diff --git a/app/models/ability.rb b/app/models/ability.rb deleted file mode 100644 index e31059b20..000000000 --- a/app/models/ability.rb +++ /dev/null @@ -1,268 +0,0 @@ -# # If rules goes one by one CanCan joins them by 'OR' sql operator -# # If rule has multiple conditions CanCan joins them by 'AND' sql operator -# # WARNING: -# # - put cannot rules _after_ can rules and not before! -# # - beware inner joins. Use sub queries against them! -# -# class Ability -# include CanCan::Ability -# -# def initialize(user) -# user ||= User.new # guest user (not logged in) -# @user = user -# -# # Shared rights between guests and registered users -# can [:show, :archive, :read], Project, visibility: 'open' -# can :get_id, Project, visibility: 'open' # api -# can(:refs_list, Project) {|project| can? :show, project} -# can :read, Issue, project: { visibility: 'open' } -# can [:read, :commits, :files], PullRequest, to_project: {visibility: 'open'} -# can [:read, :log, :everything], BuildList, project: {visibility: 'open'} -# can [:read, :log], ProductBuildList#, product: {platform: {visibility: 'open'}} # double nested hash don't work -# can [:read, :search], Advisory -# can :read, Statistic -# -# # Platforms block -# can [:show, :members, :advisories], Platform, visibility: 'open' -# can :platforms_for_build, Platform, visibility: 'open', platform_type: 'main' -# can([:read, :get_list], MassBuild) {|mass_build| can?(:show, mass_build.save_to_platform) } -# can [:read, :projects_list, :projects], Repository, platform: {visibility: 'open'} -# can :read, Product, platform: {visibility: 'open'} -# -# can :show, Group -# can :show, User -# can :possible_forks, Project -# -# if user.guest? # Guest rights -# cannot :index, Project -# # can [:new, :create], RegisterRequest -# else # Registered user rights -# if user.admin? -# can :manage, :all -# # Protection -# cannot :approve, RegisterRequest, approved: true -# cannot :reject, RegisterRequest, rejected: true -# cannot [:destroy, :create], Subscribe -# # Act admin as simple user -# cannot :read, Product, platform: {platform_type: 'personal'} -# cannot [:owned, :related], [BuildList, Platform] -# cannot :membered, Project # list products which user members -# end -# -# if user.user? -# can :edit, User, id: user.id -# can [:read, :create], Group -# can [:update, :manage_members, :members, :add_member, :remove_member, :remove_members, :update_member], Group do |group| -# group.actors.exists?(actor_type: 'User', actor_id: user.id, role: 'admin') # or group.owner_id = user.id -# end -# can :write, Group do |group| -# group.actors.exists?(actor_type: 'User', actor_id: user.id, role: ['writer', 'admin']) -# end -# can :destroy, Group, owner_id: user.id -# can :remove_user, Group -# -# can :create, Project -# can([:mass_import, :run_mass_import], Project) if user.platforms.main.find{ |p| local_admin?(p) }.present? -# can :read, Project, visibility: 'open' -# can [:read, :archive, :membered, :get_id], Project, owner_type: 'User', owner_id: user.id -# can [:read, :archive, :membered, :get_id], Project, owner_type: 'Group', owner_id: user_group_ids -# # can([:read, :archive, :membered, :get_id], Project, read_relations_for('projects')) {|project| local_reader? project} -# can([:read, :archive, :membered, :get_id], Project, read_relations_with_projects) {|project| local_reader? project} -# can(:write, Project) {|project| local_writer? project} # for grack -# can [:update, :sections, :manage_collaborators, :autocomplete_maintainers, :add_member, :remove_member, :remove_members, :update_member, :members, :schedule], Project do |project| -# local_admin? project -# end -# -# can(:fork, Project) {|project| can? :read, project} -# can(:alias, Project) {|project| local_admin?(project) } -# -# can(:destroy, Project) {|project| owner? project} -# can(:destroy, Project) {|project| project.owner_type == 'Group' and project.owner.actors.exists?