4 roles permission system

Dmitriy Zaporozhets
1 parent dac7c44a
Showing 18 changed files with 66 additions and 111 deletions Show diff stats
app/controllers/projects_controller.rb
app/models/project.rb
app/models/repository.rb
app/models/users_project.rb
app/views/admin/projects/show.html.haml
app/views/admin/team_members/_form.html.haml
app/views/admin/users/show.html.haml
app/views/help/permissions.html.haml
app/views/team_members/_form.html.haml
app/views/team_members/_show.html.haml
app/views/team_members/show.html.haml
app/views/widgets/_project_member.html.haml
db/migrate/20120216085842_move_to_roles_permissions.rb
db/schema.rb
spec/models/note_spec.rb
spec/models/project_security_spec.rb
spec/requests/projects_security_spec.rb
spec/requests/team_members_spec.rb
@@ -28,7 +28,7 @@ class ProjectsController &lt; ApplicationController
     Project.transaction do
       @project.save!
-      @project.users_projects.create!(:repo_access => Repository::REPO_RW , :project_access => Project::PROJECT_RWA, :user => current_user)
+      @project.users_projects.create!(:project_access => UsersProject::MASTER, :user => current_user)
       # when project saved no team member exist so 
       # project repository should be updated after first user add
 require "grit"
 class Project < ActiveRecord::Base
-  PROJECT_N = 0
-  PROJECT_R = 1
-  PROJECT_RW = 2
-  PROJECT_RWA = 3
-
   belongs_to :owner, :class_name => "User"
   has_many :merge_requests, :dependent => :destroy
@@ -61,12 +56,7 @@ class Project &lt; ActiveRecord::Base
   end
   def self.access_options
-    {
-      "Denied" => PROJECT_N,
-      "Read"   => PROJECT_R,
-      "Report" => PROJECT_RW,
-      "Admin"  => PROJECT_RWA
-    }
+    UsersProject.access_roles
   end
   def repository
@@ -193,11 +183,11 @@ class Project &lt; ActiveRecord::Base
   # Should be rewrited for new access rights
   def add_access(user, *access)
     access = if access.include?(:admin) 
-               { :project_access => PROJECT_RWA } 
+               { :project_access => UsersProject::MASTER } 
              elsif access.include?(:write)
-               { :project_access => PROJECT_RW } 
+               { :project_access => UsersProject::DEVELOPER } 
              else
-               { :project_access => PROJECT_R } 
+               { :project_access => UsersProject::GUEST } 
              end
     opts = { :user => user }
     opts.merge!(access)
@@ -210,48 +200,48 @@ class Project &lt; ActiveRecord::Base
   def repository_readers
     keys = Key.joins({:user => :users_projects}).
-      where("users_projects.project_id = ? AND users_projects.repo_access = ?", id, Repository::REPO_R)
+      where("users_projects.project_id = ? AND users_projects.project_access = ?", id, UsersProject::REPORTER)
     keys.map(&:identifier) + deploy_keys.map(&:identifier)
   end
   def repository_writers
     keys = Key.joins({:user => :users_projects}).
-      where("users_projects.project_id = ? AND users_projects.repo_access = ?", id, Repository::REPO_RW)
+      where("users_projects.project_id = ? AND users_projects.project_access = ?", id, UsersProject::DEVELOPER)
     keys.map(&:identifier)
   end
   def repository_masters
     keys = Key.joins({:user => :users_projects}).
-      where("users_projects.project_id = ? AND users_projects.repo_access = ?", id, Repository::REPO_MASTER)
+      where("users_projects.project_id = ? AND users_projects.project_access = ?", id, UsersProject::MASTER)
     keys.map(&:identifier)
   end
   def readers
-    @readers ||= users_projects.includes(:user).where(:project_access => [PROJECT_R, PROJECT_RW, PROJECT_RWA]).map(&:user)
+    @readers ||= users_projects.includes(:user).map(&:user)
   end
   def writers
-    @writers ||= users_projects.includes(:user).where(:project_access => [PROJECT_RW, PROJECT_RWA]).map(&:user)
+    @writers ||= users_projects.includes(:user).map(&:user)
   end
   def admins
-    @admins ||= users_projects.includes(:user).where(:project_access => PROJECT_RWA).map(&:user)
+    @admins ||= users_projects.includes(:user).where(:project_access => UsersProject::MASTER).map(&:user)
   end
   def allow_read_for?(user)
-    !users_projects.where(:user_id => user.id, :project_access => [PROJECT_R, PROJECT_RW, PROJECT_RWA]).empty?
