Remove custom ACL calls. Add CanCan and some rules. Add bitmask_attribute

Gemfile

@@ -8,7 +8,8 @@ gem 'silent-postgres', '~> 0.1.1'
 gem 'devise', '~> 1.4.8'
 gem 'omniauth', '~> 0.3.2'
 gem 'oa-openid', '~> 0.3.2', :require => 'omniauth/openid'
-# gem 'cancan', '~> 1.6.7'
+gem 'cancan', '~> 1.6.7'
+gem 'bitmask_attributes'
 
 gem "haml-rails", '~> 0.3.4'
 gem "compass", '~> 0.11.5'

Gemfile.lock

@@ -56,7 +56,10 @@ GEM
       activerecord (>= 2.2.2)
     arel (2.0.10)
     bcrypt-ruby (3.0.1)
+    bitmask_attributes (0.2.3)
+      activerecord (~> 3.0)
     builder (2.1.2)
+    cancan (1.6.7)
     capistrano (2.9.0)
       highline
       net-scp (>= 1.0.0)
@@ -273,6 +276,8 @@ PLATFORMS
 DEPENDENCIES
   airbrake!
   ancestry (~> 1.2.4)
+  bitmask_attributes
+  cancan (~> 1.6.7)
   capistrano
   capistrano-ext
   capistrano_colors

app/controllers/application_controller.rb

@@ -8,6 +8,11 @@ class ApplicationController < ActionController::Base
   after_filter lambda { EventLog.current_controller = nil }
 
   helper_method :get_owner
+  
+  rescue_from CanCan::AccessDenied do |exception|
+    redirect_to root_url, :alert => exception.message
+  end
+  
   protected
     def get_owner
       params['user_id'] && User.find_by_id(params['user_id']) ||

app/controllers/auto_build_lists_controller.rb

@@ -1,6 +1,6 @@
 class AutoBuildListsController < ApplicationController
   before_filter :authenticate_user!, :except => :auto_build
-  before_filter :check_global_access
+  #before_filter :check_global_access
   
   def index
     projects = Project.where(:owner_id => current_user.id, :owner_type => 'User')

app/controllers/build_lists_controller.rb

@@ -5,7 +5,7 @@ class BuildListsController < ApplicationController
 	before_filter :find_arches, :only => [:index, :filter, :all]
 	before_filter :find_project_versions, :only => [:index, :filter]
 	before_filter :find_build_list_by_bs, :only => [:status_build, :pre_build, :post_build]
-  before_filter :check_global_access, :except => [:status_build, :post_build, :pre_build, :circle_build, :new_bbdt, :show, :publish, :cancel]
+  #before_filter :check_global_access, :except => [:status_build, :post_build, :pre_build, :circle_build, :new_bbdt, :show, :publish, :cancel]
 
 	def all
     if params[:filter]
@@ -24,7 +24,7 @@ class BuildListsController < ApplicationController
 	
 	def cancel
 	 build_list = BuildList.find(params[:id])
-   can_perform? build_list.project if build_list
+   #can_perform? build_list.project if build_list
    if build_list.delete_build_list
      redirect_to :back, :notice => t('layout.build_lists.cancel_successed')
    else
@@ -47,13 +47,13 @@ class BuildListsController < ApplicationController
 	end
 
 	def show
-    can_perform? @project
+    #can_perform? @project
 		@build_list = @project.build_lists.find(params[:id])
 		@item_groups = @build_list.items.group_by_level
 	end
 	
 	def publish
-    can_perform? @project if @project
+    #can_perform? @project if @project
 		@build_list = @project.build_lists.find(params[:id])
 		@build_list.publish
 		

app/controllers/categories_controller.rb

@@ -3,7 +3,7 @@ class CategoriesController < ApplicationController
   before_filter :find_category, :only => [:show, :edit, :update, :destroy]
   before_filter :find_platform, :only => [:show, :index]
 