(actor_type: 'User', actor_id: user.id, role: 'admin')} -# can :remove_user, Project -# can :preview, Project -# -# can([:read, :create, :edit, :destroy, :update], Hook) {|hook| can?(:edit, hook.project)} -# -# can [:read, :log, :owned, :everything], BuildList, user_id: user.id -# can [:read, :log, :related, :everything], BuildList, project: {owner_type: 'User', owner_id: user.id} -# can [:read, :log, :related, :everything], BuildList, project: {owner_type: 'Group', owner_id: user_group_ids} -# # can([:read, :log, :everything, :list], BuildList, read_relations_for('build_lists', 'projects')) {|build_list| can? :read, build_list.project} -# # can([:read, :log, :everything, :list], BuildList, read_relations_for_build_lists_and_projects) {|build_list| can? :read, build_list.project} -# can([:read, :log, :everything, :list], BuildList, read_relations_with_projects('build_lists')) {|build_list| can? :read, build_list.project} -# -# can(:publish_into_testing, BuildList) { |build_list| ( can?(:create, build_list) || can?(:publish, build_list) ) && build_list.save_to_platform.main? } -# can([:create, :rerun_tests], BuildList) {|build_list| -# build_list.project.is_package && -# can?(:write, build_list.project) && -# (build_list.build_for_platform.blank? || can?(:show, build_list.build_for_platform)) -# } -# -# can(:publish, BuildList) do |build_list| -# if build_list.build_published? -# local_admin?(build_list.save_to_platform) || build_list.save_to_repository.members.exists?(id: user.id) -# else -# build_list.save_to_repository.publish_without_qa ? -# can?(:write, build_list.project) : local_admin?(build_list.save_to_platform) -# end -# end -# can(:create_container, BuildList) do |build_list| -# local_admin?(build_list.save_to_platform) -# end -# can(:reject_publish, BuildList) do |build_list| -# build_list.save_to_repository.publish_without_qa ? -# can?(:write, build_list.project) : local_admin?(build_list.save_to_platform) -# end -# can([:cancel, :create_container], BuildList) {|build_list| can?(:write, build_list.project)} -# -# can [:read, :owned, :related, :members], Platform, owner_type: 'User', owner_id: user.id -# can [:read, :related, :members], Platform, owner_type: 'Group', owner_id: user_group_ids -# can([:read, :related, :members], Platform, read_relations_for('platforms')) {|platform| local_reader? platform} -# can [:read, :related], Platform, id: user.repositories.pluck(:platform_id) -# can([:update, :destroy, :change_visibility], Platform) {|platform| owner?(platform) } -# can([:local_admin_manage, :members, :add_member, :remove_member, :remove_members, :remove_file] , Platform) {|platform| owner?(platform) || local_admin?(platform) } -# -# can([:create, :publish], MassBuild) {|mass_build| owner?(mass_build.save_to_platform) || local_admin?(mass_build.save_to_platform)} -# can(:cancel, MassBuild) {|mass_build| (owner?(mass_build.save_to_platform) || local_admin?(mass_build.save_to_platform)) && !mass_build.stop_build} -# -# can [:read, :projects_list, :projects], Repository, platform: {owner_type: 'User', owner_id: user.id} -# can [:read, :projects_list, :projects], Repository, platform: {owner_type: 'Group', owner_id: user_group_ids} -# can([:read, :projects_list, :projects], Repository, read_relations_for('repositories')) {|repository| can? :show, repository.platform} -# can([:read, :projects_list, :projects], Repository, read_relations_for('repositories', 'platforms')) {|repository| local_reader? repository.platform} -# can([:create, :edit, :update, :destroy, :projects_list, :projects, :add_project, :remove_project, :regenerate_metadata, :sync_lock_file, :add_repo_lock_file, :remove_repo_lock_file], Repository) {|repository| local_admin? repository.platform} -# can([:remove_member, :remove_members, :add_member, :signatures, :packages], Repository) {|repository| owner?(repository.platform) || local_admin?(repository.platform)} -# can([:add_project, :remove_project], Repository) {|repository| repository.members.exists?(id: user.id)} -# can(:clear, Platform) {|platform| owner?