Commit ccc9bed89365fd4a13253d2491ab45345f04a5c3

Authored by Dmitriy Zaporozhets
1 parent 7a9fc480

Abilities refactoring

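--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -6,8 +6,18 @@ class IssuesController < ApplicationController
 
 # Authorize
 before_filter :add_project_abilities
+
+# Allow read any issue
 before_filter :authorize_read_issue!
-before_filter :authorize_write_issue!, :only => [:new, :create, :close, :edit, :update, :sort]
+
+# Allow write(create) issue
+before_filter :authorize_write_issue!, :only => [:new, :create]
+
+# Allow modify issue
+before_filter :authorize_modify_issue!, :only => [:close, :edit, :update, :sort]
+
+# Allow destroy issue
+before_filter :authorize_admin_issue!, :only => [:destroy]
 
 respond_to :js, :html
 
@@ -115,4 +125,13 @@ class IssuesController < ApplicationController
 def issue
 @issue ||= @project.issues.find(params[:id])
 end
+
+def authorize_modify_issue!
+can?(current_user, :modify_issue, @issue) ||
+@issue.assignee == current_user
+end
+
+def authorize_admin_issue!
+can?(current_user, :admin_issue, @issue)
+end
 end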
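Review bot: `authorize_modify_issue!` and `authorize_admin_issue!` in the second hunk only evaluate to a boolean, and a Rails before_filter is not halted by a false return value, only by a render or redirect, so a user who fails the check still reaches close/edit/update/sort and destroy. Each method should deny the request the same way the existing `authorize_read_issue!`/`authorize_write_issue!` filters (defined outside this page) presumably do, e.g. `return deny_access unless can?(current_user, :modify_issue, @issue) || @issue.assignee == current_user`, where `deny_access` stands for whatever redirect-or-403 helper those filters use. The filters also read `@issue` directly; if nothing earlier in the chain assigns it, `can?` and `@issue.assignee` see nil, so calling the memoizing `issue` helper instead would be safer. The same non-halting shape appears in merge_requests_controller.rb (`authorize_modify_merge_request!`, `authorize_admin_merge_request!`) and snippets_controller.rb (`authorize_modify_snippet!`, `authorize_admin_snippet!`).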
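--- a/app/controllers/merge_requests_controller.rb
+++ b/app/controllers/merge_requests_controller.rb
@@ -6,8 +6,18 @@ class MergeRequestsController < ApplicationController
 
 # Authorize
 before_filter :add_project_abilities
-before_filter :authorize_read_project!
-before_filter :authorize_write_project!, :only => [:new, :create, :edit, :update]
+
+# Allow read any merge_request
+before_filter :authorize_read_merge_request!
+
+# Allow write(create) merge_request
+before_filter :authorize_write_merge_request!, :only => [:new, :create]
+
+# Allow modify merge_request
+before_filter :authorize_modify_merge_request!, :only => [:close, :edit, :update, :sort]
+
+# Allow destroy merge_request
+before_filter :authorize_admin_merge_request!, :only => [:destroy]
 
 def index
 @merge_requests = @project.merge_requests
@@ -85,4 +95,13 @@ class MergeRequestsController < ApplicationController
 def merge_request
 @merge_request ||= @project.merge_requests.find(params[:id])
 end
+
+def authorize_modify_merge_request!
+can?(current_user, :modify_merge_request, @merge_request) ||
+@merge_request.assignee == current_user
+end
+
+def authorize_admin_merge_request!
+can?(current_user, :admin_merge_request, @merge_request)
+end
 end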
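--- a/app/controllers/notes_controller.rb
+++ b/app/controllers/notes_controller.rb
@@ -3,6 +3,8 @@ class NotesController < ApplicationController
 
 # Authorize
 before_filter :add_project_abilities
+
+before_filter :authorize_read_note!
 before_filter :authorize_write_note!, :only => [:create]
 
 respond_to :js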
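--- a/app/controllers/snippets_controller.rb
+++ b/app/controllers/snippets_controller.rb
@@ -5,8 +5,18 @@ class SnippetsController < ApplicationController
 
 # Authorize
 before_filter :add_project_abilities
+
+# Allow read any snippet
 before_filter :authorize_read_snippet!
-before_filter :authorize_write_snippet!, :only => [:new, :create, :close, :edit, :update, :sort]
+
+# Allow write(create) snippet
+before_filter :authorize_write_snippet!, :only => [:new, :create]
+
+# Allow modify snippet
+before_filter :authorize_modify_snippet!, :only => [:edit, :update]
+
+# Allow destroy snippet
+before_filter :authorize_admin_snippet!, :only => [:destroy]
 
 respond_to :html
 
@@ -60,4 +70,14 @@ class SnippetsController < ApplicationController
 
 redirect_to project_snippets_path(@project)
 end
+
+protected
+
+def authorize_modify_snippet!
+can?(current_user, :modify_snippet, @snippet)
+end
+
+def authorize_admin_snippet!
+can?(current_user, :admin_snippet, @snippet)
+end
 end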
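--- a/app/controllers/team_members_controller.rb
+++ b/app/controllers/team_members_controller.rb
@@ -5,7 +5,7 @@ class TeamMembersController < ApplicationController
 # Authorize
 before_filter :add_project_abilities
 before_filter :authorize_read_project!
-before_filter :authorize_admin_project!, :only => [:new, :create, :destroy, :update]
+before_filter :authorize_admin_project!, :except => [:show]
 
 def show
 @team_member = project.users_projects.find(params[:id])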
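--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -19,7 +19,7 @@ class Ability
 :read_team_member,
 :read_merge_request,
 :read_note
-] if project.readers.include?(user)
+] if project.allow_read_for?(user)
 
 rules << [
 :write_project,
@@ -27,16 +27,18 @@ class Ability
 :write_snippet,
 :write_merge_request,
 :write_note
-] if project.writers.include?(user)
+] if project.allow_write_for?(user)
 
 rules << [
+:modify_issue,
+:modify_snippet,
 :admin_project,
 :admin_issue,
 :admin_snippet,
 :admin_team_member,
 :admin_merge_request,
 :admin_note
-] if project.admins.include?(user)
+] if project.allow_admin_for?(user)
 
 rules.flatten
 end
@@ -48,6 +50,7 @@ class Ability
 [
 :"read_#{name}",
 :"write_#{name}",
+:"modify_#{name}",
 :"admin_#{name}"
 ]
 else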
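Review bot: The admin rule list in the second hunk gains `:modify_issue` and `:modify_snippet` but no `:modify_merge_request`, while merge_requests_controller.rb in this same commit now gates close/edit/update/sort on `can?(current_user, :modify_merge_request, @merge_request)`; unless that ability is granted somewhere not shown here, project admins can never modify a merge request and only its assignee passes. Adding `:modify_merge_request,` beside the other two keeps the four resources symmetric with the controllers. The `:"modify_#{name}"` line in the last hunk sits in a method whose start and end are outside the hunk, so whether it covers merge requests cannot be confirmed from this page.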
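--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -161,6 +161,18 @@ class Project < ActiveRecord::Base
 @admins ||= users_projects.includes(:user).where(:project_access => PROJECT_RWA).map(&:user)
 end
 
+def allow_read_for?(user)
+!users_projects.where(:user_id => user.id, :project_access => [PROJECT_R, PROJECT_RW, PROJECT_RWA]).empty?
+end
+
+def allow_write_for?(user)
+!users_projects.where(:user_id => user.id, :project_access => [PROJECT_RW, PROJECT_RWA]).empty?
+end
+
+def allow_admin_for?(user)
+!users_projects.where(:user_id => user.id, :project_access => [PROJECT_RWA]).empty? || owner_id == user.id
+end
+
 def root_ref
 default_branch || "master"
 end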
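Review bot: `allow_read_for?`, `allow_write_for?` and `allow_admin_for?` call `user.id` unguarded, so if Ability is ever evaluated with a nil user (an anonymous visitor) the check raises NoMethodError where the replaced `project.readers.include?(user)` simply returned false. Only `allow_admin_for?` consults `owner_id`; since ability.rb grants the read, write and admin rule sets independently, an owner without a users_projects row would receive admin_* abilities but not read_*/write_*, unless owners are always given such a row (not visible here). Folding the three queries into one helper with a nil guard and an `exists?` check (which avoids loading rows just to test emptiness) addresses both points; the owner short-circuit in the helper is only correct if owners are meant to have full access at every level.
```ruby
def allow_read_for?(user)
  access_for?(user, [PROJECT_R, PROJECT_RW, PROJECT_RWA])
end

def allow_write_for?(user)
  access_for?(user, [PROJECT_RW, PROJECT_RWA])
end

def allow_admin_for?(user)
  access_for?(user, [PROJECT_RWA])
end

# nil user never qualifies; the owner always does; otherwise look for a
# users_projects row at one of the given access levels.
def access_for?(user, levels)
  return false unless user
  owner_id == user.id || users_projects.where(:user_id => user.id, :project_access => levels).exists?
end
```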