+    !users_projects.where(:user_id => user.id).empty?
   end
   def allow_write_for?(user)
-    !users_projects.where(:user_id => user.id, :project_access => [PROJECT_RW, PROJECT_RWA]).empty?
+    !users_projects.where(:user_id => user.id).empty?
   end
   def allow_admin_for?(user)
-    !users_projects.where(:user_id => user.id, :project_access => [PROJECT_RWA]).empty? || owner_id == user.id
+    !users_projects.where(:user_id => user.id, :project_access => [UsersProject::MASTER]).empty? || owner_id == user.id
   end
   def allow_pull_for?(user)
-    !users_projects.where(:user_id => user.id, :repo_access => [Repository::REPO_R, Repository::REPO_RW, Repository::REPO_MASTER]).empty?
+    !users_projects.where(:user_id => user.id, :project_access => [UsersProject::REPORTER, UsersProject::DEVELOPER, UsersProject::MASTER]).empty?
   end
   def root_ref 
 require File.join(Rails.root, "lib", "gitlabhq", "git_host")
 class Repository
-  REPO_N = 0
-  REPO_R = 1
-  REPO_RW = 2
-  REPO_MASTER = 3
-
   attr_accessor :project
   def self.default_ref
@@ -13,12 +8,7 @@ class Repository
   end
   def self.access_options
-    {
-      "Denied"      => REPO_N,
-      "Pull"        => REPO_R,
-      "Pull & Push" => REPO_RW,
-      "Master"      => REPO_MASTER
-    }
+    {}
   end
   def initialize(project)
 class UsersProject < ActiveRecord::Base
-  REPORTER = 21
-  DEVELOPER = 22
-  MASTER = 33
+  GUEST     = 10
+  REPORTER  = 20
+  DEVELOPER = 30
+  MASTER    = 40
   belongs_to :user
   belongs_to :project
@@ -21,7 +22,6 @@ class UsersProject &lt; ActiveRecord::Base
     UsersProject.transaction do
       user_ids.each do |user_id|
         users_project = UsersProject.new(
-          :repo_access => repo_access,
           :project_access => project_access,
           :user_id => user_id
         )
@@ -35,7 +35,6 @@ class UsersProject &lt; ActiveRecord::Base
     UsersProject.transaction do
       project_ids.each do |project_id|
         users_project = UsersProject.new(
-          :repo_access => repo_access,
           :project_access => project_access,
         )
         users_project.project_id = project_id
@@ -47,6 +46,7 @@ class UsersProject &lt; ActiveRecord::Base
   def self.access_roles
     {
+      "Guest"   => GUEST,
       "Reporter"   => REPORTER,
       "Developer" => DEVELOPER,
       "Master"  => MASTER
@@ -54,7 +54,7 @@ class UsersProject &lt; ActiveRecord::Base
   end
   def role_access
-    "#{project_access}#{repo_access}"
+    project_access
   end
   def update_repository
@@ -68,7 +68,7 @@ class UsersProject &lt; ActiveRecord::Base
   end
   def repo_access_human
-    Repository.access_options.key(self.repo_access)
+    ""
   end
 end
 # == Schema Information
@@ -53,7 +53,6 @@
         %td
           = link_to tm.user_name, admin_users_path(tm.user)
         %td= select_tag :tm_project_access, options_for_select(Project.access_options, tm.project_access), :class => "medium project-access-select", :disabled => :disabled
-        %td= select_tag :tm_repo_access, options_for_select(Repository.access_options, tm.repo_access), :class => "medium repo-access-select", :disabled => :disabled
         %td= link_to 'Edit Access', edit_admin_team_member_path(tm), :class => "btn small"
         %td= link_to 'Remove from team', admin_team_member_path(tm), :confirm => 'Are you sure?', :method => :delete, :class => "btn danger small"
@@ -68,7 +67,6 @@
       %tr
         %td= select_tag :user_ids, options_from_collection_for_select(@users , :id, :name),  :multiple => true
         %td= select_tag :project_access, options_for_select(Project.access_options), :class => "project-access-select"
-        %td= select_tag :repo_access, options_for_select(Repository.access_options), :class => "repo-access-select"
     .actions
       = submit_tag 'Add', :class => "btn primary"
@@ -10,10 +10,6 @@
     .input
       = f.select :project_access, options_for_select(Project.access_options, @admin_team_member.project_access), {}, :class => "project-access-select"
-  .clearfix
-    %label Repository Access:
-    .input
