rosa-build/app/models/ability.rb

121 lines
6.6 KiB
Ruby

class Ability
include CanCan::Ability
def initialize(user)
user ||= User.new # guest user (not logged in)
if user.admin?
can :manage, :all
else
#WARNING:
# - put cannot rules _after_ can rules and not before!
# - beware inner joins. Use sub queries against them!
# Shared rights between guests and registered users
can :forbidden, Platform
#cannot :read, Platform, :visibility => 'hidden'
can :read, [Project, Platform], :visibility => 'open'
can :auto_build, Project # TODO: This needs to be checked!
can [:status_build, :pre_build, :post_build, :circle_build, :new_bbdt], BuildList
# Guest rights
if user.guest?
can :create, User
# Registered user rights
else
can :index, AutoBuildList
# If rules goes one by one CanCan joins them by 'OR' sql operator
can :read, Project, :visibility => 'open'
can :read, User
can :manage_collaborators, Project do |project|
project.relations.exists? :object_id => user.id, :object_type => 'User', :role => 'admin'
end
# Put here model names which objects can user create
can :create, Project
can :publish, BuildList do |build_list|
build_list.can_published? && build_list.project.relations.exists?(:object_type => 'User', :object_id => user.id)
end
can [:read, :create], PrivateUser, :platform => {:owner_type => 'User', :owner_id => user.id}
# If rule has multiple conditions CanCan joins them by 'AND' sql operator
can [:read, :update, :process_build, :build, :destroy], Project, :owner_type => 'User', :owner_id => user.id
#can :read, Project, :relations => {:role => 'read'}
can :read, Project, projects_in_relations_with(:role => 'read', :object_type => 'User', :object_id => user.id) do |project|
#The can? and cannot? call cannot be used with a raw sql 'can' definition.
project.relations.exists?(:role => 'read', :object_type => 'User', :object_id => user.id)
end
#can [:update, :process_build, :build], Project, :relations => {:role => 'write'}
can [:read, :update, :process_build, :build], Project, projects_in_relations_with(:role => ['write', 'admin'], :object_type => 'User', :object_id => user.id) do |project|
project.relations.exists?(:role => ['write', 'admin'], :object_type => 'User', :object_id => user.id)
end
can :manage, Platform, :owner_type => 'User', :owner_id => user.id
#can :read, Platform, :members => {:id => user.id}
can :read, Platform, platforms_in_relations_with(:role => 'read', :object_type => 'User', :object_id => user.id) do |platform|
platform.relations.exists?(:role => 'read', :object_type => 'User', :object_id => user.id)
end
can [:manage, :add_project, :remove_project, :change_visibility, :settings], Repository, :owner_type => 'User', :owner_id => user.id
#can :read, Platform, :members => {:id => user.id}
can :read, Repository, repositories_in_relations_with(:role => 'read', :object_type => 'User', :object_id => user.id) do |repository|
repository.relations.exists?(:role => 'read', :object_type => 'User', :object_id => user.id)
end
#can :read, Repository
# TODO: Add personal repos rules
# Same rights for groups:
can [:read, :create], PrivateUser, :platform => {:owner_type => 'Group', :owner_id => user.group_ids}
can :publish, BuildList do |build_list|
build_list.can_published? && build_list.project.relations.exists?(:object_type => 'Group', :object_id => user.group_ids)
end
can [:read, :update, :process_build, :build, :destroy], Project, :owner_type => 'Group', :owner_id => user.group_ids
#can :read, Project, :relations => {:role => 'read', :object_type => 'Group', :object_id => user.group_ids}
can :read, Project, projects_in_relations_with(:role => 'read', :object_type => 'Group', :object_id => user.group_ids) do |project|
project.relations.exists?(:role => 'read', :object_type => 'Group', :object_id => user.group_ids)
end
#can [:update, :process_build, :build], Project, :relations => {:role => 'write', :object_type => 'Group', :object_id => user.group_ids}
can [:read, :update, :process_build, :build], Project, projects_in_relations_with(:role => ['write', 'admin'], :object_type => 'Group', :object_id => user.group_ids) do |project|
project.relations.exists?(:role => ['write', 'admin'], :object_type => 'Group', :object_id => user.group_ids)
end
can :manage, Platform, :owner_type => 'Group', :owner_id => user.group_ids
#can :read, Platform, :groups => {:id => user.group_ids}
can :read, Platform, platforms_in_relations_with(:role => 'read', :object_type => 'Group', :object_id => user.group_ids) do |platform|
platform.relations.exists?(:role => 'read', :object_type => 'Group', :object_id => user.group_ids)
end
can [:manage, :add_project, :remove_project], Repository, :owner_type => 'Group', :owner_id => user.group_ids
#can :read, Platform, :groups => {:id => user.group_ids}
can :read, Repository, repositories_in_relations_with(:role => 'read', :object_type => 'Group', :object_id => user.group_ids) do |repository|
repository.relations.exists?(:role => 'read', :object_type => 'Group', :object_id => user.group_ids)
end
end
end
# Shared cannot rights for all users (guests, registered, admin)
cannot :destroy, Platform, :platform_type => 'personal'
cannot :destroy, Repository, :platform => {:platform_type => 'personal'}
end
# Sub query for platforms, projects relations
# TODO: Replace table names list by method_missing way
%w[platforms projects repositories].each do |table_name|
define_method table_name + "_in_relations_with" do |opts|
query = "#{ table_name }.id IN (SELECT target_id FROM relations WHERE relations.target_type = '#{ table_name.singularize.camelize }'"
opts.each do |key, value|
query = query + " AND relations.#{ key } #{ value.class == Array ? 'IN (?)' : '= ?' } "
end
query = query + ")"
return opts.values.unshift query
end
end
## Sub query for project relations
#def projects_in_relations_with(opts={})
# ["projects.id IN (SELECT target_id FROM relations WHERE relations.object_id #{ opts[:object_id].class == Array ? 'IN (?)' : '= ?' } AND relations.object_type = '#{ opts[:object_type] }' AND relations.target_type = 'Platform') AND relations.role", opts[:object_id]]
#end
end