mirror of
https://github.com/scinote-eln/scinote-web.git
synced 2024-11-10 09:23:58 +08:00
Update existing roles with new permissions/abilities [SCI-6076]
This commit is contained in:
Oleksii Kriuchykhin
parent
5125fb5ab5
commit
f806a56cac
7 changed files with 97 additions and 67 deletions
|
|
@ -1,8 +1,7 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class UserRole < ApplicationRecord
|
||||
before_update :prevent_update, if: :predefined?
|
||||
|
||||
validate :prevent_update, on: :update, if: :predefined?
|
||||
validates :name,
|
||||
presence: true,
|
||||
length: { minimum: Constants::NAME_MIN_LENGTH,
|
||||
|
|
@ -32,18 +31,35 @@ class UserRole < ApplicationRecord
|
|||
permissions:
|
||||
[
|
||||
ProjectPermissions::READ,
|
||||
ProjectPermissions::EXPERIMENTS_CREATE,
|
||||
ProjectPermissions::READ_ARCHIVED,
|
||||
ProjectPermissions::ACTIVITIES_READ,
|
||||
ProjectPermissions::USERS_READ,
|
||||
ProjectPermissions::COMMENTS_READ,
|
||||
ProjectPermissions::COMMENTS_CREATE,
|
||||
ProjectPermissions::EXPERIMENTS_CREATE,
|
||||
ExperimentPermissions::READ,
|
||||
ExperimentPermissions::MANAGE,
|
||||
ExperimentPermissions::ARCHIVE,
|
||||
ExperimentPermissions::RESTORE,
|
||||
ExperimentPermissions::CLONE,
|
||||
ExperimentPermissions::TASKS_CREATE,
|
||||
ExperimentPermissions::TASKS_MANAGE,
|
||||
MyModulePermissions::READ,
|
||||
MyModulePermissions::MANAGE,
|
||||
MyModulePermissions::RESULTS_MANAGE,
|
||||
MyModulePermissions::PROTOCOL_MANAGE,
|
||||
MyModulePermissions::STEPS_MANAGE,
|
||||
MyModulePermissions::TAGS_MANAGE,
|
||||
MyModulePermissions::COMMENTS_CREATE,
|
||||
MyModulePermissions::COMMENTS_MANAGE,
|
||||
MyModulePermissions::COMMENTS_MANAGE_OWN,
|
||||
MyModulePermissions::COMPLETE,
|
||||
MyModulePermissions::UPDATE_STATUS,
|
||||
MyModulePermissions::REPOSITORY_ROWS_ASSIGN
|
||||
MyModulePermissions::STEPS_COMPLETE,
|
||||
MyModulePermissions::STEPS_UNCOMPLETE,
|
||||
MyModulePermissions::STEPS_CHECKLIST_CHECK,
|
||||
MyModulePermissions::STEPS_CHECKLIST_UNCHECK,
|
||||
MyModulePermissions::STEPS_COMMENTS_CREATE,
|
||||
MyModulePermissions::STEPS_COMMENTS_DELETE_OWN,
|
||||
MyModulePermissions::STEPS_COMMENT_UPDATE_OWN,
|
||||
MyModulePermissions::REPOSITORY_ROWS_ASSIGN,
|
||||
MyModulePermissions::REPOSITORY_ROWS_MANAGE
|
||||
],
|
||||
predefined: true
|
||||
)
|
||||
|
|
@ -55,12 +71,29 @@ class UserRole < ApplicationRecord
|
|||
permissions:
|
||||
[
|
||||
ProjectPermissions::READ,
|
||||
ProjectPermissions::READ_ARCHIVED,
|
||||
ProjectPermissions::ACTIVITIES_READ,
|
||||
ProjectPermissions::USERS_READ,
|
||||
ProjectPermissions::COMMENTS_READ,
|
||||
ProjectPermissions::COMMENTS_CREATE,
|
||||
ExperimentPermissions::READ,
|
||||
ExperimentPermissions::READ_ARCHIVED,
|
||||
ExperimentPermissions::ACTIVITIES_READ,
|
||||
ExperimentPermissions::USERS_READ,
|
||||
MyModulePermissions::READ,
|
||||
MyModulePermissions::COMMENTS_CREATE,
|
||||
MyModulePermissions::COMMENTS_MANAGE_OWN,
|
||||
MyModulePermissions::COMPLETE,
|
||||
