From ee7c646b1de82e34b662a6e69be21ce6b0f4cf55 Mon Sep 17 00:00:00 2001
From: zmagod
Date: Mon, 22 Jan 2018 16:42:26 +0100
Subject: [PATCH 1/7] update user settings controllers to new permission system [fixes SCI-1960]
---
 app/controllers/users/invitations_controller.rb | 2 +-
 app/controllers/users/settings/teams_controller.rb | 2 +-
 app/controllers/users/settings/user_teams_controller.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/controllers/users/invitations_controller.rb b/app/controllers/users/invitations_controller.rb
index c413f1320..4709ad276 100644
--- a/app/controllers/users/invitations_controller.rb
+++ b/app/controllers/users/invitations_controller.rb
@@ -192,7 +192,7 @@ module Users
 @role = params['role']
 render_403 if @emails && @emails.empty?
- render_403 if @team && !is_admin_of_team(@team)
+ render_403 if @team && !can_read_team?(@team)
 render_403 if @role && !UserTeam.roles.keys.include?(@role)
 end
 end
diff --git a/app/controllers/users/settings/teams_controller.rb b/app/controllers/users/settings/teams_controller.rb
index 0786bc0db..100600dbb 100644
--- a/app/controllers/users/settings/teams_controller.rb
+++ b/app/controllers/users/settings/teams_controller.rb
@@ -147,7 +147,7 @@ module Users
 def load_team
 @team = Team.find_by_id(params[:id])
- render_403 unless is_admin_of_team(@team)
+ render_403 unless can_read_team?(@team)
 end
 def create_params
diff --git a/app/controllers/users/settings/user_teams_controller.rb b/app/controllers/users/settings/user_teams_controller.rb
index 4ed45c2ef..9aa2d1da6 100644
--- a/app/controllers/users/settings/user_teams_controller.rb
+++ b/app/controllers/users/settings/user_teams_controller.rb
@@ -150,7 +150,7 @@ module Users
 # Don't allow the user to modify UserTeam-s if he's not admin,
 # unless he/she is modifying his/her UserTeam
 if current_user != @user_t.user &&
- !is_admin_of_team(@user_t.team)
+ !can_read_team?(@user_t.team)
 render_403
 end
 end
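Review bot: `render_403 if @team && !can_read_team?(@team)` gates inviting users into a team on what is presumably a read permission, where the removed line required `is_admin_of_team(@team)`; the same downgrade is made in `load_team` of settings/teams_controller.rb and in the UserTeam guard of settings/user_teams_controller.rb, so in this revision any user who can read a team could invite members or edit memberships. Patch 3/7 of this series replaces these three checks with `can_manage_team_users?` and `can_update_team?`, so the weakened guards exist only in the intermediate commit; squashing 1/7 and 3/7 would keep that revision out of the history, which still matters for bisecting or for deploying a partial series. The enclosing methods start outside each hunk.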
From 259880c4410522b635d1819c158fa049f915443d Mon Sep 17 00:00:00 2001
From: zmagod
Date: Tue, 23 Jan 2018 08:52:10 +0100
Subject: [PATCH 2/7] add permission helpers for view project and experiment
---
 app/permissions/team.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/app/permissions/team.rb b/app/permissions/team.rb
index 3988db7e8..855fdb021 100644
--- a/app/permissions/team.rb
+++ b/app/permissions/team.rb
@@ -117,3 +117,19 @@ Canaid::Permissions.register_for(RepositoryColumn) do
 can_create_repository_columns?(user, repository_column.repository.team)
 end
 end
+
+Canaid::Permissions.register_for(Project) do
+ # view project
+ can :read_project do |user, project|
+ user.is_admin_of_team?(project.team) ||
+ user.is_member_of_project?(project) ||
+ (project.visible? && user.is_member_of_team?(project.team))
+ end
+end
+
+Canaid::Permissions.register_for(Experiment) do
+ # view experiment
+ can :read_experiment do |user, experiment|
+ user.is_member_of_team?(experiment.project.team)
+ end
+end
From 9b836d04fa89c125f7036e2d0847cd60155f76c3 Mon Sep 17 00:00:00 2001
From: zmagod
Date: Wed, 24 Jan 2018 13:21:53 +0100
Subject: [PATCH 3/7] fixes per @mlorb 's request
---
 app/controllers/users/invitations_controller.rb | 2 +-
 app/controllers/users/settings/teams_controller.rb | 2 +-
 app/controllers/users/settings/user_teams_controller.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/controllers/users/invitations_controller.rb b/app/controllers/users/invitations_controller.rb
index 4709ad276..519a3ec4a 100644
--- a/app/controllers/users/invitations_controller.rb
+++ b/app/controllers/users/invitations_controller.rb
@@ -192,7 +192,7 @@ module Users
 @role = params['role']
 render_403 if @emails && @emails.empty?
- render_403 if @team && !can_read_team?(@team)
+ render_403 if @team && !can_manage_team_users?(@team)
 render_403 if @role && !UserTeam.roles.keys.include?(@role)
 end
 end
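Review bot: `can :read_experiment` grants access to every member of the experiment's project team, while `can :read_project` directly above it additionally requires team admin, project membership or `project.visible?`, so a team member who cannot read a hidden project still passes `can_read_experiment?` for that project's experiments. Delegating keeps the two rules consistent and the tighter one in a single place: `can_read_project?(user, experiment.project)`, the same pattern the file already uses in `can_create_repository_columns?(user, repository_column.repository.team)`. Patch 5/7 of this series removes both blocks again, so this only matters if they are reintroduced.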
diff --git a/app/controllers/users/settings/teams_controller.rb b/app/controllers/users/settings/teams_controller.rb
index 100600dbb..620fcd3c5 100644
--- a/app/controllers/users/settings/teams_controller.rb
+++ b/app/controllers/users/settings/teams_controller.rb
@@ -147,7 +147,7 @@ module Users
 def load_team
 @team = Team.find_by_id(params[:id])
- render_403 unless can_read_team?(@team)
+ render_403 unless can_update_team?(@team)
 end
 def create_params
diff --git a/app/controllers/users/settings/user_teams_controller.rb b/app/controllers/users/settings/user_teams_controller.rb
index 9aa2d1da6..34ecb4dfb 100644
--- a/app/controllers/users/settings/user_teams_controller.rb
+++ b/app/controllers/users/settings/user_teams_controller.rb
@@ -150,7 +150,7 @@ module Users
 # Don't allow the user to modify UserTeam-s if he's not admin,
 # unless he/she is modifying his/her UserTeam
 if current_user != @user_t.user &&
- !can_read_team?(@user_t.team)
+ !can_manage_team_users?(@user_t.team)
 render_403
 end
 end
From 76b08e6ac949fadad2b76c479d1fcd46095df45b Mon Sep 17 00:00:00 2001
From: zmagod
Date: Wed, 24 Jan 2018 13:59:57 +0100
Subject: [PATCH 4/7] add permissions in views
---
 app/views/shared/_navigation.html.erb | 47 ++++++++++---------
 app/views/users/settings/teams/index.html.erb | 18 +++----
 2 files changed, 34 insertions(+), 31 deletions(-)
diff --git a/app/views/shared/_navigation.html.erb b/app/views/shared/_navigation.html.erb
index c402faf41..31e73daa3 100644
--- a/app/views/shared/_navigation.html.erb
+++ b/app/views/shared/_navigation.html.erb
@@ -116,17 +116,16 @@ <% end %> <% end %> - <% if current_user.teams.length > 1 %> - + <% if current_user.teams.length > 1 && can_create_teams? %> + +
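Review bot: `load_team` passes the result of `Team.find_by_id(params[:id])`, which is nil for an unknown id, straight into `can_update_team?(@team)`; whether that ends in a 403 or an exception depends on how the generated helper treats a nil subject, which this hunk does not show. Making the nil case explicit removes the dependency on that behaviour: `render_403 unless @team && can_update_team?(@team)`.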
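Review bot: The comment kept as context above the changed condition in user_teams_controller.rb still says "if he's not admin", but the guard now asks `can_manage_team_users?(@user_t.team)`, so comment and check no longer describe the same rule. I'd update it to `# Don't allow the user to modify UserTeam-s unless they can manage the team's users, or are modifying their own UserTeam`. The enclosing method starts outside the hunk.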
  • + <%= link_to new_team_path do %> + + <%= t('users.settings.teams.index.new_team') %> + <% end %> +
  • <% end %> -
  • - <%= link_to new_team_path do %> - - <%= t('users.settings.teams.index.new_team') %> - <% end %> -
• <% end %>
@@ -258,19 +257,21 @@ <%= image_tag avatar_path(current_user, :icon_small), class: "avatar" %> - + <% if current_user.teams.length > 1 || can_create_teams? %> + + <% end %>
diff --git a/app/views/users/settings/teams/index.html.erb b/app/views/users/settings/teams/index.html.erb
index 265f335c6..13c749e0b 100644
--- a/app/views/users/settings/teams/index.html.erb
+++ b/app/views/users/settings/teams/index.html.erb
@@ -13,14 +13,16 @@ <% else %> <%= t("users.settings.teams.index.no_teams") %> <% end %> - - <%= link_to new_team_path, class: "btn btn-default", style: "margin-left: 30px;" do %> - - - <% end %> - + <% if can_create_teams? %> + + <%= link_to new_team_path, class: "btn btn-default", style: "margin-left: 30px;" do %> + + + <% end %> + + <% end %> <% if @member_of > 0 %>
From 4b2098c0c43c5d2bba980d03866122adde4bac37 Mon Sep 17 00:00:00 2001
From: Zmago Devetak
Date: Wed, 24 Jan 2018 16:34:48 +0100
Subject: [PATCH 5/7] removes unneeded permissions
---
 app/permissions/team.rb | 15 ---------------
 1 file changed, 15 deletions(-)
diff --git a/app/permissions/team.rb b/app/permissions/team.rb
index 855fdb021..669181027 100644
--- a/app/permissions/team.rb
+++ b/app/permissions/team.rb
@@ -118,18 +118,3 @@ Canaid::Permissions.register_for(RepositoryColumn) do
 end
 end
-Canaid::Permissions.register_for(Project) do
- # view project
- can :read_project do |user, project|
- user.is_admin_of_team?(project.team) ||
- user.is_member_of_project?(project) ||
- (project.visible? && user.is_member_of_team?(project.team))
- end
-end
-
-Canaid::Permissions.register_for(Experiment) do
- # view experiment
- can :read_experiment do |user, experiment|
- user.is_member_of_team?(experiment.project.team)
- end
-end
From b1684dbd5b89269af38be5cb05b9540d1859282e Mon Sep 17 00:00:00 2001
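Review bot: The two new conditions in _navigation.html.erb combine the same operands differently: the "new team" entry is shown under `current_user.teams.length > 1 && can_create_teams?`, while the dropdown in the `@@ -258` hunk is shown under `current_user.teams.length > 1 || can_create_teams?`, so a user who may create teams but belongs to a single one gets the dropdown without the entry, which the teams/index.html.erb hunk (`<% if can_create_teams? %>` alone) suggests is not intended. The markup of these hunks is garbled in this rendering, so this is read from the ERB tags alone; if the entry is meant to follow creation permission, `<% if can_create_teams? %>` matches the index page. These view conditions only hide UI; the server-side guards that actually enforce the permission are the controller checks changed in patches 1/7 and 3/7.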
From: zmagod
Date: Wed, 31 Jan 2018 14:39:15 +0100
Subject: [PATCH 6/7] removed unneeded hook
---
 app/views/shared/_navigation.html.erb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/app/views/shared/_navigation.html.erb b/app/views/shared/_navigation.html.erb
index 31e73daa3..d2cea47d2 100644
--- a/app/views/shared/_navigation.html.erb
+++ b/app/views/shared/_navigation.html.erb
@@ -99,8 +99,7 @@ -