-  before_filter :check_global_access, :only => [:platforms, :new, :create]
+  #before_filter :check_global_access, :only => [:platforms, :new, :create]
 
   def platforms
     @all_platforms = Platform.all
@@ -16,7 +16,7 @@ class CategoriesController < ApplicationController
 
   def index
     if @platform
-      can_perform? @platform
+      #can_perform? @platform
       @categories = Category.select('categories.id, categories.name, categories.ancestry, count(projects.id) projects_count').
                              joins(:projects => :repositories).where('repositories.platform_id = ?', @platform.id).
                              having('projects_count > 0').group('categories.id, categories.name, categories.ancestry, projects_count').default_order
@@ -27,8 +27,8 @@ class CategoriesController < ApplicationController
   end
 
   def show
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
-    can_perform? @category if @category
+    #can_perform? @category if @category
 
     @projects = @category.projects
     @projects = @projects.joins(:repositories).where("repositories.platform_id = ?", @platform.id) if @platform
@@ -40,11 +40,11 @@ class CategoriesController < ApplicationController
   end
 
   def edit
-    can_perform? @category if @category
+    #can_perform? @category if @category
   end
 
   def destroy
-    can_perform? @category if @category
+    #can_perform? @category if @category
     @category.destroy
     flash[:notice] = t("flash.category.destroyed")
     redirect_to categories_path
@@ -62,7 +62,7 @@ class CategoriesController < ApplicationController
   end
 
   def update
-    can_perform? @category if @category
+    #can_perform? @category if @category
     if @category.update_attributes(params[:category])
       flash[:notice] = t('flash.category.saved')
       redirect_to categories_path

app/controllers/collaborators_controller.rb

@@ -10,7 +10,7 @@ class CollaboratorsController < ApplicationController
   before_filter :find_groups
 
   def index
-    can_perform? @project if @project
+    #can_perform? @project if @project
     redirect_to edit_project_collaborators_path(@project)
   end
 
@@ -21,7 +21,7 @@ class CollaboratorsController < ApplicationController
   end
 
   def edit
-    can_perform? @project if @project
+    #can_perform? @project if @project
     if params[:id]
       @user = User.find params[:id]
       render :edit_rights and return
@@ -32,7 +32,7 @@ class CollaboratorsController < ApplicationController
   end
 
   def update
-    can_perform? @project if @project
+    #can_perform? @project if @project
     unless params[:id]
       if params[:user]
         users_for_removing = @project.collaborators.select do |u|

app/controllers/containers_controller.rb

@@ -1,3 +1,3 @@
 class ContainersController < ApplicationController
-  before_filter :check_global_access
+  #before_filter :check_global_access
 end

app/controllers/downloads_controller.rb

@@ -1,6 +1,6 @@
 class DownloadsController < ApplicationController
   before_filter :authenticate_user!
-  before_filter :check_global_access, :except => [:test_sudo]
+  #before_filter :check_global_access, :except => [:test_sudo]
 
   def index
     @downloads = Download.paginate :page => params[:page], :per_page => 30

app/controllers/event_logs_controller.rb

@@ -1,7 +1,7 @@
 # coding: UTF-8
 class EventLogsController < ApplicationController
   before_filter :authenticate_user!
-  before_filter :check_global_access
+  #before_filter :check_global_access
 
   def index
     @event_logs = EventLog.default_order.eager_loading.paginate :page => params[:page]

app/controllers/groups_controller.rb

@@ -2,14 +2,14 @@
 class GroupsController < ApplicationController
   before_filter :authenticate_user!
   before_filter :find_group, :only => [:show, :edit, :update, :destroy]
-  before_filter :check_global_access, :only => [:index, :new, :create]
+  #before_filter :check_global_access, :only => [:index, :new, :create]
 
