rosa-build/app/models/ability.rb

class Ability
  include CanCan::Ability

  def initialize(user)
    user ||= User.new # guest user (not logged in)
    
    if user.admin?
      can :manage, :all
    else
      #WARNING:
      # - put cannot rules _after_ can rules and not before!
      # - beware inner joins. Use sub queries against them! 
      # Shared rights between guests and registered users
      can :forbidden, Platform

      #cannot :read, Platform, :visibility => 'hidden'
      can :read, [Project, Platform], :visibility => 'open'

      # Guest rights
      if user.guest?
        can :create, User
          
      # Registered user rights
      else
        # If rules goes one by one CanCan joins them by 'OR' sql operator
        can :read, Project, :visibility => 'open'
        # User can read and edit his profile:
        can :manage, User, :id => user.id
        can :manage_collaborators, Project do |project|
          project.relations.exists? :object_id => user.id, :object_type => 'User', :role => 'admin'
        end

        # If rule has multiple conditions CanCan joins them by 'AND' sql operator
        can [:read, :update, :process_build, :build, :destroy], Project, :owner_type => 'User', :owner_id => user.id
        #can :read, Project, :relations => {:role => 'read'}
        can :read, Project, projects_in_relations_with(:role => 'read', :object_type => 'User', :object_id => user.id) do |project|
          #The can? and cannot? call cannot be used with a raw sql 'can' definition.
          project.relations.exists?(:role => 'read', :object_type => 'User', :object_id => user.id)
        end
        #can [:update, :process_build, :build], Project, :relations => {:role => 'write'}
        can [:read, :update, :process_build, :build], Project, projects_in_relations_with(:role => ['write', 'admin'], :object_type => 'User', :object_id => user.id)  do |project|
          project.relations.exists?(:role => ['write', 'admin'], :object_type => 'User', :object_id => user.id)
        end
        
        can :read, Platform, :owner_type => 'User', :owner_id => user.id
        #can :read, Platform, :members => {:id => user.id}
        can :read, Platform, platforms_in_relations_with(:role => 'read', :object_type => 'User', :object_id => user.id) do |platform|
          platform.relations.exists?(:role => 'read', :object_type => 'User', :object_id => user.id)
        end
        
        #can :read, Repository
        # TODO: Add personal repos rules
        
        # Same rights for groups:
        can [:read, :update, :process_build, :build, :destroy], Project, :owner_type => 'Group', :owner_id => user.group_ids
        #can :read, Project, :relations => {:role => 'read', :object_type => 'Group', :object_id => user.group_ids}
        can :read, Project, projects_in_relations_with(:role => 'read', :object_type => 'Group', :object_id => user.group_ids) do |project|
          project.relations.exists?(:role => 'read', :object_type => 'Group', :object_id => user.group_ids)
        end
        #can [:update, :process_build, :build], Project, :relations => {:role => 'write', :object_type => 'Group', :object_id => user.group_ids}
        can [:read, :update, :process_build, :build], Project, projects_in_relations_with(:role => ['write', 'admin'], :object_type => 'Group', :object_id => user.group_ids) do |project|
          project.relations.exists?(:role => ['write', 'admin'], :object_type => 'Group', :object_id => user.group_ids)
        end
        
        can :manage, Platform, :owner_type => 'Group', :owner_id => user.group_ids
        #can :read, Platform, :groups => {:id => user.group_ids}
        can :read, Platform, platforms_in_relations_with(:role => 'read', :object_type => 'Group', :object_id => user.group_ids) do |platform|
          platform.relations.exists?(:role => 'read', :object_type => 'Group', :object_id => user.group_ids)
        end
      end
    end
    
    # Shared rights for all users (guests, registered, admin)
    cannot :destroy, Platform, :platform_type => 'personal'
  end

  # Sub query for platforms, projects relations
  %w[platforms projects repositories].each do |table_name|
    define_method table_name + "_in_relations_with" do |opts|
      query = "#{ table_name }.id IN (SELECT target_id FROM relations WHERE relations.target_type = '#{ table_name.singularize.camelize }'"
      opts.each do |key, value|
        query = query + " AND relations.#{ key } #{ value.class == Array ? 'IN (?)' : '= ?' } "
      end
      query = query + ")"

      return opts.values.unshift query
    end
  end

  ## Sub query for project relations
  #def projects_in_relations_with(opts={})
  #  ["projects.id IN (SELECT target_id FROM relations WHERE relations.object_id #{ opts[:object_id].class == Array ? 'IN (?)' : '= ?' } AND relations.object_type = '#{ opts[:object_type] }' AND relations.target_type = 'Platform') AND relations.role", opts[:object_id]]
  #end
end
Remove custom ACL calls. Add CanCan and some rules. Add bitmask_attribute 2011-11-15 20:05:08 +00:00			`class Ability`
			`include CanCan::Ability`