-      = f.select :repo_access, options_for_select(Repository.access_options, @admin_team_member.repo_access), {}, :class => "repo-access-select"
   %br
   .actions
     = f.submit 'Save', :class => "btn primary"
@@ -61,7 +61,6 @@
     %tr
       %td= link_to project.name, admin_project_path(project)
       %td= select_tag :tm_project_access, options_for_select(Project.access_options, tm.project_access), :class => "medium project-access-select", :disabled => :disabled
-      %td= select_tag :tm_repo_access, options_for_select(Repository.access_options, tm.repo_access), :class => "medium repo-access-select", :disabled => :disabled
       %td= link_to 'Edit Access', edit_admin_team_member_path(tm), :class => "btn small"
       %td= link_to 'Remove from team', admin_team_member_path(tm), :confirm => 'Are you sure?', :method => :delete, :class => "btn small danger"
@@ -76,7 +75,6 @@
     %tr
       %td= select_tag :project_ids, options_from_collection_for_select(@projects , :id, :name),  :multiple => true
       %td= select_tag :project_access, options_for_select(Project.access_options), :class => "project-access-select"
-      %td= select_tag :repo_access, options_for_select(Repository.access_options), :class => "repo-access-select"
   .actions
     = submit_tag 'Add', :class => "btn primary"
@@ -3,6 +3,12 @@
 %h4 Reporter
 %ul
+  %li Create new issue
+  %li Create new merge request
+  %li Write on project wall
+
+%h4 Reporter
+%ul
   %li Pull project code
   %li Create new issue
   %li Create new merge request
@@ -14,18 +14,9 @@
   .clearfix
     = f.label :project_access, "Project Access"
-    .input= f.select :_project_access, options_for_select(UsersProject.access_roles, @team_member.role_access), {}, :class => "project-access-select"
-    
+    .input= f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select"
-  -#.clearfix
-    -#= f.label :project_access, "Project Access"
-    -#.input= f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select"
-
-  -#.clearfix
-    -#= f.label :repo_access, "Repository Access"
-    -#.input= f.select :repo_access, options_for_select(Repository.access_options, @team_member.repo_access), {}, :class => "repo-access-select"
-
   .actions
     = f.submit 'Save', :class => "btn primary"
     = link_to "Cancel", team_project_path(@project), :class => "btn"
@@ -37,6 +28,6 @@
 :javascript
   $('select#team_member_user_id').chosen();
-  $('select#team_member__project_access').chosen();
+  $('select#team_member_project_access').chosen();
   //$('select#team_member_repo_access').chosen();
   //$('select#team_member_project_access').chosen();
@@ -11,9 +11,6 @@
     .span3
       = form_for(member, :as => :team_member, :url => project_team_member_path(@project, member)) do |f|
-        = f.select :_project_access, options_for_select(UsersProject.access_roles, member.role_access), {}, :class => "medium project-access-select", :disabled => !allow_admin
-    -#.span3
-      -#= form_for(member, :as => :team_member, :url => project_team_member_path(@project, member)) do |f|
-        -#= f.select :repo_access, options_for_select(Repository.access_options, member.repo_access), {}, :class => "medium repo-access-select", :disabled => !allow_admin
+        = f.select :project_access, options_for_select(UsersProject.access_roles, member.project_access), {}, :class => "medium project-access-select", :disabled => !allow_admin
     - if @project.owner == user
       %span.label Project Owner
@@ -28,13 +28,6 @@
       = form_for(@team_member, :as => :team_member, :url => project_team_member_path(@project, @team_member)) do |f|
         = f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select", :disabled => !allow_admin
-  %tr
-    %td Repository Access
-    %td
-      = form_for(@team_member, :as => :team_member, :url => project_team_member_path(@project, @team_member)) do |f|
-        = f.select :repo_access, options_for_select(Repository.access_options, @team_member.repo_access), {}, :class => "repo-access-select", :disabled => !allow_admin
-
-
   - unless user.skype.empty?