(platform) && platform.personal?} -# can(:regenerate_metadata, Platform) {|platform| owner?(platform) || local_admin?(platform)} -# can([:settings, :destroy, :edit, :update], Repository) {|repository| owner? repository.platform} -# -# can([:create, :destroy], KeyPair) {|key_pair| key_pair.repository.blank? || owner?(key_pair.repository.platform) || local_admin?(key_pair.repository.platform)} -# -# can([:read, :create, :withdraw], Token) {|token| local_admin?(token.subject)} -# -# can :read, Product, platform: {owner_type: 'User', owner_id: user.id, platform_type: 'main'} -# can :read, Product, platform: {owner_type: 'Group', owner_id: user_group_ids, platform_type: 'main'} -# can(:read, Product, read_relations_for('products', 'platforms')) {|product| product.platform.main?} -# can([:create, :update, :destroy, :clone], Product) {|product| local_admin? product.platform and product.platform.main?} -# -# can([:create, :cancel], ProductBuildList) {|pbl| can?(:write, pbl.project)} -# can([:create, :cancel, :update], ProductBuildList) {|pbl| can?(:update, pbl.product)} -# can(:destroy, ProductBuildList) {|pbl| can?(:destroy, pbl.product)} -# -# can :read, Issue, project: {owner_type: 'User', owner_id: user.id} -# can :read, Issue, project: {owner_type: 'Group', owner_id: user_group_ids} -# can(:read, Issue, read_relations_for('issues', 'projects')) {|issue| can? :read, issue.project rescue nil} -# can(:create, Issue) {|issue| can? :read, issue.project} -# can(:update, Issue) {|issue| issue.user_id == user.id or local_admin?(issue.project)} -# cannot :manage, Issue, project: {has_issues: false} # switch off issues -# -# can [:read, :commits, :files], PullRequest, to_project: {owner_type: 'User', owner_id: user.id} -# can [:read, :commits, :files], PullRequest, to_project: {owner_type: 'Group', owner_id: user_group_ids} -# can([:read, :commits, :files], PullRequest, read_relations_for('pull_requests', 'to_projects')) {|pull| can? :read, pull.to_project} -# can :create, PullRequest -# can(:update, PullRequest) {|pull| pull.user_id == user.id or local_writer?(pull.to_project)} -# can(:merge, PullRequest) {|pull| local_writer?(pull.to_project)} -# -# can([:create, :new_line], Comment) {|comment| can? :read, comment.project} -# can([:update, :destroy], Comment) {|comment| comment.user == user or comment.project.owner == user or local_admin?(comment.project)} -# cannot :manage, Comment do |c| -# c.commentable_type == 'Issue' && !c.project.has_issues && !c.commentable.pull_request # when switch off issues -# end -# end -# -# # Shared cannot rights for all users (registered, admin) -# cannot [:regenerate_metadata, :destroy], Platform, platform_type: 'personal' -# cannot [:create, :destroy], Repository, platform: {platform_type: 'personal'}, name: 'main' -# cannot [:packages], Repository, platform: {platform_type: 'personal'} -# cannot [:remove_member, :remove_members, :add_member, :sync_lock_file, :add_repo_lock_file, :remove_repo_lock_file], Repository, platform: {platform_type: 'personal'} -# -# cannot :clear, Platform, platform_type: 'main' -# cannot :destroy, Issue -# -# cannot [:members, :add_member, :remove_member, :remove_members], Platform, platform_type: 'personal' -# -# cannot [:create, :update, :destroy, :clone], Product, platform: {platform_type: 'personal'} -# cannot [:clone], Platform, platform_type: 'personal' -# -# cannot [:publish, :publish_into_testing], BuildList, new_core: false -# cannot :create_container, BuildList, new_core: false -# cannot(:publish, BuildList) {|build_list| !build_list.can_publish? } -# cannot(:publish_into_testing, BuildList) {|build_list| !build_list.can_publish_into_testing? } -# cannot :publish_into_testing, BuildList, save_to_platform: {platform_type: 'personal'} -# -# cannot(:cancel, MassBuild) {|mass_build| mass_build.stop_build} -# -# if @user.system? -# can %i(key_pair add_repo_lock_file remove_repo_lock_file), Repository -# else -# cannot :key_pair, Repository -# end -# -# can :create, Subscribe do |subscribe| -# !subscribe.subscribeable.subscribes.exists?