			`def initialize(user)`
			`user \|\|= User.new # guest user (not logged in)`
[refs #2249] Remove bitmask. Add new rules. Add some authorize filters. Add some template can? helpers 2011-11-16 18:45:01 +00:00
Remove custom ACL calls. Add CanCan and some rules. Add bitmask_attribute 2011-11-15 20:05:08 +00:00			`if user.admin?`
			`can :manage, :all`
			`else`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00			`#WARNING:`
			`# - put cannot rules _after_ can rules and not before!`
			`# - beware inner joins. Use sub queries against them!`
Remove custom ACL calls. Add CanCan and some rules. Add bitmask_attribute 2011-11-15 20:05:08 +00:00			`# Shared rights between guests and registered users`
[refs #2249] Remove bitmask. Add new rules. Add some authorize filters. Add some template can? helpers 2011-11-16 18:45:01 +00:00			`can :forbidden, Platform`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00
			`#cannot :read, Platform, :visibility => 'hidden'`
			`can :read, [Project, Platform], :visibility => 'open'`

Remove custom ACL calls. Add CanCan and some rules. Add bitmask_attribute 2011-11-15 20:05:08 +00:00			`# Guest rights`
			`if user.guest?`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00			`can :create, User`

Remove custom ACL calls. Add CanCan and some rules. Add bitmask_attribute 2011-11-15 20:05:08 +00:00			`# Registered user rights`
			`else`
			`# If rules goes one by one CanCan joins them by 'OR' sql operator`
			`can :read, Project, :visibility => 'open'`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00			`# User can read and edit his profile:`
			`can :manage, User, :id => user.id`
[refs #2249] CanCan rules update. Add admin role to relations. Change collaboratots edit logic and code 2011-11-18 18:26:22 +00:00			`can :manage_collaborators, Project do \|project\|`
			`project.relations.exists? :object_id => user.id, :object_type => 'User', :role => 'admin'`
			`end`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00
			`# If rule has multiple conditions CanCan joins them by 'AND' sql operator`
[refs #2249] CanCan rules update. Add admin role to relations. Change collaboratots edit logic and code 2011-11-18 18:26:22 +00:00			`can [:read, :update, :process_build, :build, :destroy], Project, :owner_type => 'User', :owner_id => user.id`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00			`#can :read, Project, :relations => {:role => 'read'}`
[refs #2249] CanCan rules update. Add admin role to relations. Change collaboratots edit logic and code 2011-11-18 18:26:22 +00:00			`can :read, Project, projects_in_relations_with(:role => 'read', :object_type => 'User', :object_id => user.id) do \|project\|`
			`#The can? and cannot? call cannot be used with a raw sql 'can' definition.`
			`project.relations.exists?(:role => 'read', :object_type => 'User', :object_id => user.id)`
			`end`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00			`#can [:update, :process_build, :build], Project, :relations => {:role => 'write'}`
[refs #2249] CanCan rules update. Add admin role to relations. Change collaboratots edit logic and code 2011-11-18 18:26:22 +00:00			`can [:read, :update, :process_build, :build], Project, projects_in_relations_with(:role => ['write', 'admin'], :object_type => 'User', :object_id => user.id) do \|project\|`
			`project.relations.exists?(:role => ['write', 'admin'], :object_type => 'User', :object_id => user.id)`
			`end`
[refs #2249] Remove bitmask. Add new rules. Add some authorize filters. Add some template can? helpers 2011-11-16 18:45:01 +00:00
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00			`can :read, Platform, :owner_type => 'User', :owner_id => user.id`
			`#can :read, Platform, :members => {:id => user.id}`
[refs #2249] CanCan rules update. Add admin role to relations. Change collaboratots edit logic and code 2011-11-18 18:26:22 +00:00			`can :read, Platform, platforms_in_relations_with(:role => 'read', :object_type => 'User', :object_id => user.id) do \|platform\|`
			`platform.relations.exists?(:role => 'read', :object_type => 'User', :object_id => user.id)`
			`end`
[refs #2249] Remove bitmask. Add new rules. Add some authorize filters. Add some template can? helpers 2011-11-16 18:45:01 +00:00
			`#can :read, Repository`
			`# TODO: Add personal repos rules`