     %tr
       %td Skype:
@@ -13,7 +13,6 @@
     .span3
       %span.label= member.project_access_human
-      %span.label= member.repo_access_human
   - if can? current_user, :write_project, @project
     - if @project.issues_enabled && @project.merge_requests_enabled
@@ -0,0 +1,18 @@
+class MoveToRolesPermissions < ActiveRecord::Migration
+  def up
+    repo_n = 0
+    repo_r = 1
+    repo_rw = 2
+    project_rwa = 3
+
+    UsersProject.update_all ["project_access = ?", UsersProject::MASTER], ["project_access = ?", project_rwa]
+    UsersProject.update_all ["project_access = ?", UsersProject::DEVELOPER], ["repo_access = ?", repo_rw]
+    UsersProject.update_all ["project_access = ?", UsersProject::REPORTER], ["repo_access = ?", repo_r]
+    UsersProject.update_all ["project_access = ?", UsersProject::GUEST], ["repo_access = ?", repo_n]
+
+    remove_column :users_projects, :repo_access
+  end
+
+  def down
+  end
+end
@@ -11,19 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
-ActiveRecord::Schema.define(:version => 20120215182305) do
-
-  create_table "features", :force => true do |t|
-    t.string   "name"
-    t.string   "branch_name"
-    t.integer  "assignee_id"
-    t.integer  "author_id"
-    t.integer  "project_id"
-    t.datetime "created_at"
-    t.datetime "updated_at"
-    t.string   "version"
-    t.integer  "status",      :default => 0, :null => false
-  end
+ActiveRecord::Schema.define(:version => 20120216085842) do
   create_table "issues", :force => true do |t|
     t.string   "title"
@@ -160,7 +148,6 @@ ActiveRecord::Schema.define(:version =&gt; 20120215182305) do
     t.integer  "project_id",                    :null => false
     t.datetime "created_at"
     t.datetime "updated_at"
-    t.integer  "repo_access",    :default => 0, :null => false
     t.integer  "project_access", :default => 0, :null => false
   end
@@ -64,9 +64,8 @@ describe Note do
     describe :read do
       before do
-        @p1.users_projects.create(:user => @u1, :project_access => Project::PROJECT_N)
-        @p1.users_projects.create(:user => @u2, :project_access => Project::PROJECT_R)
-        @p2.users_projects.create(:user => @u3, :project_access => Project::PROJECT_R)
+        @p1.users_projects.create(:user => @u2, :project_access => UsersProject::GUEST)
+        @p2.users_projects.create(:user => @u3, :project_access => UsersProject::GUEST)
       end
       it { @abilities.allowed?(@u1, :read_note, @p1).should be_false }
@@ -76,9 +75,8 @@ describe Note do
     describe :write do
       before do
-        @p1.users_projects.create(:user => @u1, :project_access => Project::PROJECT_R)
-        @p1.users_projects.create(:user => @u2, :project_access => Project::PROJECT_RW)
-        @p2.users_projects.create(:user => @u3, :project_access => Project::PROJECT_RW)
+        @p1.users_projects.create(:user => @u2, :project_access => UsersProject::DEVELOPER)
+        @p2.users_projects.create(:user => @u3, :project_access => UsersProject::DEVELOPER)
       end
       it { @abilities.allowed?(@u1, :write_note, @p1).should be_false }
@@ -88,9 +86,9 @@ describe Note do
     describe :admin do
       before do
-        @p1.users_projects.create(:user => @u1, :project_access => Project::PROJECT_R)
-        @p1.users_projects.create(:user => @u2, :project_access => Project::PROJECT_RWA)
-        @p2.users_projects.create(:user => @u3, :project_access => Project::PROJECT_RWA)