   def index
     @groups = Group.paginate(:page => params[:group_page])
   end
 
   def show
-    can_perform? @group if @group
+    #can_perform? @group if @group
     @platforms    = @group.platforms.paginate(:page => params[:platform_page], :per_page => 10)
     @repositories = @group.repositories.paginate(:page => params[:repository_page], :per_page => 10)
     @projects     = @group.projects.paginate(:page => params[:project_page], :per_page => 10)
@@ -20,7 +20,7 @@ class GroupsController < ApplicationController
   end
 
   def edit
-    can_perform? @group if @group
+    #can_perform? @group if @group
   end
 
   def create
@@ -37,7 +37,7 @@ class GroupsController < ApplicationController
   end
 
   def update
-    can_perform? @group if @group
+    #can_perform? @group if @group
     if @group.update_attributes(params[:group])
       flash[:notice] = t('flash.group.saved')
       redirect_to groups_path
@@ -48,7 +48,7 @@ class GroupsController < ApplicationController
   end
 
   def destroy
-    can_perform? @group if @group
+    #can_perform? @group if @group
     @group.destroy
     flash[:notice] = t("flash.group.destroyed")
     redirect_to groups_path

app/controllers/personal_repositories_controller.rb

@@ -5,7 +5,7 @@ class PersonalRepositoriesController < ApplicationController
   #before_filter :check_global_access
 
   def show
-    can_perform? @repository if @repository
+    #can_perform? @repository if @repository
     if params[:query]
       @projects = @repository.projects.recent.by_name(params[:query]).paginate :page => params[:project_page], :per_page => 30
     else
@@ -16,18 +16,18 @@ class PersonalRepositoriesController < ApplicationController
   end
   
   def change_visibility
-    can_perform? @repository if @repository
+    #can_perform? @repository if @repository
     @repository.platform.change_visibility
     
     redirect_to settings_personal_repository_path(@repository)
   end
   
   def settings
-    can_perform? @repository if @repository
+    #can_perform? @repository if @repository
   end
 
   def add_project
-    can_perform? @repository if @repository
+    #can_perform? @repository if @repository
     if params[:project_id]
       @project = Project.find(params[:project_id])
       # params[:project_id] = nil
@@ -45,7 +45,7 @@ class PersonalRepositoriesController < ApplicationController
   end
 
   def remove_project
-    can_perform? @repository if @repository
+    #can_perform? @repository if @repository
     @project = Project.find(params[:project_id])
     ProjectToRepository.where(:project_id => @project.id, :repository_id => @repository.id).destroy_all
     redirect_to personal_repository_path(@repository), :notice => t('flash.repository.project_removed')

app/controllers/platforms_controller.rb

@@ -3,10 +3,11 @@ class PlatformsController < ApplicationController
   before_filter :authenticate_user!, :except => :easy_urpmi
   before_filter :find_platform, :only => [:freeze, :unfreeze, :clone, :edit, :destroy]
   before_filter :get_paths, :only => [:new, :create, :clone]
-  before_filter :check_global_access, :only => [:index, :new, :create]#:except => :easy_urpmi
+  #before_filter :check_global_access, :only => [:index, :new, :create]#:except => :easy_urpmi
 
   def index
-    @platforms = Platform.visible_to(current_user).paginate(:page => params[:platform_page])
+    #@platforms = Platform.visible_to(current_user).paginate(:page => params[:platform_page])
+    @platforms = Platform.accessible_by(current_ability).paginate(:page => params[:platform_page])
   end
 
   def easy_urpmi
@@ -27,19 +28,19 @@ class PlatformsController < ApplicationController
 
   def show
     @platform = Platform.find params[:id], :include => :repositories
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
     @repositories = @platform.repositories
     @members = @platform.members.uniq
   end
 
   def new
-    @platforms = Platform.visible_to current_user
+    #@platforms = Platform.visible_to current_user
     @platform = Platform.new
   end
   
   def edit
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
-    @platforms = Platform.visible_to current_user
+    #@platforms = Platform.visible_to current_user
   end
 