MyModulePermissions::UPDATE_STATUS,
|
||||
MyModulePermissions::REPOSITORY_ROWS_ASSIGN
|
||||
MyModulePermissions::STEPS_COMPLETE,
|
||||
MyModulePermissions::STEPS_UNCOMPLETE,
|
||||
MyModulePermissions::STEPS_CHECKLIST_CHECK,
|
||||
MyModulePermissions::STEPS_CHECKLIST_UNCHECK,
|
||||
MyModulePermissions::STEPS_COMMENTS_CREATE,
|
||||
MyModulePermissions::STEPS_COMMENTS_DELETE_OWN,
|
||||
MyModulePermissions::STEPS_COMMENT_UPDATE_OWN,
|
||||
MyModulePermissions::REPOSITORY_ROWS_ASSIGN,
|
||||
MyModulePermissions::REPOSITORY_ROWS_MANAGE
|
||||
],
|
||||
predefined: true
|
||||
)
|
||||
|
|
@ -72,7 +105,14 @@ class UserRole < ApplicationRecord
|
|||
permissions:
|
||||
[
|
||||
ProjectPermissions::READ,
|
||||
ProjectPermissions::READ_ARCHIVED,
|
||||
ProjectPermissions::ACTIVITIES_READ,
|
||||
ProjectPermissions::USERS_READ,
|
||||
ProjectPermissions::COMMENTS_READ,
|
||||
ExperimentPermissions::READ,
|
||||
ExperimentPermissions::READ_ARCHIVED,
|
||||
ExperimentPermissions::ACTIVITIES_READ,
|
||||
ExperimentPermissions::USERS_READ,
|
||||
MyModulePermissions::READ
|
||||
],
|
||||
predefined: true
|
||||
|
|
@ -86,6 +126,6 @@ class UserRole < ApplicationRecord
|
|||
private
|
||||
|
||||
def prevent_update
|
||||
raise ActiveRecord::RecordInvalid, I18n.t('user_roles.predefined.unchangable_error_message')
|
||||
errors.add(:base, I18n.t('user_roles.predefined.unchangable_error_message'))
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -20,6 +20,10 @@ Canaid::Permissions.register_for(Experiment) do
|
|||
experiment.permission_granted?(user, ExperimentPermissions::READ)
|
||||
end
|
||||
|
||||
can :read_users_of_experiment do |user, project|
|
||||
project.permission_granted?(user, ExperimentPermissions::USERS_READ)
|
||||
end
|
||||
|
||||
# experiment: create/update/delete
|
||||
# canvas: update
|
||||
# module: create, copy, reposition, create/update/delete connection,
|
||||
|
|
@ -40,12 +44,12 @@ Canaid::Permissions.register_for(Experiment) do
|
|||
|
||||
# experiment: manage access policies
|
||||
can :manage_experiment_access do |user, experiment|
|
||||
experiment.permission_granted?(user, ExperimentPermissions::MANAGE_ACCESS)
|
||||
experiment.permission_granted?(user, ExperimentPermissions::USERS_MANAGE)
|
||||
end
|
||||
|
||||
# experiment: archive
|
||||
can :archive_experiment do |user, experiment|
|
||||
experiment.permission_granted?(user, ExperimentPermissions::ARCHIVE)
|
||||
experiment.permission_granted?(user, ExperimentPermissions::MANAGE)
|
||||
end
|
||||
|
||||
# NOTE: Must not be dependent on canaid parmision for which we check if it's
|
||||
|
|
@ -53,19 +57,19 @@ Canaid::Permissions.register_for(Experiment) do
|
|||
# experiment: restore
|
||||
can :restore_experiment do |user, experiment|
|
||||
project = experiment.project
|
||||
experiment.permission_granted?(user, ExperimentPermissions::RESTORE) &&
|
||||
experiment.permission_granted?(user, ExperimentPermissions::MANAGE) &&
|
||||
experiment.archived? &&
|
||||
project.active?
