From d01c42a2844e40b9b2a5c7f7c562464cb9844eb5 Mon Sep 17 00:00:00 2001
From: Victor Costa
Date: Mon, 1 Jun 2015 16:05:10 -0300
Subject: [PATCH] New permission 'view_tasks' that allow only tasks visualization
---
 app/controllers/my_profile/tasks_controller.rb | 5 ++++-
 app/models/environment.rb | 3 ++-
 app/models/profile.rb | 1 +
 app/views/tasks/_task.html.erb | 15 ++++++++++++---
 app/views/tasks/index.html.erb | 25 +++++++++++++++----------
 test/functional/tasks_controller_test.rb | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 144 insertions(+), 15 deletions(-)
diff --git a/app/controllers/my_profile/tasks_controller.rb b/app/controllers/my_profile/tasks_controller.rb
index 343bed9..6296dc3 100644
--- a/app/controllers/my_profile/tasks_controller.rb
+++ b/app/controllers/my_profile/tasks_controller.rb
@@ -1,6 +1,7 @@
 class TasksController < MyProfileController
- protect 'perform_task', :profile
+ protect [:perform_task, :view_tasks], :profile, :only => [:index]
+ protect :perform_task, :profile, :except => [:index]
 def index
 @filter_type = params[:filter_type].presence
@@ -15,6 +16,8 @@ class TasksController < MyProfileController
 @failed = params ? params[:failed] : {}
 @responsible_candidates = profile.members.by_role(profile.roles.reject {|r| !r.has_permission?('perform_task')}) if profile.organization?
+
+ @view_only = !current_person.has_permission?(:perform_task, profile)
 end
 def processed
diff --git a/app/models/environment.rb b/app/models/environment.rb
index 050708a..502d07b 100644
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -75,7 +75,8 @@ class Environment < ActiveRecord::Base
 'edit_profile_design',
 'manage_products',
 'manage_friends',
- 'perform_task'
+ 'perform_task',
+ 'view_tasks'
 ]
 )
 end
diff --git a/app/models/profile.rb b/app/models/profile.rb
index 7338329..6cd2da0 100644
--- a/app/models/profile.rb
+++ b/app/models/profile.rb
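Review bot: In `tasks_controller.rb`, the first `protect` line now passes an array, and nothing visible in this patch shows whether `protect` reads `[:perform_task, :view_tasks]` as "any of" or "all of"; the access model of the whole controller rests on that. The new functional tests imply "any of", so I would state it next to the filters, e.g. `# index is read-only, so either permission admits; every other action still requires perform_task`. Keeping the second filter as `:except => [:index]` rather than a list of actions is the right default, because an action added later stays closed to view_tasks holders unless someone opts it in. The filters also move from the string 'perform_task' to symbols while the `reject` call in the next hunk still passes a string; presumably both forms resolve the same way, but that is worth confirming. The class body continues outside the hunk.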
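Review bot: In the second `tasks_controller.rb` hunk, `@view_only` only decides what the templates draw, and a comment should say so, so that nobody later mistakes it for the access check: `# presentation only; write actions are enforced by the protect filters at the top of the class`. The flag is assigned in `index` alone, so it is nil in any other action that renders the same partial, and the templates read nil as "may act". It is also derived from `has_permission?` while access is decided by `protect`; if those two can disagree for some account (not visible here), the page would show or hide controls inconsistently with what the server accepts. `index` starts before this hunk.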
@@ -71,6 +71,7 @@ class Profile < ActiveRecord::Base
 'manage_friends' => N_('Manage friends'),
 'validate_enterprise' => N_('Validate enterprise'),
 'perform_task' => N_('Perform task'),
+ 'view_tasks' => N_('View tasks'),
 'moderate_comments' => N_('Moderate comments'),
 'edit_appearance' => N_('Edit appearance'),
 'view_private_content' => N_('View private content'),
diff --git a/app/views/tasks/_task.html.erb b/app/views/tasks/_task.html.erb
index a4a7ea1..d1a4cd2 100644
--- a/app/views/tasks/_task.html.erb
+++ b/app/views/tasks/_task.html.erb
@@ -2,7 +2,7 @@
 <%= render :partial => 'task_icon', :locals => {:task => task} %>
- <% if profile.organization? && @responsible_candidates.present? %>
+ <% if !@view_only && profile.organization? && @responsible_candidates.present? %>
<%= _('Assign to:') %> @@ -12,8 +12,16 @@
<% end %> + <% if @view_only && task.responsible.present? %> +
+ <%= _('Assigned to:') %> + <%= task.responsible.name %> +
+ <% end %> +
- <%= + <% unless @view_only %> + <%= labelled_radio_button(_("Accept"), "tasks[#{task.id}][decision]", 'finish', task.default_decision == 'accept', :id => "decision-finish-#{task.id}", :class => 'task_accept_radio', @@ -29,7 +37,8 @@ :class => 'task_skip_radio', :disabled => task.skip_disabled?, :task_id => "#{task.id}") - %> + %> + <% end %>
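Review bot: The guards in `_task.html.erb` (`!@view_only` in the first hunk, `unless @view_only` here) draw the assignment and decision controls whenever the variable is unset, so the partial fails open if it is ever rendered from an action that does not assign it. Server-side filters still decide what a POST can do, but a guard that needs an explicit grant is safer to maintain, for example `<% if @view_only == false %>` around the radio buttons. The new `Assigned to:` block prints `task.responsible.name` through `<%= %>`, which is HTML-escaped only if this Rails version escapes ERB output by default; that should be confirmed, since a display name is user-controlled text.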
<%= show_time(task.created_at) %>
diff --git a/app/views/tasks/index.html.erb b/app/views/tasks/index.html.erb index efd4694..6eb8533 100644 --- a/app/views/tasks/index.html.erb +++ b/app/views/tasks/index.html.erb @@ -46,36 +46,41 @@

<% else %> <%= form_tag :action => 'close' do%> - <% button_bar do %> + <% button_bar(:class => 'task-actions') do %> <%# FiXME button(:edit, _('View my requests'), :action => 'list_requested') %> <%# FIXME button('menu-mail', _('Send request'), :action => 'new') %> <%= submit_button :save, _("Apply!") %> <%= button(:edit, _('View processed tasks'), :action => 'processed') %> <%= button(:back, _('Back to control panel'), :controller => 'profile_editor') %> - <% end %> + <% end unless @view_only %> <%= pagination_links(@tasks)%> - <% button_bar do %> + <% button_bar(:class => 'task-actions') do %> <%# FiXME button(:edit, _('View my requests'), :action => 'list_requested') %> <%# FIXME button('menu-mail', _('Send request'), :action => 'new') %> <%= submit_button :save, _("Apply!") %> <%= button(:edit, _('View processed tasks'), :action => 'processed') %> <%= button(:back, _('Back to control panel'), :controller => 'profile_editor') %> - <% end %> + <% end unless @view_only %> <% end %> <% end %>
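Review bot: `<% end unless @view_only %>` hides each button bar by hanging a statement modifier on the closing tag of the block, which is easy to miss when reading the template; an explicit `<% unless @view_only %>` … `<% end %>` around each bar, as `_task.html.erb` does for the radio buttons, reads more clearly. The surrounding `form_tag :action => 'close'` is still emitted for view-only users, so the page keeps a form aimed at an action they are refused; rendering the list outside the form for them would keep the markup in line with the permission. Hiding the whole bar also removes 'Back to control panel' for these users, which may or may not be intended. The hunk header counts more added lines than appear on this page, so part of the change may be missing here.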

diff --git a/test/functional/tasks_controller_test.rb b/test/functional/tasks_controller_test.rb index 5c2090c..ed943d2 100644 --- a/test/functional/tasks_controller_test.rb +++ b/test/functional/tasks_controller_test.rb 
@@ -520,4 +520,114 @@ class TasksControllerTest < ActionController::TestCase
 assert !json_response['success']
 end
+ should 'list tasks for user with only view_tasks permission' do
+ community = fast_create(Community)
+ @controller.stubs(:profile).returns(community)
+ person = create_user_with_permission('taskviewer', 'view_tasks', community)
+ login_as person.user.login
+ get :index
+ assert_response :success
+ assert assigns(:view_only)
+ end
+
+ should 'forbid user with only view_tasks permission to close a task' do
+ community = fast_create(Community)
+ @controller.stubs(:profile).returns(community)
+ person = create_user_with_permission('taskviewer', 'view_tasks', community)
+ login_as person.user.login
+ post :close
+ assert_response 403
+ end
+
+ should 'hide tasks actions when user has only view_tasks permission' do
+ community = fast_create(Community)
+ @controller.stubs(:profile).returns(community)
+ person = create_user_with_permission('taskviewer', 'view_tasks', community)
+ login_as person.user.login
+
+ Task.create!(:requestor => person, :target => community)
+ get :index
+
+ assert_select '.task-actions', 0
+ end
+
+ should 'display tasks actions when user has perform_task permission' do
+ community = fast_create(Community)
+ @controller.stubs(:profile).returns(community)
+ person = create_user_with_permission('taskperformer', 'perform_task', community)
+ login_as person.user.login
+
+ Task.create!(:requestor => person, :target => community)
+ get :index
+
+ assert_select '.task-actions', 2
+ end
+
+ should 'hide decision selector when user has only view_tasks permission' do
+ community = fast_create(Community)
+ @controller.stubs(:profile).returns(community)
+ person = create_user_with_permission('taskviewer', 'view_tasks', community)
+ login_as person.user.login
+
+ Task.create!(:requestor => person, :target => community)
+ get :index
+
+ assert_select '#up-set-all-tasks-to', 0
+ assert_select '#down-set-all-tasks-to', 0
+ end
+
+ should 'display
decision selector when user has perform_task permission' do
+ community = fast_create(Community)
+ @controller.stubs(:profile).returns(community)
+ person = create_user_with_permission('taskperformer', 'perform_task', community)
+ login_as person.user.login
+
+ Task.create!(:requestor => person, :target => community)
+ get :index
+
+ assert_select '#up-set-all-tasks-to'
+ assert_select '#down-set-all-tasks-to'
+ end
+
+ should 'hide decision buttons when user has only view_tasks permission' do
+ community = fast_create(Community)
+ @controller.stubs(:profile).returns(community)
+ person = create_user_with_permission('taskviewer', 'view_tasks', community)
+ login_as person.user.login
+
+ task = Task.create!(:requestor => person, :target => community)
+ get :index
+
+ assert_select "#decision-finish-#{task.id}", 0
+ assert_select "#decision-cancel-#{task.id}", 0
+ assert_select "#decision-skip-#{task.id}", 0
+ end
+
+ should 'display decision buttons when user has perform_task permission' do
+ community = fast_create(Community)
+ @controller.stubs(:profile).returns(community)
+ person = create_user_with_permission('taskperformer', 'perform_task', community)
+ login_as person.user.login
+
+ task = Task.create!(:requestor => person, :target => community)
+ get :index
+
+ assert_select "#decision-finish-#{task.id}"
+ assert_select "#decision-cancel-#{task.id}"
+ assert_select "#decision-skip-#{task.id}"
+ end
+
+ should 'hide responsive selection when user has only view_tasks permission' do
+ community = fast_create(Community)
+ @controller.stubs(:profile).returns(community)
+ person = create_user_with_permission('taskviewer', 'view_tasks', community)
+ login_as person.user.login
+
+ task = Task.create!(:requestor => person, :target => community, :responsible => person)
+ get :index
+
+ assert_select ".task_responsible select", 0
+ assert_select ".task_responsible .value"
+ end
+
 end
--
libgit2 0.21.2
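Review bot: The new tests exercise only `close` among the actions that must stay closed to a view_tasks holder, so the `:except => [:index]` filter is pinned for a single action. `processed` is visible in the controller and makes a cheap second case, sketched below; a further test that an account holding neither permission is refused on `index` would cover the other side of the array form. The last test's title says 'responsive selection' where 'responsible' is presumably meant. The test class begins before this hunk.

```ruby
should 'forbid user with only view_tasks permission to list processed tasks' do
  community = fast_create(Community)
  @controller.stubs(:profile).returns(community)
  person = create_user_with_permission('taskviewer', 'view_tasks', community)
  login_as person.user.login
  get :processed
  assert_response 403
end
```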