   def create
@@ -52,13 +53,13 @@ class PlatformsController < ApplicationController
       redirect_to @platform
     else
       flash[:error] = I18n.t("flash.platform.saved_error")
-      @platforms = Platform.visible_to current_user
+      #@platforms = Platform.visible_to current_user
       render :action => :new
     end
   end
 
   def freeze
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
     @platform.released = true
     if @platform.save
       flash[:notice] = I18n.t("flash.platform.freezed")
@@ -70,7 +71,7 @@ class PlatformsController < ApplicationController
   end
 
   def unfreeze
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
     @platform.released = false
     if @platform.save
       flash[:notice] = I18n.t("flash.platform.unfreezed")
@@ -82,7 +83,7 @@ class PlatformsController < ApplicationController
   end
 
   def clone
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
     if request.post?
       @cloned = @platform.make_clone(:name => params[:platform]['name'], :unixname => params[:platform]['unixname'],
                                     :owner_id => current_user.id, :owner_type => current_user.class.to_s)
@@ -100,7 +101,7 @@ class PlatformsController < ApplicationController
   end
 
   def destroy
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
     @platform.destroy if @platform
 
     flash[:notice] = t("flash.platform.destroyed")

app/controllers/private_users_controller.rb

@@ -1,6 +1,6 @@
 class PrivateUsersController < ApplicationController
   before_filter :authenticate_user!
-  before_filter :check_global_access, :except => [:destroy]
+  #before_filter :check_global_access, :except => [:destroy]
   before_filter :find_platform_and_private_users
 
   def index
@@ -20,7 +20,7 @@ class PrivateUsersController < ApplicationController
 
   #def destroy
   #	user = PrivateUser.find(params[:id])
-  #  can_perform? user if user
+  #  #can_perform? user if user
   #	user.destroy
   #	redirect_to platform_private_users_path(params[:platform_id])
   #end

app/controllers/product_build_lists_controller.rb

@@ -3,13 +3,13 @@ class ProductBuildListsController < ApplicationController
   before_filter :find_product_build_list, :only => [:status_build]
   before_filter :find_product, :except => [:status_build]
   before_filter :find_platform, :except => [:status_build]
-  before_filter :check_global_access, :except => [:status_build]
+  #before_filter :check_global_access, :except => [:status_build]
 
   # def index
   # end
 
   def create
-    can_perform? @product # if @product
+    #can_perform? @product # if @product
     @product.product_build_lists.create! :base_url => "http://#{request.host_with_port}", :notified_at => Time.current
     flash[:notice] = t('flash.product.build_started')
     redirect_to [@platform, @product]

app/controllers/products_controller.rb

@@ -2,7 +2,7 @@ class ProductsController < ApplicationController
   before_filter :authenticate_user!
   before_filter :find_product, :only => [:show, :edit, :update, :destroy]
   before_filter :find_platform
-  before_filter :check_global_access, :only => [:new, :create]
+  #before_filter :check_global_access, :only => [:new, :create]
 
   def new
     @product = @platform.products.new
@@ -13,7 +13,7 @@ class ProductsController < ApplicationController
   end
 
   # def clone
-  #   can_perform? @platform if @platform
+  #   #can_perform? @platform if @platform
   #   @template = @platform.products.find(params[:id])
   #   @product = @platform.products.new
   #   @product.clone_from!(@template)
@@ -22,12 +22,12 @@ class ProductsController < ApplicationController
   # end
 
   def edit
-    can_perform? @product if @product
+    #can_perform? @product if @product
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
   end
 
   def create
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
     @product = @platform.products.new params[:product]
     if @product.save
       flash[:notice] = t('flash.product.saved') 
@@ -39,8 +39,8 @@ class ProductsController < ApplicationController
   end
 
   def update
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
-    can_perform? @product if @product
+    #can_perform? @product if @product
     if @product.update_attributes(params[:product])
       flash[:notice] = t('flash.product.saved')
       redirect_to @platform
@@ -51,13 +51,13 @@ class ProductsController < ApplicationController
   end
 
