Add a repository permission check when exporting repository records; minor repositories refactoring and code-style fixes. [SCI-1275]

Matej Zrimšek 2017-06-12 17:49:42 +02:00
parent 4ea8972a6c
commit e3db79b3cc
3 changed files with 26 additions and 19 deletions


@ -214,13 +214,13 @@ setTimeout(function() {
// Enables noSearchHidden plugin // Enables noSearchHidden plugin
$.fn.dataTable.defaults.noSearchHidden = true; $.fn.dataTable.defaults.noSearchHidden = true;
$('form#form-export').submit(function(e) { $('form#form-export').submit(function() {
var form = this; var form = this;
if (currentMode === 'viewMode') { if (currentMode === 'viewMode') {
// Remove all hidden fields // Remove all hidden fields
$('#form-export').find('input[name=row_ids\\[\\]]').remove(); $(form).find('input[name=row_ids\\[\\]]').remove();
$('#form-export').find('input[name=header_ids\\[\\]]').remove(); $(form).find('input[name=header_ids\\[\\]]').remove();
// Append visible column information // Append visible column information
$('.active table#repository-table thead tr th').each(function() { $('.active table#repository-table thead tr th').each(function() {


@ -1,19 +1,21 @@
class RepositoriesController < ApplicationController class RepositoriesController < ApplicationController
before_action :load_vars, except: %i(repository_table_index export_repository) before_action :load_vars, except: %i(index create create_modal)
before_action :load_parent_vars, except:
%i(repository_table_index export_repository)
before_action :check_view_all_permissions, only: :index before_action :check_view_all_permissions, only: :index
before_action :check_view_permissions, only: :export_repository
before_action :check_edit_and_destroy_permissions, only: before_action :check_edit_and_destroy_permissions, only:
%(destroy destroy_modal rename_modal update) %i(destroy destroy_modal rename_modal update)
before_action :check_copy_permissions, only: before_action :check_copy_permissions, only:
%(copy_modal copy) %i(copy_modal copy)
before_action :check_create_permissions, only: before_action :check_create_permissions, only:
%(create_new_modal create) %i(create_new_modal create)
def index def index
render('repositories/index') render('repositories/index')
end end
def show_tab def show_tab
@repository = Repository.find_by_id(params[:repository_id])
respond_to do |format| respond_to do |format|
format.json do format.json do
render json: { render json: {
@ -62,7 +64,6 @@ class RepositoriesController < ApplicationController
end end
def destroy_modal def destroy_modal
@repository = Repository.find(params[:repository_id])
respond_to do |format| respond_to do |format|
format.json do format.json do
render json: { render json: {
@ -75,7 +76,6 @@ class RepositoriesController < ApplicationController
end end
def destroy def destroy
@repository = Repository.find(params[:id])
flash[:success] = t('repositories.index.delete_flash', flash[:success] = t('repositories.index.delete_flash',
name: @repository.name) name: @repository.name)
@repository.destroy @repository.destroy
@ -83,7 +83,6 @@ class RepositoriesController < ApplicationController
end end
def rename_modal def rename_modal
@repository = Repository.find(params[:repository_id])
respond_to do |format| respond_to do |format|
format.json do format.json do
render json: { render json: {
@ -96,7 +95,6 @@ class RepositoriesController < ApplicationController
end end
def update def update
@repository = Repository.find(params[:id])
old_name = @repository.name old_name = @repository.name
@repository.update_attributes(repository_params) @repository.update_attributes(repository_params)
@ -116,7 +114,6 @@ class RepositoriesController < ApplicationController
end end
def copy_modal def copy_modal
@repository = Repository.find(params[:repository_id])
@tmp_repository = Repository.new( @tmp_repository = Repository.new(
team: @team, team: @team,
created_by: current_user, created_by: current_user,
@ -134,7 +131,6 @@ class RepositoriesController < ApplicationController
end end
def copy def copy
@repository = Repository.find(params[:repository_id])
@tmp_repository = Repository.new( @tmp_repository = Repository.new(
team: @team, team: @team,
created_by: current_user created_by: current_user
@ -169,7 +165,6 @@ class RepositoriesController < ApplicationController
# AJAX actions # AJAX actions
def repository_table_index def repository_table_index
@repository = Repository.find_by_id(params[:repository_id])
if @repository.nil? || !can_view_repository(@repository) if @repository.nil? || !can_view_repository(@repository)
render_403 render_403
else else
@ -197,6 +192,12 @@ class RepositoriesController < ApplicationController
private private
def load_vars def load_vars
repository_id = params[:id] || params[:repository_id]
@repository = Repository.find_by_id(repository_id)
render_404 unless @repository
end
def load_parent_vars
@team = Team.find_by_id(params[:team_id]) @team = Team.find_by_id(params[:team_id])
render_404 unless @team render_404 unless @team
@repositories = @team.repositories.order(created_at: :asc) @repositories = @team.repositories.order(created_at: :asc)
@ -206,6 +207,10 @@ class RepositoriesController < ApplicationController
render_403 unless can_view_team_repositories(@team) render_403 unless can_view_team_repositories(@team)
end end
def check_view_permissions
render_403 unless can_view_repository(@repository)
end
def check_create_permissions def check_create_permissions
render_403 unless can_create_repository(@team) render_403 unless can_create_repository(@team)
end end
@ -225,7 +230,9 @@ class RepositoriesController < ApplicationController
def generate_zip def generate_zip
# Fetch rows in the same order as in the currently viewed datatable # Fetch rows in the same order as in the currently viewed datatable
ordered_row_ids = params[:row_ids] ordered_row_ids = params[:row_ids]
id_row_map = RepositoryRow.where(id: ordered_row_ids).index_by(&:id) id_row_map = RepositoryRow.where(id: ordered_row_ids,
repository: @repository)
.index_by(&:id)
ordered_rows = ordered_row_ids.collect { |id| id_row_map[id.to_i] } ordered_rows = ordered_row_ids.collect { |id| id_row_map[id.to_i] }
zip = ZipExport.create(user: current_user) zip = ZipExport.create(user: current_user)
@ -273,7 +280,7 @@ class RepositoriesController < ApplicationController
I18n.l(row.created_at, format: :full) I18n.l(row.created_at, format: :full)
else else
cell = row.repository_cells cell = row.repository_cells
.find_by(repository_column_id: c_id) .find_by(repository_column_id: c_id)
cell ? cell.value.data : nil cell ? cell.value.data : nil
end end
end end
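Review bot: In generate_zip, scoping the lookup to `repository: @repository` means any id in params[:row_ids] that belongs to another repository (or does not exist) now maps to nil in ordered_rows, and the later part of the method (which continues past this hunk) appears to call `row.created_at` and `row.repository_cells` on each entry, so a tampered or stale id would raise NoMethodError rather than simply being dropped. `params[:row_ids]` is also used unguarded, and the export form's JS removes the hidden row_ids[] inputs in view mode before rebuilding the form from the visible table (the rest of that handler is outside the hunk), so a missing parameter would make `ordered_row_ids.collect` fail on nil. I would write `ordered_row_ids = Array(params[:row_ids])` and `ordered_rows = ordered_row_ids.collect { |id| id_row_map[id.to_i] }.compact`. Separately, load_vars resolves @repository from params[:id]/params[:repository_id] alone while load_parent_vars takes @team from params[:team_id], and the team-based checks (check_create_permissions visibly, check_copy_permissions presumably) authorize against @team; unless the permission helpers, whose bodies are not shown here, compare the two, it seems worth adding `render_404 unless @repository.team_id == @team.id` in the actions where both are loaded, so a repository_id from another team cannot be paired with a team the caller does have rights in.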


@ -102,12 +102,12 @@ class ZipExport < ActiveRecord::Base
end end
end end
def generate_samples_zip(tmp_dir, data, options = {}) def generate_samples_zip(tmp_dir, data, _options = {})
file = FileUtils.touch("#{tmp_dir}/export.csv").first file = FileUtils.touch("#{tmp_dir}/export.csv").first
File.open(file, 'wb') { |f| f.write(data) } File.open(file, 'wb') { |f| f.write(data) }
end end
def generate_repositories_zip(tmp_dir, data, options = {}) def generate_repositories_zip(tmp_dir, data, _options = {})
file = FileUtils.touch("#{tmp_dir}/export.csv").first file = FileUtils.touch("#{tmp_dir}/export.csv").first
File.open(file, 'wb') { |f| f.write(data) } File.open(file, 'wb') { |f| f.write(data) }
end end