|
||||
end
|
||||
|
||||
# experiment: copy
|
||||
can :clone_experiment do |user, experiment|
|
||||
experiment.permission_granted?(user, ExperimentPermissions::CLONE)
|
||||
experiment.permission_granted?(user, ExperimentPermissions::MANAGE)
|
||||
end
|
||||
|
||||
# experiment: move
|
||||
can :move_experiment do |user, experiment|
|
||||
experiment.permission_granted?(user, ExperimentPermissions::MOVE)
|
||||
experiment.permission_granted?(user, ExperimentPermissions::MANAGE)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -36,15 +36,15 @@ Canaid::Permissions.register_for(MyModule) do
|
|||
end
|
||||
|
||||
can :update_my_module_start_date do |user, my_module|
|
||||
my_module.permission_granted?(user, MyModulePermissions::UPDATE_START_DATE)
|
||||
my_module.permission_granted?(user, MyModulePermissions::MANAGE)
|
||||
end
|
||||
|
||||
can :update_my_module_due_date do |user, my_module|
|
||||
my_module.permission_granted?(user, MyModulePermissions::UPDATE_DUE_DATE)
|
||||
my_module.permission_granted?(user, MyModulePermissions::MANAGE)
|
||||
end
|
||||
|
||||
can :update_my_module_notes do |user, my_module|
|
||||
my_module.permission_granted?(user, MyModulePermissions::UPDATE_NOTES)
|
||||
my_module.permission_granted?(user, MyModulePermissions::MANAGE)
|
||||
end
|
||||
|
||||
can :manage_my_module_tags do |user, my_module|
|
||||
|
|
@ -96,11 +96,11 @@ Canaid::Permissions.register_for(MyModule) do
|
|||
end
|
||||
|
||||
can :check_my_module_steps do |user, my_module|
|
||||
my_module.permission_granted?(user, MyModulePermissions::STEPS_CHECK)
|
||||
my_module.permission_granted?(user, MyModulePermissions::STEPS_CHECKLIST_CHECK)
|
||||
end
|
||||
|
||||
can :uncheck_my_module_steps do |user, my_module|
|
||||
my_module.permission_granted?(user, MyModulePermissions::STEPS_UNCHECK)
|
||||
my_module.permission_granted?(user, MyModulePermissions::STEPS_CHECKLIST_UNCHECK)
|
||||
end
|
||||
|
||||
can :create_comments_in_my_module_steps do |user, my_module|
|
||||
|
|
|
|||
|
|
@ -38,10 +38,6 @@ Canaid::Permissions.register_for(Project) do
|
|||
end
|
||||
end
|
||||
|
||||
can :read_project_folders do |user, project|
|
||||
project.permission_granted?(user, ProjectPermissions::FOLDERS_READ)
|
||||
end
|
||||
|
||||
can :manage_project_users do |user, project|
|
||||
project.permission_granted?(user, ProjectPermissions::USERS_MANAGE)
|
||||
end
|
||||
|
|
@ -58,26 +54,6 @@ Canaid::Permissions.register_for(Project) do
|
|||
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_CREATE)
|
||||
end
|
||||
|
||||
can :read_project_experiments do |user, project|
|
||||
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ)
|
||||
end
|
||||
|
||||
can :read_archived_project_experiments do |user, project|
|
||||
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_ARCHIVED)
|
||||
end
|
||||
|
||||
can :read_canvas_of_project_experiments do |user, project|
|
||||
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_READ_CANVAS)
|
||||
end
|
||||
|
||||
can :read_activities_of_project_experiments do |user, project|
|
||||
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_ACTIVITIES_READ)
|
||||
end
|
||||
|
||||
can :read_users_of_project_experiments do |user, project|
|
||||
project.permission_granted?(user, ProjectPermissions::EXPERIMENTS_USERS_READ)
|
||||
end
|
||||
|
||||
can :create_project_comments do |user, project|
|
||||
project.permission_granted?(user, ProjectPermissions::COMMENTS_CREATE)
|
||||
end
|
||||
|
|
|
|||
|
|
@ -6,33 +6,26 @@ module PermissionExtends
|
|||
READ
|
||||
READ_ARCHIVED
|
||||
MANAGE
|
||||
FOLDERS_READ
|
||||
ACTIVITIES_READ
|
||||
USERS_READ
|
||||
USERS_MANAGE
|
||||
COMMENTS_READ
|
||||
COMMENTS_CREATE
|
||||
COMMENTS_MANAGE
|
||||
EXPERIMENTS_READ
|
||||
EXPERIMENTS_READ_ARCHIVED
|
||||
TAGS_MANAGE
|
||||
EXPERIMENTS_CREATE
|
||||
EXPERIMENTS_READ_CANVAS
|
||||
EXPERIMENTS_ACTIVITIES_READ
|
||||
EXPERIMENTS_USERS_READ
|
||||
TASKS_MANAGE
|
||||
).each { |permission| const_set(permission, "project_#{permission.underscore}") }
|
||||
end
|
||||
|
||||
module ExperimentPermissions
|
||||
%w(
|
||||
READ
|
||||
READ_ARCHIVED
|
||||
ACTIVITIES_READ
|
||||
MANAGE
|
||||