			`# Same rights for groups:`
[refs #2249] CanCan rules update. Add admin role to relations. Change collaboratots edit logic and code 2011-11-18 18:26:22 +00:00			`can [:read, :update, :process_build, :build, :destroy], Project, :owner_type => 'Group', :owner_id => user.group_ids`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00			`#can :read, Project, :relations => {:role => 'read', :object_type => 'Group', :object_id => user.group_ids}`
[refs #2249] CanCan rules update. Add admin role to relations. Change collaboratots edit logic and code 2011-11-18 18:26:22 +00:00			`can :read, Project, projects_in_relations_with(:role => 'read', :object_type => 'Group', :object_id => user.group_ids) do \|project\|`
			`project.relations.exists?(:role => 'read', :object_type => 'Group', :object_id => user.group_ids)`
			`end`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00			`#can [:update, :process_build, :build], Project, :relations => {:role => 'write', :object_type => 'Group', :object_id => user.group_ids}`
[refs #2249] CanCan rules update. Add admin role to relations. Change collaboratots edit logic and code 2011-11-18 18:26:22 +00:00			`can [:read, :update, :process_build, :build], Project, projects_in_relations_with(:role => ['write', 'admin'], :object_type => 'Group', :object_id => user.group_ids) do \|project\|`
			`project.relations.exists?(:role => ['write', 'admin'], :object_type => 'Group', :object_id => user.group_ids)`
			`end`
[refs #2249] Remove bitmask. Add new rules. Add some authorize filters. Add some template can? helpers 2011-11-16 18:45:01 +00:00
			`can :manage, Platform, :owner_type => 'Group', :owner_id => user.group_ids`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00			`#can :read, Platform, :groups => {:id => user.group_ids}`
[refs #2249] CanCan rules update. Add admin role to relations. Change collaboratots edit logic and code 2011-11-18 18:26:22 +00:00			`can :read, Platform, platforms_in_relations_with(:role => 'read', :object_type => 'Group', :object_id => user.group_ids) do \|platform\|`
			`platform.relations.exists?(:role => 'read', :object_type => 'Group', :object_id => user.group_ids)`
			`end`
Remove custom ACL calls. Add CanCan and some rules. Add bitmask_attribute 2011-11-15 20:05:08 +00:00			`end`
			`end`
[refs #2249] Remove bitmask. Add new rules. Add some authorize filters. Add some template can? helpers 2011-11-16 18:45:01 +00:00
			`# Shared rights for all users (guests, registered, admin)`
			`cannot :destroy, Platform, :platform_type => 'personal'`
Remove custom ACL calls. Add CanCan and some rules. Add bitmask_attribute 2011-11-15 20:05:08 +00:00			`end`
[refs #2249] Add new rules. Fix joins trouble. Add new relations dynamic methods. 2011-11-17 19:34:02 +00:00
			`# Sub query for platforms, projects relations`
			`%w[platforms projects repositories].each do \|table_name\|`
			`define_method table_name + "_in_relations_with" do \|opts\|`
			`query = "#{ table_name }.id IN (SELECT target_id FROM relations WHERE relations.target_type = '#{ table_name.singularize.camelize }'"`
			`opts.each do \|key, value\|`
			`query = query + " AND relations.#{ key } #{ value.class == Array ? 'IN (?)' : '= ?' } "`
			`end`
			`query = query + ")"`

			`return opts.values.unshift query`
			`end`
			`end`

			`## Sub query for project relations`
			`#def projects_in_relations_with(opts={})`
			`# ["projects.id IN (SELECT target_id FROM relations WHERE relations.object_id #{ opts[:object_id].class == Array ? 'IN (?)' : '= ?' } AND relations.object_type = '#{ opts[:object_type] }' AND relations.target_type = 'Platform') AND relations.role", opts[:object_id]]`
			`#end`
Remove custom ACL calls. Add CanCan and some rules. Add bitmask_attribute 2011-11-15 20:05:08 +00:00			`end`