(user_id: user.id) -# end -# can :destroy, Subscribe do |subscribe| -# subscribe.subscribeable.subscribes.exists?(user_id: user.id) && user.id == subscribe.user_id -# end -# end -# end -# -# def read_relations_for(table, parent = nil) -# key = parent ? "#{parent.singularize}_id" : 'id' -# parent ||= table -# -# ["#{table}.#{key} = ANY ( -# ARRAY ( -# SELECT target_id -# FROM relations -# WHERE relations.target_type = ? AND -# (relations.actor_type = 'User' AND relations.actor_id = ? OR -# relations.actor_type = 'Group' AND relations.actor_id IN (?)) -# ) -# )", parent.classify, @user, user_group_ids -# ] -# end -# -# def read_relations_with_projects(table = 'projects') -# key = table == 'projects' ? 'id' : 'project_id' -# ["#{table}.#{key} = ANY ( -# ARRAY ( -# SELECT target_id -# FROM relations -# INNER JOIN projects ON projects.id = relations.target_id -# WHERE relations.target_type = 'Project' AND -# ( -# projects.owner_type = 'User' AND projects.owner_id != :user OR -# projects.owner_type = 'Group' AND projects.owner_id NOT IN (:groups) -# ) AND ( -# relations.actor_type = 'User' AND relations.actor_id = :user OR -# relations.actor_type = 'Group' AND relations.actor_id IN (:groups) -# ) -# ) -# )", { user: @user, groups: user_group_ids } -# ] -# end -# -# def local_reader?(target) -# %w{reader writer admin}.include? @user.best_role(target) -# end -# -# def local_writer?(target) -# %w{writer admin}.include? @user.best_role(target) -# end -# -# def local_admin?(target) -# @user.best_role(target) == 'admin' -# end -# -# def owner?(target) -# target.owner == @user or user_own_groups.include?(target.owner) -# end -# -# def user_own_groups -# @user_own_groups ||= @user.own_groups -# end -# -# def user_group_ids -# @user_group_ids ||= @user.group_ids -# end -# end diff --git a/spec/models/cancan_spec.rb b/spec/models/cancan_spec.rb deleted file mode 100644 index 58fabf1d2..000000000 --- a/spec/models/cancan_spec.rb +++ /dev/null @@ -1,360 +0,0 @@ -# require 'spec_helper' -# require "cancan/matchers" -# -# def admin_create -# @admin = FactoryGirl.create(:admin) -# @ability = Ability.new(@admin) -# end -# -# def user_create -# @user = FactoryGirl.create(:user) -# @ability = Ability.new(@user) -# end -# -# def guest_create -# @ability = Ability.new(User.new) -# end -# -# describe CanCan do -# let(:open_platform) { FactoryGirl.create(:platform, visibility: 'open') } -# -# before(:each) do -# stub_symlink_methods -# end -# -# context 'Site admin' do -# let(:personal_platform) { FactoryGirl.create(:platform, platform_type: 'personal') } -# let(:personal_repository_main) { FactoryGirl.create(:personal_repository, name: 'main') } -# let(:personal_repository) { FactoryGirl.create(:personal_repository) } -# before(:each) do -# admin_create -# end -# -# it 'should manage all' do -# #(@ability.can? :manage, :all).should be_truthy -# @ability.should be_able_to(:manage, :all) -# end -# -# it 'should not be able to destroy personal platforms' do -# @ability.should_not be_able_to(:destroy, personal_platform) -# end -# -# it 'should not be able to destroy personal repositories with name "main"' do -# @ability.should_not be_able_to(:destroy, personal_repository_main) -# end -# it 'should be able to destroy personal repositories with name not "main"' do -# @ability.should be_able_to(:destroy, personal_repository) -# end -# end -# -# context 'Site guest' do -# let(:register_request) { FactoryGirl.create(:register_request) } -# -# before(:each) do -# guest_create -# end -# -# it 'should not be able to read open platform' do -# @ability.should_not be_able_to(:read, open_platform) -# end -# -# [:publish, :cancel, :reject_publish, :create_container].each do |action| -# it "should not be able to #{ action } build list" do -# @ability.should_not be_able_to(action, BuildList) -# end -# end -# -# [:mass_import, :run_mass_import].each do |action| -# it "should not be able to #{ action } project" do -# @ability.should_not be_able_to(action, Project) -# end -# end -# -# it 'should not be able to update register request' do -# @ability.should_not be_able_to(:update, register_request) -# end -# -# it 'should not be able to list register requests' do -# @ability.should_not be_able_to(:read, register_request) -# end -# -# it 'should not be able to destroy register requests' do -# @ability.should_not be_able_to(:destroy, register_request) -# end -# -# pending 'should be able to register new user' do # while self registration is closed -# @ability.should be_able_to(:create, User) -# end -# end -# -# context 'Site user' do -# before(:each) do -# user_create -# end -# -# [Platform, Repository].each do |model_name| -# it "should be able to read #{model_name}" do -# @ability.should be_able_to(:read, model_name) -# end -# end -# -# [:mass_import, :run_mass_import].each do |action| -# it "should not be able to #{ action } project" do -# @ability.should_not be_able_to(action, Project) -# end -# end -# -# it "shoud be able to show user profile" do -# @ability.should be_able_to(:show, User) -# end -# -# it "shoud be able to read another user object" do -# admin_create -# @ability.should be_able_to(:read, @admin) -# end -# -# it "shoud be able to read open projects" do -# @project = FactoryGirl.create(:project, visibility: 'open') -# @ability.should be_able_to(:read, @project) -# end -# -# it 'should be able to see open platform' do -# @ability.should be_able_to(:show, open_platform) -# end -# -# it "shoud be able to create project" do -# @ability.should be_able_to(:create, Project) -# end -# -# it "should not be able to manage register requests" do -# @ability.should_not be_able_to(:manage, RegisterRequest) -# end -# -# context 'as project collaborator' do -# before(:each) do -# @project = FactoryGirl.create(:project_with_commit) -# @issue = FactoryGirl.create(:issue, project_id: @project.id) -# end -# -# context 'with read rights' do -# before(:each) do -# create_relation(@project, @user, 'reader') -# end -# -# it 'should be able to read project' do -# @ability.should be_able_to(:read, @project) -# end -# -# it 'should be able to read issue' do -# @ability.should be_able_to(:read, @issue) -# end -# end -# -# context 'with writer rights' do -# before(:each) do -# create_relation(@project, @user, 'writer') -# end -# -# [:read, :create, :new].each do |action| -# it "should be able to #{ action } project" do -# @ability.should be_able_to(action, @project) -# end -# end -# -# [:new, :create].each do |action| -# it "should be able to #{action} build_list" do -# @build_list = FactoryGirl.create(:build_list_with_attaching_project, project: @project) -# @ability.should be_able_to(action, @build_list) -# end -# end -# end -# -# context 'with admin rights' do -# before(:each) do -# create_relation(@project, @user, 'admin') -# end -# -# [:read, :update].each do |action| -# it "should be able to #{ action } project" do -# @ability.should be_able_to(action, @project) -# end -# end -# -# [:new, :create].each do |action| -# it "should be able to #{action} build_list" do -# @build_list = FactoryGirl.create(:build_list_with_attaching_project, project: @project) -# @ability.should be_able_to(action, @build_list) -# end -# end -# -# it "should be able to manage collaborators of project" do -# @ability.should be_able_to(:manage_collaborators, @project) -# end -# -# [:read, :create, :new, :update, :edit].each do |action| -# it "should be able to #{ action } issue" do -# @ability.should be_able_to(action, @issue) -# end -# end -# end -# -# context 'with owner rights' do -# before(:each) do -# @project = FactoryGirl.create(:project_with_commit, owner: @user) -# @issue = FactoryGirl.create(:issue, project_id: @project.id) -# end -# -# [:read, :update, :destroy].each do |action| -# it "should be able to #{ action } project" do -# @ability.should be_able_to(action, @project) -# end -# end -# -# [:new, :create].each do |action| -# it "should be