ARCHIVE
|
||||
RESTORE
|
||||
CLONE
|
||||
MOVE
|
||||
TASKS_CREATE
|
||||
MANAGE_ACCESS
|
||||
TASKS_MANAGE
|
||||
USERS_READ
|
||||
USERS_MANAGE
|
||||
).each { |permission| const_set(permission, "experiment_#{permission.underscore}") }
|
||||
end
|
||||
|
||||
|
|
@ -52,8 +45,8 @@ module PermissionExtends
|
|||
COMPLETE
|
||||
STEPS_COMPLETE
|
||||
STEPS_UNCOMPLETE
|
||||
STEPS_CHECK
|
||||
STEPS_UNCHECK
|
||||
STEPS_CHECKLIST_CHECK
|
||||
STEPS_CHECKLIST_UNCHECK
|
||||
STEPS_COMMENTS_CREATE
|
||||
STEPS_COMMENTS_DELETE
|
||||
STEPS_COMMENTS_DELETE_OWN
|
||||
|
|
|
|||
|
|
@ -161,4 +161,21 @@ namespace :data do
|
|||
task cleanup_blobs: :environment do
|
||||
ActiveStorage::Blob.unattached.find_each(&:purge_later)
|
||||
end
|
||||
|
||||
desc 'Reset to defaults all predefined user roles'
|
||||
task reset_predefined_user_roles: :environment do
|
||||
ActiveRecord::Base.transaction do
|
||||
%i(owner_role normal_user_role technician_role viewer_role).each do |predefined_role|
|
||||
reference_role = UserRole.public_send(predefined_role)
|
||||
existing_role = UserRole.find_by(name: reference_role.name)
|
||||
if existing_role.present?
|
||||
# rubocop:disable Rails/SkipsModelValidations
|
||||
existing_role.update_attribute(:permissions, reference_role.permissions)
|
||||
# rubocop:enable Rails/SkipsModelValidations
|
||||
else
|
||||
reference_role.save!
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
|
|
@ -61,51 +61,51 @@ describe ExperimentsController, type: :controller do
|
|||
|
||||
it_behaves_like "a controller action with permissions checking", :put, :update do
|
||||
let(:testable) { experiment }
|
||||
let(:permissions) { [ExperimentPermissions::MANAGE, ExperimentPermissions::RESTORE] }
|
||||
let(:permissions) { [ExperimentPermissions::MANAGE, ExperimentPermissions::MANAGE] }
|
||||
let(:action_params) { { id: experiment.id, experiment: { name: 'Test1' } } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :post, :archive do
|
||||
let(:testable) { experiment }
|
||||
let(:permissions) { [ExperimentPermissions::ARCHIVE] }
|
||||
let(:permissions) { [ExperimentPermissions::MANAGE] }
|
||||
let(:action_params) { { id: experiment.id } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :post, :archive_group do
|
||||
let(:testable) { experiment }
|
||||
let(:permissions) { [ExperimentPermissions::ARCHIVE] }
|
||||
let(:permissions) { [ExperimentPermissions::MANAGE] }
|
||||
let(:action_params) { { project_id: project.id, experiments_ids: [experiment.id] } }
|
||||
let(:custom_response_status) { :unprocessable_entity }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :post, :restore_group do
|
||||
let(:testable) { experiment }
|
||||
let(:permissions) { [ExperimentPermissions::RESTORE] }
|
||||
let(:permissions) { [ExperimentPermissions::MANAGE] }
|
||||
let(:action_params) { { project_id: project.id, experiments_ids: [experiment.id] } }
|
||||
let(:custom_response_status) { :unprocessable_entity }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :get, :clone_modal do
|
||||
let(:testable) { experiment }
|
||||
let(:permissions) { [ExperimentPermissions::CLONE] }
|
||||
let(:permissions) { [ExperimentPermissions::MANAGE] }
|
||||
let(:action_params) { { id: experiment.id } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :post, :clone do
|
||||
let(:testable) { experiment }
|
||||
let(:permissions) { [ExperimentPermissions::CLONE] }
|
||||
let(:permissions) { [ExperimentPermissions::MANAGE] }
|
||||
let(:action_params) { { id: experiment.id } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :get, :move_modal do
|
||||
let(:testable) { experiment }
|
||||
let(:permissions) { [ExperimentPermissions::MOVE] }
|
||||
let(:permissions) { [ExperimentPermissions::MANAGE] }
|
||||
let(:action_params) { { id: experiment.id } }
|
||||
end
|
||||
|
||||
it_behaves_like "a controller action with permissions checking", :post, :move do
|
||||
let(:testable) { experiment }
|
||||
let(:permissions) { [ExperimentPermissions::MOVE] }
|
||||
let(:permissions) { [ExperimentPermissions::MANAGE] }
|
||||
let(:action_params) { { id: experiment.id } }
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue