From 827936a06ca131cde6e2f9073e077020aab2b81a Mon Sep 17 00:00:00 2001 From: "konstantin.grabar" Date: Wed, 16 Nov 2011 00:05:08 +0400 Subject: [PATCH] Remove custom ACL calls. Add CanCan and some rules. Add bitmask_attribute --- Gemfile | 3 +- Gemfile.lock | 5 +++ app/controllers/application_controller.rb | 5 +++ .../auto_build_lists_controller.rb | 2 +- app/controllers/build_lists_controller.rb | 8 ++--- app/controllers/categories_controller.rb | 14 ++++----- app/controllers/collaborators_controller.rb | 6 ++-- app/controllers/containers_controller.rb | 2 +- app/controllers/downloads_controller.rb | 2 +- app/controllers/event_logs_controller.rb | 2 +- app/controllers/groups_controller.rb | 10 +++--- .../personal_repositories_controller.rb | 10 +++--- app/controllers/platforms_controller.rb | 23 +++++++------- app/controllers/private_users_controller.rb | 4 +-- .../product_build_lists_controller.rb | 4 +-- app/controllers/products_controller.rb | 22 ++++++------- app/controllers/projects_controller.rb | 20 +++++++----- app/controllers/repositories_controller.rb | 10 +++--- app/controllers/roles_controller.rb | 2 +- app/controllers/rpc_controller.rb | 2 +- app/controllers/users_controller.rb | 2 +- app/models/ability.rb | 31 +++++++++++++++++++ app/models/relation.rb | 2 ++ app/models/user.rb | 8 +++++ 24 files changed, 128 insertions(+), 71 deletions(-) create mode 100644 app/models/ability.rb diff --git a/Gemfile b/Gemfile index 7d88f31ad..04af7b105 100644 --- a/Gemfile +++ b/Gemfile @@ -8,7 +8,8 @@ gem 'silent-postgres', '~> 0.1.1' gem 'devise', '~> 1.4.8' gem 'omniauth', '~> 0.3.2' gem 'oa-openid', '~> 0.3.2', :require => 'omniauth/openid' -# gem 'cancan', '~> 1.6.7' +gem 'cancan', '~> 1.6.7' +gem 'bitmask_attributes' gem "haml-rails", '~> 0.3.4' gem "compass", '~> 0.11.5' diff --git a/Gemfile.lock b/Gemfile.lock index 328c1479e..b96ba3aeb 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
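Review bot: `gem 'bitmask_attributes'` is added without a version constraint while every neighbouring gem in this hunk is pinned with `~>`; Gemfile.lock resolves it to 0.2.3, so the next `bundle update` is free to pull any later release, including an incompatible major. `gem 'bitmask_attributes', '~> 0.2.3'` keeps it in step with the lock and with the `cancan` line directly above it.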
@@ -56,7 +56,10 @@ GEM activerecord (>= 2.2.2) arel (2.0.10) bcrypt-ruby (3.0.1) + bitmask_attributes (0.2.3) + activerecord (~> 3.0) builder (2.1.2) + cancan (1.6.7) capistrano (2.9.0) highline net-scp (>= 1.0.0) @@ -273,6 +276,8 @@ PLATFORMS DEPENDENCIES airbrake! ancestry (~> 1.2.4) + bitmask_attributes + cancan (~> 1.6.7) capistrano capistrano-ext capistrano_colors diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 3a8d902c4..e3b9d64e7 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -8,6 +8,11 @@ class ApplicationController < ActionController::Base after_filter lambda { EventLog.current_controller = nil } helper_method :get_owner + + rescue_from CanCan::AccessDenied do |exception| + redirect_to root_url, :alert => exception.message + end + protected def get_owner params['user_id'] && User.find_by_id(params['user_id']) || diff --git a/app/controllers/auto_build_lists_controller.rb b/app/controllers/auto_build_lists_controller.rb index bdd6aa507..70e7c9d39 100644 --- a/app/controllers/auto_build_lists_controller.rb +++ b/app/controllers/auto_build_lists_controller.rb @@ -1,6 +1,6 @@ class AutoBuildListsController < ApplicationController before_filter :authenticate_user!, :except => :auto_build - before_filter :check_global_access + #before_filter :check_global_access def index projects = Project.where(:owner_id => current_user.id, :owner_type => 'User') diff --git a/app/controllers/build_lists_controller.rb b/app/controllers/build_lists_controller.rb index b9e6a41fa..22768acd9 100644 --- a/app/controllers/build_lists_controller.rb +++ b/app/controllers/build_lists_controller.rb 
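Review bot: `rescue_from CanCan::AccessDenied` is the only run-time authorization code this patch adds, and nothing in the patch can raise it: no controller calls `authorize!` or `load_and_authorize_resource`, and the `check_authorization` and `authorize_resource` lines in projects_controller are committed as comments. Meanwhile every `before_filter :check_global_access` and `can_perform?` call is commented out rather than replaced — in auto_build_lists, build_lists, categories, collaborators, containers, downloads, event_logs, groups, personal_repositories, platforms, private_users, product_build_lists, products, projects, repositories, roles, rpc and users — so actions such as `PlatformsController#destroy`, `ProjectsController#destroy`, `GroupsController#update` and `RepositoriesController#add_project` are now guarded only by `authenticate_user!`, and the `:except => [:destroy]` carve-out in private_users no longer means anything either. Until each controller gets its `load_and_authorize_resource`, keep the old checks in place, and add `check_authorization` here so that a forgotten `authorize!` fails closed instead of open. Note also that `RpcController` (`exposes_xmlrpc_methods`) would receive an HTML redirect from this handler; an XML-RPC fault or a plain 403 is the appropriate reply for that controller.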
@@ -5,7 +5,7 @@ class BuildListsController < ApplicationController before_filter :find_arches, :only => [:index, :filter, :all] before_filter :find_project_versions, :only => [:index, :filter] before_filter :find_build_list_by_bs, :only => [:status_build, :pre_build, :post_build] - before_filter :check_global_access, :except => [:status_build, :post_build, :pre_build, :circle_build, :new_bbdt, :show, :publish, :cancel] + #before_filter :check_global_access, :except => [:status_build, :post_build, :pre_build, :circle_build, :new_bbdt, :show, :publish, :cancel] def all if params[:filter] @@ -24,7 +24,7 @@ class BuildListsController < ApplicationController def cancel build_list = BuildList.find(params[:id]) - can_perform? build_list.project if build_list + #can_perform? build_list.project if build_list if build_list.delete_build_list redirect_to :back, :notice => t('layout.build_lists.cancel_successed') else @@ -47,13 +47,13 @@ class BuildListsController < ApplicationController end def show - can_perform? @project + #can_perform? @project @build_list = @project.build_lists.find(params[:id]) @item_groups = @build_list.items.group_by_level end def publish - can_perform? @project if @project + #can_perform? @project if @project @build_list = @project.build_lists.find(params[:id]) @build_list.publish diff --git a/app/controllers/categories_controller.rb b/app/controllers/categories_controller.rb index 3a2f39f52..9cdc2202a 100644 --- a/app/controllers/categories_controller.rb +++ b/app/controllers/categories_controller.rb @@ -3,7 +3,7 @@ class CategoriesController < ApplicationController before_filter :find_category, :only => [:show, :edit, :update, :destroy] before_filter :find_platform, :only => [:show, :index] - before_filter :check_global_access, :only => [:platforms, :new, :create] + #before_filter :check_global_access, :only => [:platforms, :new, :create] def platforms @all_platforms = Platform.all 
@@ -16,7 +16,7 @@ class CategoriesController < ApplicationController def index if @platform - can_perform? @platform + #can_perform? @platform @categories = Category.select('categories.id, categories.name, categories.ancestry, count(projects.id) projects_count'). joins(:projects => :repositories).where('repositories.platform_id = ?', @platform.id). having('projects_count > 0').group('categories.id, categories.name, categories.ancestry, projects_count').default_order @@ -27,8 +27,8 @@ class CategoriesController < ApplicationController end def show - can_perform? @platform if @platform - can_perform? @category if @category + #can_perform? @platform if @platform + #can_perform? @category if @category @projects = @category.projects @projects = @projects.joins(:repositories).where("repositories.platform_id = ?", @platform.id) if @platform @@ -40,11 +40,11 @@ class CategoriesController < ApplicationController end def edit - can_perform? @category if @category + #can_perform? @category if @category end def destroy - can_perform? @category if @category + #can_perform? @category if @category @category.destroy flash[:notice] = t("flash.category.destroyed") redirect_to categories_path @@ -62,7 +62,7 @@ class CategoriesController < ApplicationController end def update - can_perform? @category if @category + #can_perform? @category if @category if @category.update_attributes(params[:category]) flash[:notice] = t('flash.category.saved') redirect_to categories_path diff --git a/app/controllers/collaborators_controller.rb b/app/controllers/collaborators_controller.rb index 585417c57..2c4ff4640 100644 --- a/app/controllers/collaborators_controller.rb +++ b/app/controllers/collaborators_controller.rb @@ -10,7 +10,7 @@ class CollaboratorsController < ApplicationController before_filter :find_groups def index - can_perform? @project if @project + #can_perform? @project if @project redirect_to edit_project_collaborators_path(@project) end 
@@ -21,7 +21,7 @@ class CollaboratorsController < ApplicationController end def edit - can_perform? @project if @project + #can_perform? @project if @project if params[:id] @user = User.find params[:id] render :edit_rights and return @@ -32,7 +32,7 @@ class CollaboratorsController < ApplicationController end def update - can_perform? @project if @project + #can_perform? @project if @project unless params[:id] if params[:user] users_for_removing = @project.collaborators.select do |u| diff --git a/app/controllers/containers_controller.rb b/app/controllers/containers_controller.rb index 09e3cae81..80c58816e 100644 --- a/app/controllers/containers_controller.rb +++ b/app/controllers/containers_controller.rb @@ -1,3 +1,3 @@ class ContainersController < ApplicationController - before_filter :check_global_access + #before_filter :check_global_access end diff --git a/app/controllers/downloads_controller.rb b/app/controllers/downloads_controller.rb index 4a79836e0..6a69869c3 100644 --- a/app/controllers/downloads_controller.rb +++ b/app/controllers/downloads_controller.rb @@ -1,6 +1,6 @@ class DownloadsController < ApplicationController before_filter :authenticate_user! - before_filter :check_global_access, :except => [:test_sudo] + #before_filter :check_global_access, :except => [:test_sudo] def index @downloads = Download.paginate :page => params[:page], :per_page => 30 diff --git a/app/controllers/event_logs_controller.rb b/app/controllers/event_logs_controller.rb index a9554b82b..bd11ca1c1 100644 --- a/app/controllers/event_logs_controller.rb +++ b/app/controllers/event_logs_controller.rb @@ -1,7 +1,7 @@ # coding: UTF-8 class EventLogsController < ApplicationController before_filter :authenticate_user! - before_filter :check_global_access + #before_filter :check_global_access def index @event_logs = EventLog.default_order.eager_loading.paginate :page => params[:page] 
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb index 2eca345ac..0c0d152f6 100644 --- a/app/controllers/groups_controller.rb +++ b/app/controllers/groups_controller.rb @@ -2,14 +2,14 @@ class GroupsController < ApplicationController before_filter :authenticate_user! before_filter :find_group, :only => [:show, :edit, :update, :destroy] - before_filter :check_global_access, :only => [:index, :new, :create] + #before_filter :check_global_access, :only => [:index, :new, :create] def index @groups = Group.paginate(:page => params[:group_page]) end def show - can_perform? @group if @group + #can_perform? @group if @group @platforms = @group.platforms.paginate(:page => params[:platform_page], :per_page => 10) @repositories = @group.repositories.paginate(:page => params[:repository_page], :per_page => 10) @projects = @group.projects.paginate(:page => params[:project_page], :per_page => 10) @@ -20,7 +20,7 @@ class GroupsController < ApplicationController end def edit - can_perform? @group if @group + #can_perform? @group if @group end def create @@ -37,7 +37,7 @@ class GroupsController < ApplicationController end def update - can_perform? @group if @group + #can_perform? @group if @group if @group.update_attributes(params[:group]) flash[:notice] = t('flash.group.saved') redirect_to groups_path @@ -48,7 +48,7 @@ class GroupsController < ApplicationController end def destroy - can_perform? @group if @group + #can_perform? @group if @group @group.destroy flash[:notice] = t("flash.group.destroyed") redirect_to groups_path diff --git a/app/controllers/personal_repositories_controller.rb b/app/controllers/personal_repositories_controller.rb index e75d8fb79..c6cad8898 100644 --- a/app/controllers/personal_repositories_controller.rb +++ b/app/controllers/personal_repositories_controller.rb 
@@ -5,7 +5,7 @@ class PersonalRepositoriesController < ApplicationController #before_filter :check_global_access def show - can_perform? @repository if @repository + #can_perform? @repository if @repository if params[:query] @projects = @repository.projects.recent.by_name(params[:query]).paginate :page => params[:project_page], :per_page => 30 else @@ -16,18 +16,18 @@ class PersonalRepositoriesController < ApplicationController end def change_visibility - can_perform? @repository if @repository + #can_perform? @repository if @repository @repository.platform.change_visibility redirect_to settings_personal_repository_path(@repository) end def settings - can_perform? @repository if @repository + #can_perform? @repository if @repository end def add_project - can_perform? @repository if @repository + #can_perform? @repository if @repository if params[:project_id] @project = Project.find(params[:project_id]) # params[:project_id] = nil @@ -45,7 +45,7 @@ class PersonalRepositoriesController < ApplicationController end def remove_project - can_perform? @repository if @repository + #can_perform? @repository if @repository @project = Project.find(params[:project_id]) ProjectToRepository.where(:project_id => @project.id, :repository_id => @repository.id).destroy_all redirect_to personal_repository_path(@repository), :notice => t('flash.repository.project_removed') diff --git a/app/controllers/platforms_controller.rb b/app/controllers/platforms_controller.rb index 5850dd4ad..7f8c2567c 100644 --- a/app/controllers/platforms_controller.rb +++ b/app/controllers/platforms_controller.rb 
@@ -3,10 +3,11 @@ class PlatformsController < ApplicationController before_filter :authenticate_user!, :except => :easy_urpmi before_filter :find_platform, :only => [:freeze, :unfreeze, :clone, :edit, :destroy] before_filter :get_paths, :only => [:new, :create, :clone] - before_filter :check_global_access, :only => [:index, :new, :create]#:except => :easy_urpmi + #before_filter :check_global_access, :only => [:index, :new, :create]#:except => :easy_urpmi def index - @platforms = Platform.visible_to(current_user).paginate(:page => params[:platform_page]) + #@platforms = Platform.visible_to(current_user).paginate(:page => params[:platform_page]) + @platforms = Platform.accessible_by(current_ability).paginate(:page => params[:platform_page]) end def easy_urpmi @@ -27,19 +28,19 @@ class PlatformsController < ApplicationController def show @platform = Platform.find params[:id], :include => :repositories - can_perform? @platform if @platform + #can_perform? @platform if @platform @repositories = @platform.repositories @members = @platform.members.uniq end def new - @platforms = Platform.visible_to current_user + #@platforms = Platform.visible_to current_user @platform = Platform.new end def edit - can_perform? @platform if @platform - @platforms = Platform.visible_to current_user + #can_perform? @platform if @platform + #@platforms = Platform.visible_to current_user end def create @@ -52,13 +53,13 @@ class PlatformsController < ApplicationController redirect_to @platform else flash[:error] = I18n.t("flash.platform.saved_error") - @platforms = Platform.visible_to current_user + #@platforms = Platform.visible_to current_user render :action => :new end end def freeze - can_perform? @platform if @platform + #can_perform? @platform if @platform @platform.released = true if @platform.save flash[:notice] = I18n.t("flash.platform.freezed") 
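Review bot: `new`, `edit` and the failed-save branch of `create` now leave `@platforms` nil, because the `Platform.visible_to current_user` assignments are commented out with no replacement while only `index` gets `Platform.accessible_by(current_ability)`; if the `new`/`edit` templates iterate `@platforms` (a parent-platform selector is the likely consumer, not verifiable from this hunk), those pages will raise on nil. If the views still need it, assigning `@platforms = Platform.accessible_by(current_ability)` in the same three places keeps them aligned with `index`; if they do not, delete the commented lines rather than leaving dead assignments behind.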
@@ -70,7 +71,7 @@ class PlatformsController < ApplicationController end def unfreeze - can_perform? @platform if @platform + #can_perform? @platform if @platform @platform.released = false if @platform.save flash[:notice] = I18n.t("flash.platform.unfreezed") @@ -82,7 +83,7 @@ class PlatformsController < ApplicationController end def clone - can_perform? @platform if @platform + #can_perform? @platform if @platform if request.post? @cloned = @platform.make_clone(:name => params[:platform]['name'], :unixname => params[:platform]['unixname'], :owner_id => current_user.id, :owner_type => current_user.class.to_s) @@ -100,7 +101,7 @@ class PlatformsController < ApplicationController end def destroy - can_perform? @platform if @platform + #can_perform? @platform if @platform @platform.destroy if @platform flash[:notice] = t("flash.platform.destroyed") diff --git a/app/controllers/private_users_controller.rb b/app/controllers/private_users_controller.rb index d9f5278b9..0cd9e9331 100644 --- a/app/controllers/private_users_controller.rb +++ b/app/controllers/private_users_controller.rb @@ -1,6 +1,6 @@ class PrivateUsersController < ApplicationController before_filter :authenticate_user! - before_filter :check_global_access, :except => [:destroy] + #before_filter :check_global_access, :except => [:destroy] before_filter :find_platform_and_private_users def index @@ -20,7 +20,7 @@ class PrivateUsersController < ApplicationController #def destroy # user = PrivateUser.find(params[:id]) - # can_perform? user if user + # #can_perform? user if user # user.destroy # redirect_to platform_private_users_path(params[:platform_id]) #end diff --git a/app/controllers/product_build_lists_controller.rb b/app/controllers/product_build_lists_controller.rb index 930de3df1..be3456de8 100644 --- a/app/controllers/product_build_lists_controller.rb +++ b/app/controllers/product_build_lists_controller.rb 
@@ -3,13 +3,13 @@ class ProductBuildListsController < ApplicationController before_filter :find_product_build_list, :only => [:status_build] before_filter :find_product, :except => [:status_build] before_filter :find_platform, :except => [:status_build] - before_filter :check_global_access, :except => [:status_build] + #before_filter :check_global_access, :except => [:status_build] # def index # end def create - can_perform? @product # if @product + #can_perform? @product # if @product @product.product_build_lists.create! :base_url => "http://#{request.host_with_port}", :notified_at => Time.current flash[:notice] = t('flash.product.build_started') redirect_to [@platform, @product] diff --git a/app/controllers/products_controller.rb b/app/controllers/products_controller.rb index eb810378b..91d20f38e 100644 --- a/app/controllers/products_controller.rb +++ b/app/controllers/products_controller.rb @@ -2,7 +2,7 @@ class ProductsController < ApplicationController before_filter :authenticate_user! before_filter :find_product, :only => [:show, :edit, :update, :destroy] before_filter :find_platform - before_filter :check_global_access, :only => [:new, :create] + #before_filter :check_global_access, :only => [:new, :create] def new @product = @platform.products.new @@ -13,7 +13,7 @@ class ProductsController < ApplicationController end # def clone - # can_perform? @platform if @platform + # #can_perform? @platform if @platform # @template = @platform.products.find(params[:id]) # @product = @platform.products.new # @product.clone_from!(@template) @@ -22,12 +22,12 @@ class ProductsController < ApplicationController # end def edit - can_perform? @product if @product - can_perform? @platform if @platform + #can_perform? @product if @product + #can_perform? @platform if @platform end def create - can_perform? @platform if @platform + #can_perform? @platform if @platform @product = @platform.products.new params[:product] if @product.save flash[:notice] = t('flash.product.saved') 
@@ -39,8 +39,8 @@ class ProductsController < ApplicationController end def update - can_perform? @platform if @platform - can_perform? @product if @product + #can_perform? @platform if @platform + #can_perform? @product if @product if @product.update_attributes(params[:product]) flash[:notice] = t('flash.product.saved') redirect_to @platform @@ -51,13 +51,13 @@ class ProductsController < ApplicationController end def show - can_perform? @platform if @platform - can_perform? @product if @product + #can_perform? @platform if @platform + #can_perform? @product if @product end def destroy - can_perform? @platform if @platform - can_perform? @product if @product + #can_perform? @platform if @platform + #can_perform? @product if @product @product.destroy flash[:notice] = t("flash.product.destroyed") redirect_to @platform diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 6b13c837c..87ad9d0d1 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb 
@@ -2,13 +2,17 @@ class ProjectsController < ApplicationController before_filter :authenticate_user!, :except => :auto_build before_filter :find_project, :only => [:show, :edit, :update, :destroy, :build, :process_build] before_filter :get_paths, :only => [:new, :create, :edit, :update] - before_filter :check_global_access, :only => [:index, :new, :create]#:except => :auto_build + #before_filter :check_global_access, :only => [:index, :new, :create]#:except => :auto_build + #check_authorization + #authorize_resource def index if params[:query] - @projects = Project.visible_to(current_user).where(:name => params[:query]).paginate(:page => params[:project_page]) + #@projects = Project.visible_to(current_user).where(:name => params[:query]).paginate(:page => params[:project_page]) + @projects = Project.accessible_by(current_ability).where(:name => params[:query]).paginate(:page => params[:project_page]) else - @projects = Project.visible_to(current_user).paginate(:page => params[:project_page]) + #@projects = Project.visible_to(current_user).paginate(:page => params[:project_page]) + @projects = Project.accessible_by(current_ability).paginate(:page => params[:project_page]) end @own_projects = current_user.own_projects @@ -16,7 +20,7 @@ class ProjectsController < ApplicationController end def show - can_perform? @project if @project + #can_perform? @project if @project @current_build_lists = @project.build_lists.current.recent.paginate :page => params[:page] end @@ -25,7 +29,7 @@ class ProjectsController < ApplicationController end def edit - can_perform? @project if @project + #can_perform? @project if @project end def create @@ -43,7 +47,7 @@ class ProjectsController < ApplicationController end def update - can_perform? @project if @project + #can_perform? @project if @project if @project.update_attributes(params[:project]) flash[:notice] = t('flash.project.saved') redirect_to @project 
@@ -54,7 +58,7 @@ class ProjectsController < ApplicationController end def destroy - can_perform? @project if @project + #can_perform? @project if @project @project.destroy flash[:notice] = t("flash.project.destroyed") redirect_to @project.owner @@ -91,7 +95,7 @@ class ProjectsController < ApplicationController end def process_build - can_perform? @project if @project + #can_perform? @project if @project @arch_ids = params[:build][:arches].select{|_,v| v == "1"}.collect{|x| x[0].to_i } @arches = Arch.where(:id => @arch_ids) diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb index c9fee430d..71ac6f097 100644 --- a/app/controllers/repositories_controller.rb +++ b/app/controllers/repositories_controller.rb @@ -4,7 +4,7 @@ class RepositoriesController < ApplicationController before_filter :find_repository, :only => [:show, :destroy, :add_project, :remove_project] before_filter :get_paths, :only => [:show, :new, :create, :add_project, :remove_project] before_filter :find_platforms, :only => [:new, :create] - before_filter :check_global_access, :only => [:index, :new, :create] + #before_filter :check_global_access, :only => [:index, :new, :create] def index if params[:platform_id] @@ -15,7 +15,7 @@ class RepositoriesController < ApplicationController end def show - can_perform? @repository if @repository + #can_perform? @repository if @repository if params[:query] @projects = @repository.projects.recent.by_name(params[:query]).paginate :page => params[:project_page], :per_page => 30 else @@ -29,7 +29,7 @@ class RepositoriesController < ApplicationController end def destroy - can_perform? @repository if @repository + #can_perform? @repository if @repository @repository.destroy platform_id = @repository.platform_id 
@@ -50,7 +50,7 @@ class RepositoriesController < ApplicationController end def add_project - can_perform? @repository if @repository + #can_perform? @repository if @repository if params[:project_id] @project = Project.find(params[:project_id]) # params[:project_id] = nil @@ -72,7 +72,7 @@ class RepositoriesController < ApplicationController end def remove_project - can_perform? @repository if @repository + #can_perform? @repository if @repository @project = Project.find(params[:project_id]) ProjectToRepository.where(:project_id => @project.id, :repository_id => @repository.id).destroy_all redirect_to repository_path(@repository), :notice => t('flash.repository.project_removed') diff --git a/app/controllers/roles_controller.rb b/app/controllers/roles_controller.rb index 4bb62266f..ffb93acec 100644 --- a/app/controllers/roles_controller.rb +++ b/app/controllers/roles_controller.rb @@ -3,7 +3,7 @@ class RolesController < ApplicationController before_filter :find_role, :only => [:show, :edit, :update, :destroy] before_filter :find_visibilities, :only => [:new, :edit] - before_filter :check_global_access + # before_filter :check_global_access def index @roles = Role.all diff --git a/app/controllers/rpc_controller.rb b/app/controllers/rpc_controller.rb index f0e29ef3f..cc8da96d2 100644 --- a/app/controllers/rpc_controller.rb +++ b/app/controllers/rpc_controller.rb @@ -2,7 +2,7 @@ class RpcController < ApplicationController exposes_xmlrpc_methods before_filter :authenticate_user! - before_filter :check_global_access + #before_filter :check_global_access before_filter lambda { EventLog.current_controller = self }, :only => :xe_index # should be after auth callback ## Usage example: diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index f8941041a..33e6e8caf 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb 
@@ -2,7 +2,7 @@ class UsersController < ApplicationController
 before_filter :authenticate_user!
 before_filter :find_user, :only => [:show, :edit, :update, :destroy]
 
- before_filter :check_global_access
+ #before_filter :check_global_access
 
 def index
 @users = User.paginate(:page => params[:user_page])
diff --git a/app/models/ability.rb b/app/models/ability.rb
new file mode 100644
index 000000000..3d7941bc8
--- /dev/null
+++ b/app/models/ability.rb
@@ -0,0 +1,31 @@
+class Ability
+ include CanCan::Ability
+
+ def initialize(user)
+ # Define abilities for the passed in user here. For example:
+ #
+ user ||= User.new # guest user (not logged in)
+ if user.admin?
+ can :manage, :all
+ else
+ # Block access to all objects on the site
+ cannot :read, :all
+
+ # Shared rights between guests and registered users
+ can :read, Platform
+
+ # Guest rights
+ if user.guest?
+ can :read, Project, :visibility => 'open'
+
+ # Registered user rights
+ else
+ # If rule has multiple conditions CanCan joins them by 'AND' sql operator
+ can [:read, :update, :process_build, :build], Project, :owner_type => 'User', :owner_id => user.id
+ # If rules goes one by one CanCan joins them by 'OR' sql operator
+ can :read, Project, :visibility => 'open'
+ can [:read, :update, :process_build, :build], Project, :collaborators => {:id => user.id}
+ end
+ end
+ end
+end
\ No newline at end of file
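Review bot: `can :read, Platform` carries no condition, so `Platform.accessible_by(current_ability)` in the `index` action of platforms_controller (same patch) hands every platform row to every non-admin user; the `Platform.visible_to(current_user)` scope it replaces presumably filtered on visibility, and `change_visibility` being called on `@repository.platform` in personal_repositories_controller suggests Platform does carry such an attribute. If so, the rule should mirror the Project one, e.g. `can :read, Platform, :visibility => 'open'` plus an owner/member rule, with the column name confirmed against the model. These rules also grant non-admins no `:create` or `:destroy` on anything, so once `authorize!` is wired into `ProjectsController#destroy` and friends, project owners will be denied; adding the intended rules now, while the policy lives in one place, avoids a second round of silent regressions. A short class comment saying that `Ability` is the single CanCan policy and that `cannot :read, :all` is a deliberate deny-by-default would help the next reader.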
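Review bot: `bitmask :roles, :as => [:read, :update]` defines `roles`/`roles=` on Relation, the same names the `has_many :roles, :autosave => true, :through => :role_lines` association two lines above already defines, so whichever runs last silently shadows the other. Either rename the bitmask attribute (its backing integer column must carry the new name) or drop the `has_many` if the bitmask is meant to replace it; nothing else in this patch reads the bitmask and `Ability` does not consult Relation, so the choice can still be made cleanly. A comment naming which bits encode which right and which code is expected to consume them would also help, since the attribute is otherwise dead on arrival.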
@@ -50,6 +50,14 @@ class User < ActiveRecord::Base
 before_destroy { destroy_ssh_key(ssh_key) if ssh_key.present? }
 # after_create() { UserMailer.new_user_notification(self).deliver }
 
+ def admin?
+ self.id == 1
+ end
+
+ def guest?
+ self.id.blank?
+ end
+
 class << self
 def find_for_database_authentication(warden_conditions)
 conditions = warden_conditions.dup
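Review bot: `admin?` is `self.id == 1`, which ties the only `can :manage, :all` grant in `Ability` to whichever user row happens to hold primary key 1; on a fresh database with Devise sign-up open that is the first account registered, and on a restored or re-seeded database it may be nobody at all. A persisted admin flag or role column checked here (added by migration; none is visible in this hunk) gives a grant that is explicit, auditable and survives re-seeding. `guest?` as `id.blank?` is fine for the `User.new` fallback in `Ability`, though a one-line comment that "guest" means an unsaved user would make that coupling visible. The `self.` receivers are unnecessary; `id == 1` and `id.blank?` read the same attributes.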