Abilities refactoring

Dmitriy Zaporozhets
1 parent 7a9fc480
Showing 7 changed files with 83 additions and 8 deletions Show diff stats
app/controllers/issues_controller.rb
app/controllers/merge_requests_controller.rb
app/controllers/notes_controller.rb
app/controllers/snippets_controller.rb
app/controllers/team_members_controller.rb
app/models/ability.rb
app/models/project.rb
@@ -6,8 +6,18 @@ class IssuesController &lt; ApplicationController
   # Authorize
   before_filter :add_project_abilities
+
+  # Allow read any issue
   before_filter :authorize_read_issue!
-  before_filter :authorize_write_issue!, :only => [:new, :create, :close, :edit, :update, :sort]
+
+  # Allow write(create) issue
+  before_filter :authorize_write_issue!, :only => [:new, :create]
+
+  # Allow modify issue
+  before_filter :authorize_modify_issue!, :only => [:close, :edit, :update, :sort]
+
+  # Allow destroy issue
+  before_filter :authorize_admin_issue!, :only => [:destroy]
   respond_to :js, :html
@@ -115,4 +125,13 @@ class IssuesController &lt; ApplicationController
   def issue
     @issue ||= @project.issues.find(params[:id])
   end
+
+  def authorize_modify_issue!
+    can?(current_user, :modify_issue, @issue) || 
+      @issue.assignee == current_user
+  end
+
+  def authorize_admin_issue!
+    can?(current_user, :admin_issue, @issue)
+  end
 end
@@ -6,8 +6,18 @@ class MergeRequestsController &lt; ApplicationController
   # Authorize
   before_filter :add_project_abilities
-  before_filter :authorize_read_project!
-  before_filter :authorize_write_project!, :only => [:new, :create, :edit, :update]
+
+  # Allow read any merge_request
+  before_filter :authorize_read_merge_request!
+
+  # Allow write(create) merge_request
+  before_filter :authorize_write_merge_request!, :only => [:new, :create]
+
+  # Allow modify merge_request
+  before_filter :authorize_modify_merge_request!, :only => [:close, :edit, :update, :sort]
+
+  # Allow destroy merge_request
+  before_filter :authorize_admin_merge_request!, :only => [:destroy]
   def index
     @merge_requests = @project.merge_requests
@@ -85,4 +95,13 @@ class MergeRequestsController &lt; ApplicationController
   def merge_request
     @merge_request ||= @project.merge_requests.find(params[:id])
   end
+
+  def authorize_modify_merge_request!
+    can?(current_user, :modify_merge_request, @merge_request) || 
+      @merge_request.assignee == current_user
+  end
+
+  def authorize_admin_merge_request!
+    can?(current_user, :admin_merge_request, @merge_request)
+  end
 end
@@ -3,6 +3,8 @@ class NotesController &lt; ApplicationController
   # Authorize
   before_filter :add_project_abilities
+
+  before_filter :authorize_read_note!
   before_filter :authorize_write_note!, :only => [:create]
   respond_to :js
@@ -5,8 +5,18 @@ class SnippetsController &lt; ApplicationController
   # Authorize
   before_filter :add_project_abilities
+
+  # Allow read any snippet
   before_filter :authorize_read_snippet!
-  before_filter :authorize_write_snippet!, :only => [:new, :create, :close, :edit, :update, :sort]
+
+  # Allow write(create) snippet
+  before_filter :authorize_write_snippet!, :only => [:new, :create]
+
+  # Allow modify snippet
+  before_filter :authorize_modify_snippet!, :only => [:edit, :update]
+
+  # Allow destroy snippet
+  before_filter :authorize_admin_snippet!, :only => [:destroy]
   respond_to :html
@@ -60,4 +70,14 @@ class SnippetsController &lt; ApplicationController
     redirect_to project_snippets_path(@project)
   end
+
+  protected
+
+  def authorize_modify_snippet!
+    can?(current_user, :modify_snippet, @snippet)
+  end
+
+  def authorize_admin_snippet!
+    can?(current_user, :admin_snippet, @snippet)
+  end
 end
@@ -5,7 +5,7 @@ class TeamMembersController &lt; ApplicationController
   # Authorize
   before_filter :add_project_abilities
   before_filter :authorize_read_project!
-  before_filter :authorize_admin_project!, :only => [:new, :create, :destroy, :update]
+  before_filter :authorize_admin_project!, :except => [:show]
   def show
     @team_member = project.users_projects.find(params[:id])
@@ -19,7 +19,7 @@ class Ability
       :read_team_member,
       :read_merge_request,
       :read_note
-    ] if project.readers.include?(user)
+    ] if project.allow_read_for?(user)
     rules << [
       :write_project,
@@ -27,16 +27,18 @@ class Ability
       :write_snippet,
       :write_merge_request,
       :write_note
-    ] if project.writers.include?(user)
+    ] if project.allow_write_for?(user)
     rules << [
+      :modify_issue,
+      :modify_snippet,
       :admin_project,
       :admin_issue,
       :admin_snippet,
       :admin_team_member,
       :admin_merge_request,
       :admin_note
-    ] if project.admins.include?(user)
+    ] if project.allow_admin_for?(user)
     rules.flatten
   end
@@ -48,6 +50,7 @@ class Ability
           [
             :"read_#{name}",
             :"write_#{name}",
+            :"modify_#{name}",
             :"admin_#{name}"
           ]
         else
@@ -161,6 +161,18 @@ class Project &lt; ActiveRecord::Base
     @admins ||= users_projects.includes(:user).where(:project_access => PROJECT_RWA).map(&:user)
   end
+  def allow_read_for?(user)
+    !users_projects.where(:user_id => user.id, :project_access => [PROJECT_R, PROJECT_RW, PROJECT_RWA]).empty?
+  end
+
+  def allow_write_for?(user)
+    !users_projects.where(:user_id => user.id, :project_access => [PROJECT_RW, PROJECT_RWA]).empty?
+  end
+
+  def allow_admin_for?(user)
+    !users_projects.where(:user_id => user.id, :project_access => [PROJECT_RWA]).empty? || owner_id == user.id
+  end
+
   def root_ref 
     default_branch || "master"
   end
	@@ -6,8 +6,18 @@ class IssuesController < ApplicationController		@@ -6,8 +6,18 @@ class IssuesController < ApplicationController
6		6
7	# Authorize	7	# Authorize
8	before_filter :add_project_abilities	8	before_filter :add_project_abilities
		9	+
		10	+ # Allow read any issue
9	before_filter :authorize_read_issue!	11	before_filter :authorize_read_issue!
10	- before_filter :authorize_write_issue!, :only => [:new, :create, :close, :edit, :update, :sort]	12	+
		13	+ # Allow write(create) issue
		14	+ before_filter :authorize_write_issue!, :only => [:new, :create]
		15	+
		16	+ # Allow modify issue
		17	+ before_filter :authorize_modify_issue!, :only => [:close, :edit, :update, :sort]
		18	+
		19	+ # Allow destroy issue
		20	+ before_filter :authorize_admin_issue!, :only => [:destroy]
11		21
12	respond_to :js, :html	22	respond_to :js, :html
13		23
	@@ -115,4 +125,13 @@ class IssuesController < ApplicationController		@@ -115,4 +125,13 @@ class IssuesController < ApplicationController
115	def issue	125	def issue
116	@issue \|\|= @project.issues.find(params[:id])	126	@issue \|\|= @project.issues.find(params[:id])
117	end	127	end
		128	+
		129	+ def authorize_modify_issue!
		130	+ can?(current_user, :modify_issue, @issue) \|\|
		131	+ @issue.assignee == current_user
		132	+ end
		133	+
		134	+ def authorize_admin_issue!
		135	+ can?(current_user, :admin_issue, @issue)
		136	+ end
118	end	137	end
	@@ -6,8 +6,18 @@ class MergeRequestsController < ApplicationController		@@ -6,8 +6,18 @@ class MergeRequestsController < ApplicationController
6		6
7	# Authorize	7	# Authorize
8	before_filter :add_project_abilities	8	before_filter :add_project_abilities
9	- before_filter :authorize_read_project!
10	- before_filter :authorize_write_project!, :only => [:new, :create, :edit, :update]	9	+
		10	+ # Allow read any merge_request
		11	+ before_filter :authorize_read_merge_request!
		12	+
		13	+ # Allow write(create) merge_request
		14	+ before_filter :authorize_write_merge_request!, :only => [:new, :create]
		15	+
		16	+ # Allow modify merge_request
		17	+ before_filter :authorize_modify_merge_request!, :only => [:close, :edit, :update, :sort]
		18	+
		19	+ # Allow destroy merge_request
		20	+ before_filter :authorize_admin_merge_request!, :only => [:destroy]
11		21
12	def index	22	def index
13	@merge_requests = @project.merge_requests	23	@merge_requests = @project.merge_requests
	@@ -85,4 +95,13 @@ class MergeRequestsController < ApplicationController		@@ -85,4 +95,13 @@ class MergeRequestsController < ApplicationController
85	def merge_request	95	def merge_request
86	@merge_request \|\|= @project.merge_requests.find(params[:id])	96	@merge_request \|\|= @project.merge_requests.find(params[:id])
87	end	97	end
		98	+
		99	+ def authorize_modify_merge_request!
