheck_step_checklist_item + end + ) end - else - format.json { - render json: {}, status: :unauthorized - } end else - format.json { - render json: {}, status: :not_found - } + format.json { render json: {}, status: :unprocessable_entity } end end end # Complete/uncomplete step def toggle_step_state - step = Step.find_by_id(params[:id]) - respond_to do |format| - if step - completed = params[:completed] == 'true' - protocol = step.protocol + completed = params[:completed] == 'true' + changed = @step.completed != completed + @step.completed = completed - authorized = ( - (completed and can_complete_step_in_protocol(protocol)) || - (!completed and can_uncomplete_step_in_protocol(protocol)) - ) + # Update completed_on + if changed + @step.completed_on = completed ? Time.current : nil + end - if authorized - changed = step.completed != completed - step.completed = completed + if @step.save + if @protocol.in_module? + ready_to_complete = @protocol.my_module.check_completness_status + end - # Update completed_on - if changed - step.completed_on = completed ? Time.current : nil + # Create activity + if changed + completed_steps = @protocol.steps.where(completed: true).count + all_steps = @protocol.steps.count + str = 'activities.uncomplete_step' + str = 'activities.complete_step' if completed + + message = t( + str, + user: current_user.full_name, + step: @step.position + 1, + step_name: @step.name, + completed: completed_steps, + all: all_steps + ) + + # Toggling step state can only occur in + # module protocols, so my_module is always + # not nil; nonetheless, check if my_module is present + if @protocol.in_module? 
+ Activity.create( + user: current_user, + project: @protocol.my_module.experiment.project, + experiment: @protocol.my_module.experiment, + my_module: @protocol.my_module, + message: message, + type_of: completed ? :complete_step : :uncomplete_step + ) end + end - if step.save - if protocol.in_module? - ready_to_complete = protocol.my_module.check_completness_status - end - - # Create activity - if changed - completed_steps = protocol.steps.where(completed: true).count - all_steps = protocol.steps.count - str = 'activities.uncomplete_step' - str = 'activities.complete_step' if completed - - message = t( - str, - user: current_user.full_name, - step: step.position + 1, - step_name: step.name, - completed: completed_steps, - all: all_steps - ) - - # Toggling step state can only occur in - # module protocols, so my_module is always - # not nil; nonetheless, check if my_module is present - if protocol.in_module? - Activity.create( - user: current_user, - project: protocol.my_module.experiment.project, - experiment: protocol.my_module.experiment, - my_module: protocol.my_module, - message: message, - type_of: completed ? :complete_step : :uncomplete_step - ) - end - end - - # Create localized title for complete/uncomplete button - localized_title = if !completed - t('protocols.steps.options.complete_title') - else - t('protocols.steps.options.uncomplete_title') - end - format.json do - if ready_to_complete && protocol.my_module.uncompleted? - render json: { - task_ready_to_complete: true, - new_title: localized_title - }, status: :ok - else - render json: { new_title: localized_title }, status: :ok - end - end + # Create localized title for complete/uncomplete button + localized_title = if !completed + t('protocols.steps.options.complete_title') + else + t('protocols.steps.options.uncomplete_title') + end + format.json do + if ready_to_complete && @protocol.my_module.uncompleted? 
+ render json: { + task_ready_to_complete: true, + new_title: localized_title + }, status: :ok else - format.json { - render json: {}, status: :unprocessable_entity - } + render json: { new_title: localized_title }, status: :ok end - else - format.json { - render json: {}, status: :unauthorized - } end else - format.json { - render json: {}, status: :not_found - } + format.json { render json: {}, status: :unprocessable_entity } end end end @@ -430,7 +396,7 @@ class StepsController < ApplicationController if step protocol = step.protocol if can_manage_protocol_in_module?(protocol) || - can_update_protocol_in_repository?(protocol) + can_manage_protocol_in_repository?(protocol) if step.position > 0 step_down = step.protocol.steps.where(position: step.position - 1).first step.position -= 1 @@ -477,7 +443,7 @@ class StepsController < ApplicationController if step protocol = step.protocol if can_manage_protocol_in_module?(protocol) || - can_update_protocol_in_repository?(protocol) + can_manage_protocol_in_repository?(protocol) if step.position < step.protocol.steps.count - 1 step_up = step.protocol.steps.where(position: step.position + 1).first step.position += 1 @@ -601,6 +567,9 @@ class StepsController < ApplicationController def load_vars @step = Step.find_by_id(params[:id]) @protocol = @step.protocol + if params[:checklistitem_id] + @chk_item = ChecklistItem.find_by_id(params[:checklistitem_id]) + end unless @protocol render_404 
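Review bot: `checklistitem_state` no longer handles a missing item: `load_vars` (below) looks it up with `find_by_id`, so `@chk_item` can be `nil`, and `@chk_item.checked` then raises `NoMethodError` where the removed code answered `status: :not_found`. The same applies to `@step` in `toggle_step_state`, though `load_vars` already dereferenced `@step.protocol` before this change. The single `can_complete_or_checkbox_step?` filter also replaces the former separate check/uncheck and complete/uncomplete predicates, so any difference between those permissions is gone — worth a comment on the filter if intentional. A `render_404 unless @chk_item` inside the `if params[:checklistitem_id]` branch of `load_vars` restores the old response.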
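Review bot: `@chk_item` is loaded from `params[:checklistitem_id]` alone, with no check that it belongs to `@step`, while `check_complete_and_checkbox_permissions` authorizes only against `@protocol`, which is derived from `params[:id]`. The removed code derived the protocol from the item itself (`chkItem.checklist.step.protocol`), so the permission check and the object being written always referred to the same protocol; after this change a request authorized for one step could update a checklist item of an unrelated protocol. Bind the lookup to the step, e.g. `render_404 unless @chk_item && @chk_item.checklist.step == @step`, or load the item through `@step`'s checklists. `load_vars` continues past the end of the hunk.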
@@ -640,13 +609,17 @@ class StepsController < ApplicationController end def check_view_permissions - render_403 unless can_read_protocol_in_module(@protocol) || + render_403 unless can_read_protocol_in_module?(@protocol) || can_read_protocol_in_repository?(@protocol) end def check_manage_permissions render_403 unless can_manage_protocol_in_module?(@protocol) || - can_update_protocol_in_repository?(@protocol) + can_manage_protocol_in_repository?(@protocol) + end + + def check_complete_and_checkbox_permissions + render_403 unless can_complete_or_checkbox_step?(@protocol) end def step_params diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb index a5194d8db..2cdab52e4 100644 --- a/app/controllers/tags_controller.rb +++ b/app/controllers/tags_controller.rb @@ -141,7 +141,7 @@ class TagsController < ApplicationController end def check_manage_permissions - render_403 unless can_create_or_manage_tags?(@project) + render_403 unless can_manage_tags?(@project) end def tag_params diff --git a/app/controllers/teams_controller.rb b/app/controllers/teams_controller.rb index 14b7a7fce..a910df32a 100644 --- a/app/controllers/teams_controller.rb +++ b/app/controllers/teams_controller.rb @@ -1,7 +1,8 @@ class TeamsController < ApplicationController before_action :load_vars, only: [:parse_sheet, :import_samples, :export_samples] - before_action :check_create_sample_permissions, only: [:parse_sheet, :import_samples] + before_action :check_create_samples_permissions, only: %i(parse_sheet + import_samples) before_action :check_view_samples_permission, only: [:export_samples] def parse_sheet @@ -258,10 +259,8 @@ class TeamsController < ApplicationController params.permit(sample_ids: [], header_ids: []).to_h end - def check_create_sample_permissions - unless can_manage_samples?(@team) - render_403 - end + def check_create_samples_permissions + render_403 unless can_create_samples?(@team) end def check_view_samples_permission 
diff --git a/app/controllers/user_my_modules_controller.rb b/app/controllers/user_my_modules_controller.rb index 04797669d..de02df711 100644 --- a/app/controllers/user_my_modules_controller.rb +++ b/app/controllers/user_my_modules_controller.rb @@ -1,9 +1,7 @@ class UserMyModulesController < ApplicationController before_action :load_vars before_action :check_view_permissions, only: :index - before_action :check_edit_permissions, only: :index_edit - before_action :check_create_permissions, only: :create - before_action :check_delete_permisisons, only: :destroy + before_action :check_manage_permissions, only: %i(create index_edit destroy) def index @user_my_modules = @my_module.user_my_modules @@ -135,27 +133,11 @@ class UserMyModulesController < ApplicationController end def check_view_permissions - unless can_view_module_users(@my_module) - render_403 - end + render_403 unless can_read_experiment?(@my_module.experiment) end - def check_edit_permissions - unless can_edit_users_on_module(@my_module) - render_403 - end - end - - def check_create_permissions - unless can_add_user_to_module(@my_module) - render_403 - end - end - - def check_delete_permisisons - unless can_remove_user_from_module(@my_module) - render_403 - end + def check_manage_permissions + render_403 unless can_manage_users_in_module?(@my_module) end def init_gui diff --git a/app/controllers/user_projects_controller.rb b/app/controllers/user_projects_controller.rb index 507c98da2..a64fb52af 100644 --- a/app/controllers/user_projects_controller.rb +++ b/app/controllers/user_projects_controller.rb @@ -191,8 +191,8 @@ class UserProjectsController < ApplicationController end def check_manage_permisisons - render_403 unless can_manage_project?(@project) && - params[:id] == current_user.id + render_403 unless can_manage_project?(@project) || + params[:id] != current_user.id end def init_gui 
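Review bot: The rewritten `check_manage_permisisons` effectively never denies: `params[:id]` is a `String` and `current_user.id` an `Integer`, so `params[:id] != current_user.id` is always true and the `||` short-circuits past `can_manage_project?(@project)` on every request. The original `&&` form compared the same mismatched types and was therefore always denying, which is probably what prompted the change — but the fix is normalizing the comparison, not flipping the operator, since the new shape grants access to anyone as long as the target is not themselves. If the intended exception is "a member may act on their own membership", that reads `render_403 unless can_manage_project?(@project) || params[:id].to_i == current_user.id`; the actions this filter guards are outside the hunk, so the intent is inferred. The `permisisons` typo in the method name is carried over as well.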
diff --git a/app/controllers/user_samples_controller.rb b/app/controllers/user_samples_controller.rb index df8ce9ee8..0aaeeeffc 100644 --- a/app/controllers/user_samples_controller.rb +++ b/app/controllers/user_samples_controller.rb @@ -1,9 +1,9 @@ class UserSamplesController < ApplicationController def save_samples_table_status samples_table = SamplesTable.where(user: @current_user, - team: params[:team]) + team: params[:team]).first if samples_table - samples_table.first.update(status: params[:state]) + samples_table.update(status: params[:state]) else SamplesTable.create(user: @current_user, team: params[:team], @@ -19,14 +19,19 @@ class UserSamplesController < ApplicationController end def load_samples_table_status - @samples_table_state = SamplesTable.find_status(current_user, - current_team).first + samples_table_state = SamplesTable.find_status(current_user, + current_team).first + if samples_table_state.blank? + st = SamplesTable.new(user: current_user, team: current_team) + st.save + samples_table_state = st.status + end respond_to do |format| - if @samples_table_state + if samples_table_state format.json do render json: { - state: @samples_table_state + state: samples_table_state } end end diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb index 27b884710..7b0bff2b9 100644 --- a/app/controllers/users/omniauth_callbacks_controller.rb +++ b/app/controllers/users/omniauth_callbacks_controller.rb @@ -1,6 +1,10 @@ module Users class OmniauthCallbacksController < Devise::OmniauthCallbacksController + include UsersGenerator + skip_before_action :verify_authenticity_token + before_action :sign_up_with_provider_enabled?, + only: :linkedin # You should configure your model like this: # devise :omniauthable, omniauth_providers: [:twitter] 
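Review bot: `save_samples_table_status` reads `@current_user` while `load_samples_table_status` in the next hunk calls `current_user`; Devise memoizes into `@current_user` only once the `current_user` helper has run, so if no earlier filter has called it the first method queries and creates rows with `user: nil`. Using `current_user` in both places removes the inconsistency. `params[:team]` and `params[:state]` are also stored as given, with no check that the user belongs to that team or that the state is a value the table expects — harmless if this is a per-user UI preference, in which case a comment saying so (`# per-user UI state only; team is not an authorization boundary here`) would stop the question coming up again.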
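Review bot: `skip_before_action :verify_authenticity_token` carries no `only:`, so CSRF verification is disabled for every action on this controller rather than just the provider callback. The OAuth2 callback arrives as a redirect from the provider and carries no Rails token, so a skip is justified there, but it should be scoped: `skip_before_action :verify_authenticity_token, only: :linkedin`. `sign_up_with_provider_enabled?` is a predicate-style name for a filter that renders 403; `check_sign_up_with_provider_enabled` would match the `check_*` convention the rest of this commit uses.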
@@ -9,6 +13,55 @@ module Users # def twitter # end + def linkedin + auth_hash = request.env['omniauth.auth'] + + @user = User.from_omniauth(auth_hash) + if @user && @user.current_team_id? + # User already exists and has been signed up with LinkedIn; just sign in + set_flash_message(:notice, + :success, + kind: I18n.t('devise.linkedin.provider_name')) + sign_in_and_redirect @user + elsif @user + # User already exists and has started sign up with LinkedIn; + # but doesn't have team (needs to complete sign up - agrees to TOS) + set_flash_message(:alert, + :failure, + kind: I18n.t('devise.linkedin.provider_name'), + reason: I18n.t('devise.linkedin.complete_sign_up')) + redirect_to users_sign_up_provider_path(user: @user) + elsif User.find_by_email(auth_hash['info']['email']) + # email is already taken, so sign up with Linked in is not allowed + set_flash_message(:alert, + :failure, + kind: I18n.t('devise.linkedin.provider_name'), + reason: I18n.t('devise.linkedin.email_already_taken', + email: auth_hash['info']['email'])) + redirect_to after_omniauth_failure_path_for(resource_name) + else + # Create new user and identity; and redirect to complete sign up form + @user = User.new( + full_name: auth_hash['info']['name'], + initials: generate_initials(auth_hash['info']['name']), + email: auth_hash['info']['email'], + password: generate_user_password + ) + @user.avatar_remote_url = (auth_hash['info']['image']) + user_identity = UserIdentity.new(user: @user, + provider: auth_hash['provider'], + uid: auth_hash['uid']) + unless @user.save && user_identity.save + set_flash_message(:alert, + :failure, + kind: I18n.t('devise.linkedin.provider_name'), + reason: I18n.t('devise.linkedin.failed_to_save')) + redirect_to after_omniauth_failure_path_for(resource_name) and return + end + redirect_to users_sign_up_provider_path(user: @user) + end + end + # More info at: # https://github.com/plataformatec/devise#omniauth 
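Review bot: `unless @user.save && user_identity.save` performs the two writes with no transaction, so a failed `user_identity.save` leaves a persisted `User` with a generated password and no identity; the same person's next attempt then hits the `User.find_by_email` branch and is told the email is already taken. Wrap both saves in `User.transaction do … end` and raise on failure so they roll back together. The hand-off to the completion form carries only the user id in the URL (`users_sign_up_provider_path(user: @user)`); storing the id in the session here as well keeps the pending sign-up bound to the browser that actually authenticated with LinkedIn (the completion action is reviewed at its own hunk). `auth_hash['info']['email']` can be absent for a provider account without a verified email, and neither `find_by_email(nil)` nor `User.new(email: nil)` reports that clearly, so an explicit failure redirect before the lookup is worth adding — hedged, since `User.from_omniauth` is not visible.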
@@ -28,5 +81,18 @@ module Users # def after_omniauth_failure_path_for(scope) # super(scope) # end + + private + + def sign_up_with_provider_enabled? + render_403 unless Rails.configuration.x.enable_user_registration + render_403 unless Rails.configuration.x.linkedin_signin_enabled + end + + def generate_initials(full_name) + initials = full_name.titleize.scan(/[A-Z]+/).join + initials = initials.strip.empty? ? 'PLCH' : initials[0..3] + initials + end end end diff --git a/app/controllers/users/registrations_controller.rb b/app/controllers/users/registrations_controller.rb index dbda51b4a..9adfc5e6c 100644 --- a/app/controllers/users/registrations_controller.rb +++ b/app/controllers/users/registrations_controller.rb @@ -1,5 +1,9 @@ class Users::RegistrationsController < Devise::RegistrationsController prepend_before_action :check_captcha, only: [:create] + before_action :registration_enabled?, + only: %i(new create new_with_provider create_with_provider) + before_action :sign_up_with_provider_enabled?, + only: %i(new_with_provider create_with_provider) def avatar user = User.find_by_id(params[:id]) || current_user @@ -122,12 +126,9 @@ class Users::RegistrationsController < Devise::RegistrationsController end end - def new - render_403 && return unless Rails.configuration.x.enable_user_registration - end + def new; end def create - render_403 && return unless Rails.configuration.x.enable_user_registration build_resource(sign_up_params) valid_resource = resource.valid? # ugly checking if new team on sign up is enabled :( 
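Review bot: `sign_up_with_provider_enabled?` calls `render_403` twice in sequence, so when both flags are off the second call raises `AbstractController::DoubleRenderError` instead of returning a clean 403. Collapse it to one condition: `render_403 unless Rails.configuration.x.enable_user_registration && Rails.configuration.x.linkedin_signin_enabled`. `generate_initials` raises on a `nil` name (`nil.titleize`) and the caller passes `auth_hash['info']['name']` straight through; `full_name.to_s.titleize` keeps the `'PLCH'` fallback working for that case. `scan(/[A-Z]+/)` only yields initials from ASCII letters, so non-Latin names always get the placeholder — fine, but worth a one-line comment.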
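Review bot: `prepend_before_action :check_captcha, only: [:create]` leaves `create_with_provider` without the captcha that plain `create` gets, even though it also creates a `Team` and signs the user in. That is only acceptable if the completion action can rely on the browser having already passed the LinkedIn callback, which the action as written does not verify (raised at its own hunk); at minimum a comment here should state why the captcha is skipped. `registration_enabled?` and `sign_up_with_provider_enabled?` are predicate-style names for filters that render; the `check_*` naming used elsewhere in this commit would be clearer.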
@@ -174,6 +175,35 @@ class Users::RegistrationsController < Devise::RegistrationsController end end + def new_with_provider; end + + def create_with_provider + @user = User.find_by_id(user_provider_params['user']) + # Create new team for the new user + @team = Team.new(team_provider_params) + + if @team.valid? && @user && Rails.configuration.x.new_team_on_signup + # Set the confirmed_at == created_at IF not using email confirmations + unless Rails.configuration.x.enable_email_confirmations + @user.update!(confirmed_at: @user.created_at) + end + + @team.created_by = @user # set created_by for team + @team.save! + + # Add this user to the team as owner + UserTeam.create(user: @user, team: @team, role: :admin) + + # set current team to new user + @user.current_team_id = @team.id + @user.save! + + sign_in_and_redirect @user + else + render :new_with_provider + end + end + protected # Called upon creating User (before .save). Permits parameters and extracts @@ -191,6 +221,14 @@ class Users::RegistrationsController < Devise::RegistrationsController tmp.merge(:initials => initials) end + def team_provider_params + params.require(:team).permit(:name) + end + + def user_provider_params + params.permit(:user) + end + def account_update_params params.require(:user).permit( :full_name, @@ -268,6 +306,14 @@ class Users::RegistrationsController < Devise::RegistrationsController end end + def registration_enabled? + render_403 unless Rails.configuration.x.enable_user_registration + end + + def sign_up_with_provider_enabled? + render_403 unless Rails.configuration.x.linkedin_signin_enabled + end + # Redirect to login page after signing up def after_sign_up_path_for(resource) new_user_session_path diff --git a/app/controllers/users/settings/user_teams_controller.rb b/app/controllers/users/settings/user_teams_controller.rb index 34ecb4dfb..f3abab97b 100644 --- a/app/controllers/users/settings/user_teams_controller.rb +++ b/app/controllers/users/settings/user_teams_controller.rb 
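Review bot: `create_with_provider` signs in whichever user `params[:user]` names — `User.find_by_id(user_provider_params['user'])` followed by `sign_in_and_redirect @user` — with no proof that the current browser is the one that completed the LinkedIn callback and no check that the user is a pending provider sign-up (the `if` only tests `@team.valid? && @user && new_team_on_signup`). As written the action amounts to an unauthenticated login keyed on a user id, and it will also attach a fresh team to accounts that already have one. Key the lookup on a value the callback stored in the session rather than on a request parameter, e.g. `@user = User.find_by_id(session[:pending_provider_user_id])` (key name constructed; it would be set in the omniauth callback), and refuse users that already have a team: `return render_403 if @user.nil? || @user.current_team_id?`. The `update!`/`save!`/`UserTeam.create` sequence is also not in a transaction and `UserTeam.create`'s result is ignored, so a failed membership insert still leaves `current_team_id` pointing at the new team.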
@@ -123,7 +123,7 @@ module Users ) flash.keep(:notice) end - generate_notification(@user_t.user, + generate_notification(current_user, @user_t.user, @user_t.team, false, diff --git a/app/controllers/wopi_controller.rb b/app/controllers/wopi_controller.rb index 3a8daa590..53762849d 100644 --- a/app/controllers/wopi_controller.rb +++ b/app/controllers/wopi_controller.rb @@ -1,6 +1,5 @@ class WopiController < ActionController::Base include WopiUtil - include PermissionHelper before_action :load_vars, :authenticate_user_from_token! before_action :verify_proof! @@ -295,7 +294,7 @@ class WopiController < ActionController::Base @breadcrumb_folder_name = @protocol.my_module.name else @can_read = can_read_protocol_in_repository?(@protocol) - @can_write = can_update_protocol_in_repository?(@protocol) + @can_write = can_manage_protocol_in_repository?(@protocol) @close_url = protocols_url(only_path: false, host: ENV['WOPI_USER_HOST']) @@ -306,8 +305,8 @@ class WopiController < ActionController::Base end @breadcrumb_folder_url = @close_url else - @can_read = can_view_or_download_result_assets(@my_module) - @can_write = can_edit_result_asset_in_module(@my_module) + @can_read = can_read_experiment?(@my_module.experiment) + @can_write = can_manage_module?(@my_module) @close_url = results_my_module_url(@my_module, only_path: false, diff --git a/app/datatables/protocols_datatable.rb b/app/datatables/protocols_datatable.rb index 21a3f213d..89818b11a 100644 --- a/app/datatables/protocols_datatable.rb +++ b/app/datatables/protocols_datatable.rb 
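Review bot: The new permission calls in the last `wopi_controller.rb` hunk drop a gate the old ones carried: `can_view_or_download_result_assets` and `can_edit_result_asset_in_module` were both in the deleted `PermissionHelper` aspect list that returns false unless the module, its experiment and its project are all active, so `@can_write` (and `@can_read`) were false for an archived module. `can_manage_module?` and `can_read_experiment?` are not in this diff, so confirm they enforce the same archived-state rule; if they do not, keep it explicit here, e.g. `@can_write = can_manage_module?(@my_module) && @my_module.active? && @my_module.experiment.active? && @my_module.experiment.project.active?`, or add a comment stating that archived modules are now editable through WOPI by design. Note also that `@can_read` is now decided at experiment level rather than from the module, which may widen read access if the two differ. The method containing this `else` branch starts and ends outside the hunk.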
@@ -3,12 +3,12 @@ class ProtocolsDatatable < CustomDatatable include ActiveRecord::Sanitization::ClassMethods include InputSanitizeHelper - def_delegator :@view, :can_update_protocol_in_repository? + def_delegator :@view, :can_read_protocol_in_repository? + def_delegator :@view, :can_manage_protocol_in_repository? def_delegator :@view, :edit_protocol_path + def_delegator :@view, :can_restore_protocol_in_repository? def_delegator :@view, :can_clone_protocol_in_repository? def_delegator :@view, :clone_protocol_path - def_delegator :@view, :can_update_protocol_type_in_repository? - def_delegator :@view, :can_read_protocol_in_repository? def_delegator :@view, :linked_children_protocol_path def_delegator :@view, :preview_protocol_path @@ -82,8 +82,8 @@ class ProtocolsDatatable < CustomDatatable protocol = Protocol.find(record.id) result_data << { 'DT_RowId': record.id, - 'DT_CanEdit': can_update_protocol_in_repository?(protocol), - 'DT_EditUrl': if can_update_protocol_in_repository?(protocol) + 'DT_CanEdit': can_manage_protocol_in_repository?(protocol), + 'DT_EditUrl': if can_manage_protocol_in_repository?(protocol) edit_protocol_path(protocol, team: @team, type: @type) 
@@ -94,14 +94,10 @@ class ProtocolsDatatable < CustomDatatable team: @team, type: @type) end, - 'DT_CanMakePrivate': protocol.in_repository_public? && - can_update_protocol_type_in_repository?(protocol), - 'DT_CanPublish': protocol.in_repository_private? && - can_update_protocol_type_in_repository?(protocol), - 'DT_CanArchive': protocol.in_repository_active? && - can_update_protocol_type_in_repository?(protocol), - 'DT_CanRestore': protocol.in_repository_archived? && - can_update_protocol_type_in_repository?(protocol), + 'DT_CanMakePrivate': can_manage_protocol_in_repository?(protocol), + 'DT_CanPublish': can_manage_protocol_in_repository?(protocol), + 'DT_CanArchive': can_manage_protocol_in_repository?(protocol), + 'DT_CanRestore': can_restore_protocol_in_repository?(protocol), 'DT_CanExport': can_read_protocol_in_repository?(protocol), '1': if protocol.in_repository_archived? escape_input(record.name) diff --git a/app/helpers/file_icons_helper.rb b/app/helpers/file_icons_helper.rb index e12c51fd7..877248220 100644 --- a/app/helpers/file_icons_helper.rb +++ b/app/helpers/file_icons_helper.rb @@ -15,6 +15,11 @@ module FileIconsHelper image_link = 'office/PowerPoint-pptx_20x20x32.png' end + # Now check for custom mappings or possible overrides + if Extends::FILE_ICON_MAPPINGS[file_ext] + image_link = Extends::FILE_ICON_MAPPINGS[file_ext] + end + if image_link image_tag image_link else diff --git a/app/helpers/permission_helper.rb b/app/helpers/permission_helper.rb deleted file mode 100644 index 6de3be6c3..000000000 --- a/app/helpers/permission_helper.rb +++ /dev/null 
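Review bot: The rewritten `DT_CanMakePrivate`, `DT_CanPublish` and `DT_CanArchive` flags no longer look at the protocol's repository state: the removed lines required `in_repository_public?`, `in_repository_private?` and `in_repository_active?` respectively, while all three now reduce to `can_manage_protocol_in_repository?(protocol)`, so a public protocol will be offered "Publish" and a private one "Make private" unless that helper (outside this diff) encodes state, which its name does not suggest. `DT_CanRestore` still gets its own `can_restore_protocol_in_repository?`, so the asymmetry looks unintended; restore the state conjunction, e.g. `'DT_CanMakePrivate': protocol.in_repository_public? && can_manage_protocol_in_repository?(protocol)`, and likewise for the other two. These are only UI flags, so the server-side transition actions must still reject a state change that does not apply, whatever the table exposes.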
@@ -1,648 +0,0 @@ -require "aspector" - -module PermissionHelper - - ####################################################### - # SOME REFLECTION MAGIC - ####################################################### - aspector do - # ---- TEAM ROLES DEFINITIONS ---- - around [ - :is_member_of_team, - :is_admin_of_team, - :is_normal_user_of_team, - :is_normal_user_or_admin_of_team, - :is_guest_of_team - ] do |proxy, *args, &block| - if args[0] - @user_team = current_user.user_teams.where(team: args[0]).take - @user_team ? proxy.call(*args, &block) : false - else - false - end - end - - # ---- PROJECT ROLES DEFINITIONS ---- - around [ - :is_member_of_project, - :is_owner_of_project, - :is_user_of_project, - :is_user_or_higher_of_project, - :is_technician_of_project, - :is_technician_or_higher_of_project, - :is_viewer_of_project - ] do |proxy, *args, &block| - if args[0] - @user_project = current_user.user_projects.where(project: args[0]).take - @user_project ? proxy.call(*args, &block) : false - else - false - end - end - - # ---- Almost everything is disabled for archived projects ---- - around [ - :can_view_project, - :can_restore_archived_modules, - :can_reposition_modules, - :can_edit_connections, - :can_clone_modules, - ] do |proxy, *args, &block| - if args[0] - project = args[0] - project.active? ? proxy.call(*args, &block) : false - else - false - end - end - - # ---- Almost everything is disabled for archived modules ---- - around [ - # TODO: Because module restoring is made via updating module attributes, - # (and that action checks if module is editable) this needs to be - # commented out or that functionality will not work any more. 
- :can_view_module_info, - :can_view_module_users, - :can_edit_users_on_module, - :can_add_user_to_module, - :can_remove_user_from_module, - :can_add_comment_to_module, - :can_view_module_archive, - :can_view_or_download_result_assets, - :can_view_result_comments, - :can_add_result_comment_in_module, - :can_create_result_text_in_module, - :can_edit_result_text_in_module, - :can_archive_result_text_in_module, - :can_create_result_table_in_module, - :can_edit_result_table_in_module, - :can_archive_result_table_in_module, - :can_create_result_asset_in_module, - :can_edit_result_asset_in_module, - :can_archive_result_asset_in_module, - :can_add_samples_to_module, - :can_delete_samples_from_module - ] do |proxy, *args, &block| - if args[0] - my_module = args[0] - if my_module.active? && - my_module.experiment.active? && - my_module.experiment.project.active? - proxy.call(*args, &block) - else - false - end - else - false - end - end - - # ---- Some things are disabled for archived experiment ---- - around [ - :can_reposition_modules, - :can_edit_connections, - :can_clone_modules, - ] do |proxy, *args, &block| - if args[0] - experiment = args[0] - if experiment.active? && - experiment.project.active? - proxy.call(*args, &block) - else - false - end - else - false - end - end - end - - private - - ####################################################### - # ROLES - ####################################################### - # The following code should stay private, and for each - # permission that's needed throughout application, a - # public method should be made. That way, we can have - # all permissions gathered here in one place. - - # ---- TEAM ROLES ---- - def is_member_of_team(team) - # This is already checked by aspector, so just return true - true - end - - def is_admin_of_team(team) - @user_team.admin? - end - - def is_normal_user_of_team(team) - @user_team.normal_user? - end - - def is_normal_user_or_admin_of_team(team) - @user_team.normal_user? 
or @user_team.admin? - end - - def is_guest_of_team(team) - @user_team.guest? - end - - # ---- PROJECT ROLES ---- - def is_member_of_project(project) - # This is already checked by aspector, so just return true - true - end - - def is_creator_of_project(project) - project.created_by == current_user - end - - def is_owner_of_project(project) - @user_project.owner? - end - - def is_user_of_project(project) - @user_project.normal_user? - end - - def is_user_or_higher_of_project(project) - @user_project.normal_user? or @user_project.owner? - end - - def is_technician_of_project(project) - @user_project.technician? - end - - def is_technician_or_higher_of_project(project) - @user_project.technician? or - @user_project.normal_user? or - @user_project.owner? - end - - def is_viewer_of_project(project) - @user_project.viewer? - end - - public - - ####################################################### - # PERMISSIONS - ####################################################### - # The following list can be expanded for new permissions, - # and only the following list should be public. Also, - # in a lot of cases, the following methods should be added - # to "is project archived" or "is module archived" checks - # at the beginning of this file (via aspector). - - # ---- ATWHO PERMISSIONS ---- - # def can_view_team_users(team) - # is_member_of_team(team) - # end - - # ---- PROJECT PERMISSIONS ---- - - # def can_view_projects(team) - # is_member_of_team(team) - # end - - # def can_create_project(team) - # is_normal_user_or_admin_of_team(team) - # end - - # User can view project if he's assigned onto it, or if - # a project is public/visible, and user is a member of that team - def can_view_project(project) - is_admin_of_team(project.team) || - is_member_of_project(project) || - (project.visible? 
and is_member_of_team(project.team)) - end - - def can_restore_archived_modules(project) - is_user_or_higher_of_project(project) - end - - # ---- WORKFLOW PERMISSIONS ---- - - def can_reposition_modules(experiment) - is_user_or_higher_of_project(experiment.project) - end - - def can_edit_connections(experiment) - is_user_or_higher_of_project(experiment.project) - end - - # ---- MODULE PERMISSIONS ---- - - def can_clone_modules(experiment) - is_user_or_higher_of_project(experiment.project) - end - - def can_view_module_info(my_module) - can_view_project(my_module.experiment.project) - end - - def can_view_module_users(my_module) - can_view_project(my_module.experiment.project) - end - - def can_edit_users_on_module(my_module) - is_owner_of_project(my_module.experiment.project) - end - - def can_add_user_to_module(my_module) - is_owner_of_project(my_module.experiment.project) - end - - def can_remove_user_from_module(my_module) - is_owner_of_project(my_module.experiment.project) - end - - def can_add_comment_to_module(my_module) - is_technician_or_higher_of_project(my_module.experiment.project) - end - - def can_edit_module_comment(comment) - comment.my_module.present? && - ( - comment.user == current_user || - is_owner_of_project( - comment.my_module.experiment.project - ) - ) - end - - def can_delete_module_comment(comment) - comment.my_module.present? 
&& - ( - comment.user == current_user || - is_owner_of_project( - comment.my_module.experiment.project - ) - ) - end - - def can_view_module_archive(my_module) - is_user_or_higher_of_project(my_module.experiment.project) - end - - def can_complete_module(my_module) - is_technician_or_higher_of_project(my_module.experiment.project) - end - - # ---- RESULTS PERMISSIONS ---- - - def can_view_or_download_result_assets(my_module) - is_member_of_project(my_module.experiment.project) || - can_view_project(my_module.experiment.project) - end - - def can_view_result_comments(my_module) - can_view_project(my_module.experiment.project) - end - - def can_add_result_comment_in_module(my_module) - is_technician_or_higher_of_project(my_module.experiment.project) - end - - def can_edit_result_comment_in_module(comment) - comment.result.present? && - ( - comment.user == current_user || - is_owner_of_project( - comment.result.my_module.experiment.project - ) - ) - end - - def can_delete_result_comment_in_module(comment) - comment.result.present? 
&& - ( - comment.user == current_user || - is_owner_of_project( - comment.result.my_module.experiment.project - ) - ) - end - - def can_delete_module_result(result) - is_owner_of_project(result.my_module.experiment.project) - end - # ---- RESULT TEXT PERMISSIONS ---- - - def can_create_result_text_in_module(my_module) - is_user_or_higher_of_project(my_module.experiment.project) - end - - def can_edit_result_text_in_module(my_module) - is_user_or_higher_of_project(my_module.experiment.project) - end - - def can_archive_result_text_in_module(my_module) - is_owner_of_project(my_module.experiment.project) - end - - # ---- RESULT TABLE PERMISSIONS ---- - - def can_create_result_table_in_module(my_module) - is_user_or_higher_of_project(my_module.experiment.project) - end - - def can_edit_result_table_in_module(my_module) - is_user_or_higher_of_project(my_module.experiment.project) - end - - def can_archive_result_table_in_module(my_module) - is_owner_of_project(my_module.experiment.project) - end - - # ---- RESULT ASSET PERMISSIONS ---- - - def can_create_result_asset_in_module(my_module) - is_user_or_higher_of_project(my_module.experiment.project) - end - - def can_edit_result_asset_in_module(my_module) - is_user_or_higher_of_project(my_module.experiment.project) - end - - def can_archive_result_asset_in_module(my_module) - is_owner_of_project(my_module.experiment.project) - end - - # ---- REPORTS PERMISSIONS ---- - - # ---- SAMPLE PERMISSIONS ---- - - # def can_create_samples(team) - # is_normal_user_or_admin_of_team(team) - # end - - # def can_view_samples(team) - # is_member_of_team(team) - # end - - # Only person who created the sample - # or team admin can edit it - # def can_edit_sample(sample) - # is_admin_of_team(sample.team) or - # sample.user == current_user - # end - - # Only person who created sample can delete it - # def can_delete_sample(sample) - # sample.user == current_user - # end - - # def can_delete_samples(team) - # 
is_normal_user_or_admin_of_team(team) - # end - - def can_add_samples_to_module(my_module) - is_technician_or_higher_of_project(my_module.experiment.project) - end - - def can_delete_samples_from_module(my_module) - is_technician_or_higher_of_project(my_module.experiment.project) - end - - # ---- SAMPLE TYPES PERMISSIONS ---- - - # def can_create_sample_type_in_team(team) - # is_normal_user_or_admin_of_team(team) - # end - - # ---- SAMPLE GROUPS PERMISSIONS ---- - - # def can_create_sample_group_in_team(team) - # is_normal_user_or_admin_of_team(team) - # end - - # ---- CUSTOM FIELDS PERMISSIONS ---- - - # def can_create_custom_field_in_team(team) - # is_normal_user_or_admin_of_team(team) - # end - - # def can_edit_custom_field(custom_field) - # custom_field.user == current_user || - # is_admin_of_team(custom_field.team) - # end - - # def can_delete_custom_field(custom_field) - # custom_field.user == current_user || - # is_admin_of_team(custom_field.team) - # end - - # ---- PROTOCOL PERMISSIONS ---- - - # def can_view_team_protocols(team) - # is_member_of_team(team) - # end - - # def can_create_new_protocol(team) - # is_normal_user_or_admin_of_team(team) - # end - - # def can_import_protocols(team) - # is_normal_user_or_admin_of_team(team) - # end - - # def can_edit_protocol(protocol) - # is_normal_user_or_admin_of_team(protocol.team) and - # current_user == protocol.added_by and (not protocol.in_repository_archived?) - # end - - # def can_clone_protocol(protocol) - # is_normal_user_or_admin_of_team(protocol.team) and - # ( - # protocol.in_repository_public? or - # (protocol.in_repository_private? and current_user == protocol.added_by) - # ) - # end - - # def can_make_protocol_private(protocol) - # protocol.added_by == current_user and - # protocol.in_repository_public? - # end - - # def can_publish_protocol(protocol) - # protocol.added_by == current_user and - # protocol.in_repository_private? 
- # end - - # def can_archive_protocol(protocol) - # protocol.added_by == current_user and - # (protocol.in_repository_public? or protocol.in_repository_private?) - # end - - # def can_restore_protocol(protocol) - # protocol.added_by == current_user and - # protocol.in_repository_archived? - # end - - # ---- STEPS PERMISSIONS ---- - - def can_add_step_comment_in_protocol(protocol) - if protocol.in_module? - my_module = protocol.my_module - my_module.active? && - my_module.experiment.project.active? && - my_module.experiment.active? && - is_technician_or_higher_of_project(my_module.experiment.project) - else - # In repository, user cannot complete steps - false - end - end - - def can_edit_step_comment_in_protocol(comment) - return false if comment.step.blank? - - protocol = comment.step.protocol - if protocol.in_module? - comment.user == current_user || - is_owner_of_project( - protocol.my_module.experiment.project - ) - else - false - end - end - - def can_delete_step_comment_in_protocol(comment) - return false if comment.step.blank? - - protocol = comment.step.protocol - if protocol.in_module? - comment.user == current_user || - is_owner_of_project( - protocol.my_module.experiment.project - ) - else - false - end - end - - def can_complete_step_in_protocol(protocol) - if protocol.in_module? - my_module = protocol.my_module - my_module.active? && - my_module.experiment.project.active? && - my_module.experiment.active? && - is_technician_or_higher_of_project(my_module.experiment.project) - else - # In repository, user cannot complete steps - false - end - end - - def can_uncomplete_step_in_protocol(protocol) - if protocol.in_module? - my_module = protocol.my_module - my_module.active? && - my_module.experiment.project.active? && - my_module.experiment.active? && - is_user_or_higher_of_project(my_module.experiment.project) - else - # In repository, user cannot complete steps - false - end - end - - def can_check_checkbox(protocol) - if protocol.in_module? 
- my_module = protocol.my_module - my_module.active? && - my_module.experiment.project.active? && - my_module.experiment.active? && - is_technician_or_higher_of_project(my_module.experiment.project) - else - # In repository, user cannot check checkboxes - false - end - end - - def can_uncheck_checkbox(protocol) - if protocol.in_module? - my_module = protocol.my_module - my_module.active? && - my_module.experiment.project.active? && - my_module.experiment.active? && - is_user_or_higher_of_project(my_module.experiment.project) - else - # In repository, user cannot check checkboxes - false - end - end - - # ---- REPOSITORIES PERMISSIONS ---- - - # def can_view_team_repositories(team) - # is_member_of_team(team) - # end - - # def can_create_repository(team) - # is_admin_of_team(team) && - # team.repositories.count < Constants::REPOSITORIES_LIMIT - # end - - # def can_view_repository(repository) - # is_member_of_team(repository.team) - # end - - # def can_edit_and_destroy_repository(repository) - # is_admin_of_team(repository.team) - # end - - # def can_copy_repository(repository) - # can_create_repository(repository.team) - # end - - # def can_create_columns_in_repository(repository) - # is_normal_user_or_admin_of_team(repository.team) - # end - - # def can_delete_column_in_repository(column) - # column.created_by == current_user || - # is_admin_of_team(column.repository.team) - # end - - # def can_edit_column_in_repository(column) - # column.created_by == current_user || - # is_admin_of_team(column.repository.team) - # end - - # def can_create_repository_records(repository) - # is_normal_user_or_admin_of_team(repository.team) - # end - - # def can_import_repository_records(repository) - # is_normal_user_or_admin_of_team(repository.team) - # end - - # def can_edit_repository_record(record) - # is_normal_user_or_admin_of_team(record.repository.team) - # end - - # def can_delete_repository_records(repository) - # is_normal_user_or_admin_of_team(repository.team) - # end - 
- # def can_delete_repository_record(record) - # team = record.repository.team - # is_admin_of_team(team) || (is_normal_user_of_team(team) && - # record.created_by == current_user) - # end - - def can_assign_repository_records(my_module, repository) - is_normal_user_or_admin_of_team(repository.team) && - is_technician_or_higher_of_project(my_module.experiment.project) - end - - def can_unassign_repository_records(my_module, repository) - is_normal_user_or_admin_of_team(repository.team) && - is_technician_or_higher_of_project(my_module.experiment.project) - end -end diff --git a/app/helpers/protocols_io_helper.rb b/app/helpers/protocols_io_helper.rb index d9fb01648..915d9bb94 100644 --- a/app/helpers/protocols_io_helper.rb +++ b/app/helpers/protocols_io_helper.rb @@ -39,25 +39,40 @@ module ProtocolsIoHelper I18n.t('protocols.protocols_io_import.too_long').length # The + 2 above (in title) is there because if the length was at the limit, # the cutter method had issues, this gives it some space + + # below are default min table settings (minimum 5x5) + PIO_TABLE_MIN_WIDTH = 5 + PIO_TABLE_MIN_HEIGHT = 5 + def protocolsio_string_to_table_element(description_string) string_without_tables = string_html_table_remove(description_string) table_regex = %r{
| ]*>(.*?)<\/td>}m tables = {} + description_string.gsub! ' | ', ' | ' + description_string.gsub! '', ' | ' table_strings = description_string.scan(table_regex) table_strings.each_with_index do |table, table_counter| tables[table_counter.to_s] = {} - tr_strings = table[0].scan(tr_regex) + tr_number = table[0].scan(tr_regex).count + diff = PIO_TABLE_MIN_HEIGHT - tr_number # always tables have atleast 5 row + table_fix_str = table[0] + table_fix_str += '
|---|---|---|