+        @p1.users_projects.create(:user => @u1, :project_access => UsersProject::REPORTER)
+        @p1.users_projects.create(:user => @u2, :project_access => UsersProject::MASTER)
+        @p2.users_projects.create(:user => @u3, :project_access => UsersProject::MASTER)
       end
       it { @abilities.allowed?(@u1, :admin_note, @p1).should be_false }
@@ -12,8 +12,7 @@ describe Project do
     describe "read access" do
       before do
-        @p1.users_projects.create(:project => @p1, :user => @u1, :project_access => Project::PROJECT_N)
-        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => Project::PROJECT_R)
+        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => UsersProject::REPORTER)
       end
       it { @abilities.allowed?(@u1, :read_project, @p1).should be_false }
@@ -22,8 +21,7 @@ describe Project do
     describe "write access" do
       before do
-        @p1.users_projects.create(:project => @p1, :user => @u1, :project_access => Project::PROJECT_R)
-        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => Project::PROJECT_RW)
+        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => UsersProject::DEVELOPER)
       end
       it { @abilities.allowed?(@u1, :write_project, @p1).should be_false }
@@ -32,8 +30,8 @@ describe Project do
     describe "admin access" do
       before do
-        @p1.users_projects.create(:project => @p1, :user => @u1, :project_access => Project::PROJECT_RW)
-        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => Project::PROJECT_RWA)
+        @p1.users_projects.create(:project => @p1, :user => @u1, :project_access => UsersProject::DEVELOPER)
+        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => UsersProject::MASTER)
       end
       it { @abilities.allowed?(@u1, :admin_project, @p1).should be_false }
@@ -20,11 +20,9 @@ describe &quot;Projects&quot; do
       @u2 = Factory :user
       @u3 = Factory :user
       # full access
-      @project.users_projects.create(:user => @u1, :project_access => Project::PROJECT_RWA)
-      # no access
-      @project.users_projects.create(:user => @u2, :project_access => Project::PROJECT_N)
+      @project.users_projects.create(:user => @u1, :project_access => UsersProject::MASTER)
       # readonly
-      @project.users_projects.create(:user => @u3, :project_access => Project::PROJECT_R)
+      @project.users_projects.create(:user => @u3, :project_access => UsersProject::REPORTER)
     end
     describe "GET /project_code" do
@@ -31,8 +31,7 @@ describe &quot;TeamMembers&quot; do
       before do
         within "#new_team_member" do 
           select @user_1.name, :from => "team_member_user_id"
-          select "Report", :from => "team_member_project_access"
-          select "Pull",   :from => "team_member_repo_access"
+          select "Reporter", :from => "team_member_project_access"
         end
       end
@@ -45,8 +44,7 @@ describe &quot;TeamMembers&quot; do
         page.should have_content @user_1.name
         @member.reload
-        @member.project_access.should == Project::PROJECT_RW
-        @member.repo_access.should == Repository::REPO_R
+        @member.project_access.should == UsersProject::REPORTER
       end
     end
   end
	@@ -28,7 +28,7 @@ class ProjectsController < ApplicationController		@@ -28,7 +28,7 @@ class ProjectsController < ApplicationController
28		28
29	Project.transaction do	29	Project.transaction do
30	@project.save!	30	@project.save!