		100	+ can?(current_user, :modify_merge_request, @merge_request) \|\|
		101	+ @merge_request.assignee == current_user
		102	+ end
		103	+
		104	+ def authorize_admin_merge_request!
		105	+ can?(current_user, :admin_merge_request, @merge_request)
		106	+ end
88	end	107	end
	@@ -3,6 +3,8 @@ class NotesController < ApplicationController		@@ -3,6 +3,8 @@ class NotesController < ApplicationController
3		3
4	# Authorize	4	# Authorize
5	before_filter :add_project_abilities	5	before_filter :add_project_abilities
		6	+
		7	+ before_filter :authorize_read_note!
6	before_filter :authorize_write_note!, :only => [:create]	8	before_filter :authorize_write_note!, :only => [:create]
7		9
8	respond_to :js	10	respond_to :js
	@@ -5,8 +5,18 @@ class SnippetsController < ApplicationController		@@ -5,8 +5,18 @@ class SnippetsController < ApplicationController
5		5
6	# Authorize	6	# Authorize
7	before_filter :add_project_abilities	7	before_filter :add_project_abilities
		8	+
		9	+ # Allow read any snippet
8	before_filter :authorize_read_snippet!	10	before_filter :authorize_read_snippet!
9	- before_filter :authorize_write_snippet!, :only => [:new, :create, :close, :edit, :update, :sort]	11	+
		12	+ # Allow write(create) snippet
		13	+ before_filter :authorize_write_snippet!, :only => [:new, :create]
		14	+
		15	+ # Allow modify snippet
		16	+ before_filter :authorize_modify_snippet!, :only => [:edit, :update]
		17	+
		18	+ # Allow destroy snippet
		19	+ before_filter :authorize_admin_snippet!, :only => [:destroy]
10		20
11	respond_to :html	21	respond_to :html
12		22
	@@ -60,4 +70,14 @@ class SnippetsController < ApplicationController		@@ -60,4 +70,14 @@ class SnippetsController < ApplicationController
60		70
61	redirect_to project_snippets_path(@project)	71	redirect_to project_snippets_path(@project)
62	end	72	end
		73	+
		74	+ protected
		75	+
		76	+ def authorize_modify_snippet!
		77	+ can?(current_user, :modify_snippet, @snippet)
		78	+ end
		79	+
		80	+ def authorize_admin_snippet!
		81	+ can?(current_user, :admin_snippet, @snippet)
		82	+ end
63	end	83	end
	@@ -5,7 +5,7 @@ class TeamMembersController < ApplicationController		@@ -5,7 +5,7 @@ class TeamMembersController < ApplicationController
5	# Authorize	5	# Authorize
6	before_filter :add_project_abilities	6	before_filter :add_project_abilities
7	before_filter :authorize_read_project!	7	before_filter :authorize_read_project!
8	- before_filter :authorize_admin_project!, :only => [:new, :create, :destroy, :update]	8	+ before_filter :authorize_admin_project!, :except => [:show]
9		9
10	def show	10	def show
11	@team_member = project.users_projects.find(params[:id])	11	@team_member = project.users_projects.find(params[:id])
	@@ -161,6 +161,18 @@ class Project < ActiveRecord::Base		@@ -161,6 +161,18 @@ class Project < ActiveRecord::Base
161	@admins \|\|= users_projects.includes(:user).where(:project_access => PROJECT_RWA).map(&:user)	161	@admins \|\|= users_projects.includes(:user).where(:project_access => PROJECT_RWA).map(&:user)
162	end	162	end
163		163
		164	+ def allow_read_for?(user)
		165	+ !users_projects.where(:user_id => user.id, :project_access => [PROJECT_R, PROJECT_RW, PROJECT_RWA]).empty?
		166	+ end
		167	+
		168	+ def allow_write_for?(user)
		169	+ !users_projects.where(:user_id => user.id, :project_access => [PROJECT_RW, PROJECT_RWA]).empty?
		170	+ end
		171	+
		172	+ def allow_admin_for?(user)
		173	+ !users_projects.where(:user_id => user.id, :project_access => [PROJECT_RWA]).empty? \|\| owner_id == user.id
		174	+ end
		175	+
164	def root_ref	176	def root_ref
165	default_branch \|\| "master"	177	default_branch \|\| "master"
166	end	178	end