   def show
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
-    can_perform? @product if @product
+    #can_perform? @product if @product
   end
 
   def destroy
-    can_perform? @platform if @platform
+    #can_perform? @platform if @platform
-    can_perform? @product if @product
+    #can_perform? @product if @product
     @product.destroy
     flash[:notice] = t("flash.product.destroyed")
     redirect_to @platform

app/controllers/projects_controller.rb

@@ -2,13 +2,17 @@ class ProjectsController < ApplicationController
   before_filter :authenticate_user!, :except => :auto_build
   before_filter :find_project, :only => [:show, :edit, :update, :destroy, :build, :process_build]
   before_filter :get_paths, :only => [:new, :create, :edit, :update]
-  before_filter :check_global_access, :only => [:index, :new, :create]#:except => :auto_build
+  #before_filter :check_global_access, :only => [:index, :new, :create]#:except => :auto_build
+  #check_authorization
+  #authorize_resource
 
   def index
     if params[:query]
-      @projects = Project.visible_to(current_user).where(:name => params[:query]).paginate(:page => params[:project_page])
+      #@projects = Project.visible_to(current_user).where(:name => params[:query]).paginate(:page => params[:project_page])
+      @projects = Project.accessible_by(current_ability).where(:name => params[:query]).paginate(:page => params[:project_page])
     else
-      @projects = Project.visible_to(current_user).paginate(:page => params[:project_page])
+      #@projects = Project.visible_to(current_user).paginate(:page => params[:project_page])
+      @projects = Project.accessible_by(current_ability).paginate(:page => params[:project_page])
     end
     
     @own_projects = current_user.own_projects
@@ -16,7 +20,7 @@ class ProjectsController < ApplicationController
   end
 
   def show
-    can_perform? @project if @project
+    #can_perform? @project if @project
     @current_build_lists = @project.build_lists.current.recent.paginate :page => params[:page]
   end
 
@@ -25,7 +29,7 @@ class ProjectsController < ApplicationController
   end
 
   def edit
-    can_perform? @project if @project
+    #can_perform? @project if @project
   end
 
   def create
@@ -43,7 +47,7 @@ class ProjectsController < ApplicationController
   end
 
   def update
-    can_perform? @project if @project
+    #can_perform? @project if @project
     if @project.update_attributes(params[:project])
       flash[:notice] = t('flash.project.saved')
       redirect_to @project
@@ -54,7 +58,7 @@ class ProjectsController < ApplicationController
   end
 
   def destroy
-    can_perform? @project if @project
+    #can_perform? @project if @project
     @project.destroy
     flash[:notice] = t("flash.project.destroyed")
     redirect_to @project.owner
@@ -91,7 +95,7 @@ class ProjectsController < ApplicationController
   end
 
   def process_build
-    can_perform? @project if @project
+    #can_perform? @project if @project
     @arch_ids = params[:build][:arches].select{|_,v| v == "1"}.collect{|x| x[0].to_i }
     @arches = Arch.where(:id => @arch_ids)
 

app/controllers/repositories_controller.rb

@@ -4,7 +4,7 @@ class RepositoriesController < ApplicationController
   before_filter :find_repository, :only => [:show, :destroy, :add_project, :remove_project]
   before_filter :get_paths, :only => [:show, :new, :create, :add_project, :remove_project]
   before_filter :find_platforms, :only => [:new, :create]
-  before_filter :check_global_access, :only => [:index, :new, :create]
+  #before_filter :check_global_access, :only => [:index, :new, :create]
 
   def index
     if params[:platform_id]
@@ -15,7 +15,7 @@ class RepositoriesController < ApplicationController
   end
 
   def show
-    can_perform? @repository if @repository
+    #can_perform? @repository if @repository
     if params[:query]
       @projects = @repository.projects.recent.by_name(params[:query]).paginate :page => params[:project_page], :per_page => 30
     else
@@ -29,7 +29,7 @@ class RepositoriesController < ApplicationController
   end
 
   def destroy
-    can_perform? @repository if @repository
+    #can_perform? @repository if @repository
     @repository.destroy
     platform_id = @repository.platform_id
 