able to #{action} build_list" do -# @build_list = FactoryGirl.create(:build_list_with_attaching_project, project: @project) -# @ability.should be_able_to(action, @build_list) -# end -# end -# -# [:read, :update, :edit].each do |action| -# it "should be able to #{ action } issue" do -# @ability.should be_able_to(action, @issue) -# end -# end -# end -# -# context 'through group-member' do -# before(:each) do -# @group_member = FactoryGirl.create(:group) -# create_relation(@project, @group_member, 'reader') -# @group_member_ability = Ability.new(@group_member.owner) -# end -# -# it 'should be able to read open project' do -# @group_member_ability.should be_able_to(:read, @project) -# end -# -# it 'should be able to read closed project' do -# @project.update_attribute :visibility, 'hidden' -# @group_member_ability.should be_able_to(:read, @project) -# end -# -# it 'should include hidden project in list' do -# @project.update_attribute :visibility, 'hidden' -# Project.accessible_by(@group_member_ability, :show).where(projects: {id: @project.id}).count.should == 1 -# end -# end -# end -# -# context 'platform relations' do -# before(:each) do -# @platform = FactoryGirl.create(:platform) -# end -# -# context 'with owner rights' do -# before(:each) do -# @platform.owner = @user -# @platform.save -# @ability = Ability.new(@user) -# end -# -# [:mass_import, :run_mass_import].each do |action| -# it "should be able to #{ action } project" do -# @ability.should be_able_to(action, Project) -# end -# end -# -# [:read, :update, :destroy, :change_visibility].each do |action| -# it "should be able to #{action} platform" do -# @ability.should be_able_to(action, @platform) -# end -# end -# end -# -# context 'with read rights' do -# before(:each) do -# create_relation(@platform, @user, 'reader') -# @ability = Ability.new(@user) -# end -# -# [:mass_import, :run_mass_import].each do |action| -# it "should not be able to #{ action } project" do -# @ability.should_not be_able_to(action, Project) -# end -# end -# -# it "should be able to read platform" do -# @ability.should be_able_to(:read, @platform) -# end -# end -# end -# -# context 'repository relations' do -# before(:each) do -# @repository = FactoryGirl.create(:repository) -# end -# -# context 'with owner rights' do -# before(:each) do -# @repository.platform.owner = @user -# @repository.platform.save -# end -# -# [:read, :create, :update, :destroy, :add_project, :remove_project, :settings].each do |action| -# it "should be able to #{action} repository" do -# @ability.should be_able_to(action, @repository) -# end -# end -# end -# -# context 'with read rights' do -# before(:each) do -# create_relation(@repository.platform, @user, 'reader') -# end -# -# it "should be able to read repository" do -# @ability.should be_able_to(:read, @repository) -# end -# end -# end # 'repository relations' -# -# context 'product build list relations' do -# let(:product_build_list) { FactoryGirl.create(:product_build_list) } -# -# before { FactoryGirl.create(:arch, name: 'x86_64') } -# -# context 'with platform admin rights' do -# before do -# product_build_list.product.platform.owner = @user -# product_build_list.product.platform.save -# end -# -# [:read, :create, :update, :destroy, :log, :cancel].each do |action| -# it "should be able to #{action} product build list" do -# @ability.should be_able_to(action, product_build_list) -# end -# end -# end -# -# context 'with project writer rights' do -# before do -# create_relation(product_build_list.project, @user, 'writer') -# end -# -# [:read, :create, :log, :cancel].each do |action| -# it "should be able to #{action} product build list" do -# @ability.should be_able_to(action, product_build_list) -# end -# end -# -# [:update, :destroy].each do |action| -# it "should not be able to #{action} product build list" do -# @ability.should_not be_able_to(action, product_build_list) -# end -# end -# end -# end # 'product build list relations' -# -# end # 'Site user' -# end