31	- @project.users_projects.create!(:repo_access => Repository::REPO_RW , :project_access => Project::PROJECT_RWA, :user => current_user)	31	+ @project.users_projects.create!(:project_access => UsersProject::MASTER, :user => current_user)
32		32
33	# when project saved no team member exist so	33	# when project saved no team member exist so
34	# project repository should be updated after first user add	34	# project repository should be updated after first user add
	@@ -3,6 +3,12 @@		@@ -3,6 +3,12 @@
3		3
4	%h4 Reporter	4	%h4 Reporter
5	%ul	5	%ul
		6	+ %li Create new issue
		7	+ %li Create new merge request
		8	+ %li Write on project wall
		9	+
		10	+%h4 Reporter
		11	+%ul
6	%li Pull project code	12	%li Pull project code
7	%li Create new issue	13	%li Create new issue
8	%li Create new merge request	14	%li Create new merge request
	@@ -28,13 +28,6 @@		@@ -28,13 +28,6 @@
28	= form_for(@team_member, :as => :team_member, :url => project_team_member_path(@project, @team_member)) do \|f\|	28	= form_for(@team_member, :as => :team_member, :url => project_team_member_path(@project, @team_member)) do \|f\|
29	= f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select", :disabled => !allow_admin	29	= f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select", :disabled => !allow_admin
30		30
31	- %tr
32	- %td Repository Access
33	- %td
34	- = form_for(@team_member, :as => :team_member, :url => project_team_member_path(@project, @team_member)) do \|f\|
35	- = f.select :repo_access, options_for_select(Repository.access_options, @team_member.repo_access), {}, :class => "repo-access-select", :disabled => !allow_admin
36	-
37	-
38	- unless user.skype.empty?	31	- unless user.skype.empty?
39	%tr	32	%tr
40	%td Skype:	33	%td Skype:
	@@ -13,7 +13,6 @@		@@ -13,7 +13,6 @@
13		13
14	.span3	14	.span3
15	%span.label= member.project_access_human	15	%span.label= member.project_access_human
16	- %span.label= member.repo_access_human
17		16
18	- if can? current_user, :write_project, @project	17	- if can? current_user, :write_project, @project
19	- if @project.issues_enabled && @project.merge_requests_enabled	18	- if @project.issues_enabled && @project.merge_requests_enabled
@@ -0,0 +1,18 @@		@@ -0,0 +1,18 @@
	1	+class MoveToRolesPermissions < ActiveRecord::Migration
	2	+ def up
	3	+ repo_n = 0
	4	+ repo_r = 1
	5	+ repo_rw = 2
	6	+ project_rwa = 3
	7	+
	8	+ UsersProject.update_all ["project_access = ?", UsersProject::MASTER], ["project_access = ?", project_rwa]
	9	+ UsersProject.update_all ["project_access = ?", UsersProject::DEVELOPER], ["repo_access = ?", repo_rw]
	10	+ UsersProject.update_all ["project_access = ?", UsersProject::REPORTER], ["repo_access = ?", repo_r]
	11	+ UsersProject.update_all ["project_access = ?", UsersProject::GUEST], ["repo_access = ?", repo_n]
	12	+
	13	+ remove_column :users_projects, :repo_access
	14	+ end
	15	+
	16	+ def down
	17	+ end
	18	+end
	@@ -11,19 +11,7 @@		@@ -11,19 +11,7 @@
11	#	11	#
12	# It's strongly recommended to check this file into your version control system.	12	# It's strongly recommended to check this file into your version control system.
13		13
14	-ActiveRecord::Schema.define(:version => 20120215182305) do
15	-
16	- create_table "features", :force => true do \|t\|
17	- t.string "name"
18	- t.string "branch_name"
19	- t.integer "assignee_id"
20	- t.integer "author_id"
21	- t.integer "project_id"
22	- t.datetime "created_at"
23	- t.datetime "updated_at"
24	- t.string "version"
25	- t.integer "status", :default => 0, :null => false
26	- end	14	+ActiveRecord::Schema.define(:version => 20120216085842) do
27		15
28	create_table "issues", :force => true do \|t\|	16	create_table "issues", :force => true do \|t\|
29	t.string "title"	17	t.string "title"
	@@ -160,7 +148,6 @@ ActiveRecord::Schema.define(:version => 20120215182305) do		@@ -160,7 +148,6 @@ ActiveRecord::Schema.define(:version => 20120215182305) do
160	t.integer "project_id", :null => false	148	t.integer "project_id", :null => false
161	t.datetime "created_at"	149	t.datetime "created_at"
162	t.datetime "updated_at"	150	t.datetime "updated_at"
163	- t.integer "repo_access", :default => 0, :null => false
164	t.integer "project_access", :default => 0, :null => false	151	t.integer "project_access", :default => 0, :null => false
165	end	152	end
166		153