@@ -50,7 +50,7 @@ class RepositoriesController < ApplicationController
   end
 
   def add_project
-    can_perform? @repository if @repository
+    #can_perform? @repository if @repository
     if params[:project_id]
       @project = Project.find(params[:project_id])
       # params[:project_id] = nil
@@ -72,7 +72,7 @@ class RepositoriesController < ApplicationController
   end
 
   def remove_project
-    can_perform? @repository if @repository
+    #can_perform? @repository if @repository
     @project = Project.find(params[:project_id])
     ProjectToRepository.where(:project_id => @project.id, :repository_id => @repository.id).destroy_all
     redirect_to repository_path(@repository), :notice => t('flash.repository.project_removed')

app/controllers/roles_controller.rb

@@ -3,7 +3,7 @@ class RolesController < ApplicationController
   before_filter :find_role, :only => [:show, :edit, :update, :destroy]
   before_filter :find_visibilities, :only => [:new, :edit]
 
-  before_filter :check_global_access
+ # before_filter :check_global_access
 
   def index
     @roles = Role.all

app/controllers/rpc_controller.rb

@@ -2,7 +2,7 @@ class RpcController < ApplicationController
   exposes_xmlrpc_methods
 
   before_filter :authenticate_user!
-  before_filter :check_global_access
+  #before_filter :check_global_access
   before_filter lambda { EventLog.current_controller = self }, :only => :xe_index # should be after auth callback
 
   ## Usage example:

app/controllers/users_controller.rb

@@ -2,7 +2,7 @@
 class UsersController < ApplicationController
   before_filter :authenticate_user!
   before_filter :find_user, :only => [:show, :edit, :update, :destroy]
-  before_filter :check_global_access
+  #before_filter :check_global_access
 
   def index
     @users = User.paginate(:page => params[:user_page])

app/models/ability.rb

@@ -0,0 +1,31 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    # Define abilities for the passed in user here. For example:
+    #
+    user ||= User.new # guest user (not logged in)
+    if user.admin?
+      can :manage, :all
+    else
+      # Block access to all objects on the site
+      cannot :read, :all
+      
+      # Shared rights between guests and registered users
+      can :read, Platform
+      
+      # Guest rights
+      if user.guest?
+        can :read, Project, :visibility => 'open'
+      
+      # Registered user rights
+      else
+        # If rule has multiple conditions CanCan joins them by 'AND' sql operator
+        can [:read, :update, :process_build, :build], Project, :owner_type => 'User', :owner_id => user.id
+        # If rules goes one by one CanCan joins them by 'OR' sql operator
+        can :read, Project, :visibility => 'open'
+        can [:read, :update, :process_build, :build], Project, :collaborators => {:id => user.id}
+      end
+    end
+  end
+end

app/models/relation.rb

@@ -5,6 +5,8 @@ class Relation < ActiveRecord::Base
   has_many :role_lines
   has_many :roles, :autosave => true, :through => :role_lines
   
+  bitmask :roles, :as => [:read, :update] 
+
   after_create {
     with_ga do |ga|
       if repo = ga.find_repo(target.git_repo_name) and key = object.ssh_key and key.present?

app/models/user.rb

@@ -50,6 +50,14 @@ class User < ActiveRecord::Base
   before_destroy { destroy_ssh_key(ssh_key) if ssh_key.present? }
   # after_create() { UserMailer.new_user_notification(self).deliver }
 
+  def admin?
+    self.id == 1
+  end
+  
+  def guest?
+    self.id.blank?
+  end
+
   class << self
     def find_for_database_authentication(warden_conditions)
       conditions = warden_conditions.dup