Project

General

Profile

« Previous | Next » 

Revision acfbc458

Added by Marek Hulán about 10 years ago

fixes #812 - new permissions model, user group role and nest support, role filters for better granularity

Contributions from:

View differences:

app/models/role.rb
before_destroy :check_deletable
has_many :user_roles, :dependent => :destroy
has_many :users, :through => :user_roles
has_many :users, :through => :user_roles, :source => :owner, :source_type => 'User'
has_many :usergroups, :through => :user_roles, :source => :owner, :source_type => 'Usergroup'
has_many :cached_user_roles, :dependent => :destroy
has_many :cached_users, :through => :cached_user_roles, :source => :user
serialize :permissions, Array
has_many :filters, :dependent => :destroy
has_many :permissions, :through => :filters
attr_protected :builtin
validates :name, :presence => true, :uniqueness => true, :length => {:maximum => 30}, :format => {:with => /\A\w[\w\s\'\-]*\w\Z/i}
validates :name, :presence => true, :uniqueness => true, :format => {:with => /\A\w[\w\s\'\-]*\w\Z/i}
validates :builtin, :inclusion => { :in => 0..2 }
scoped_search :on => :name, :complete_value => true
......
self.builtin = 0
end
def permissions
read_attribute(:permissions) || []
end
def permissions=(perms)
perms = perms.collect {|p| p.to_sym unless p.blank? }.compact.uniq if perms
write_attribute(:permissions, perms)
end
def add_permission!(*perms)
self.permissions = [] unless permissions.is_a?(Array)
permissions_will_change!
perms.each do |p|
p = p.to_sym
permissions << p unless permissions.include?(p)
end
save!
end
def remove_permission!(*perms)
return unless permissions.is_a?(Array)
permissions_will_change!
perms.each { |p| permissions.delete(p.to_sym) }
save!
end
# Returns true if the role has the given permission
def has_permission?(perm)
!permissions.nil? && permissions.include?(perm.to_sym)
permission_names.include?(perm.to_sym)
end
def permission_names
@permission_names ||= permissions.map { |p| p.name.to_sym }
end
# Return true if the role is a builtin role
......
# * a permission Symbol (eg. :edit_project)
def allowed_to?(action)
if action.is_a? Hash
action[:controller] = action[:controller][1..-1] if action[:controller].starts_with?('/')
allowed_actions.include? "#{action[:controller]}/#{action[:action]}"
else
allowed_permissions.include? action
end
end
# Return all the permissions that can be given to the role
def setable_permissions
setable_permissions = Foreman::AccessControl.permissions - Foreman::AccessControl.public_permissions
setable_permissions -= Foreman::AccessControl.loggedin_only_permissions if self.builtin == BUILTIN_ANONYMOUS
setable_permissions
end
# Find all the roles that can be given to a user
def self.find_all_givable
all(:conditions => {:builtin => 0}, :order => 'name')
......
anonymous_role
end
# options can have following keys
# :search - scoped search applied to built filters
def add_permissions(permissions, options = {})
permissions = Array(permissions)
search = options.delete(:search)
collection = Permission.where(:name => permissions).all
raise ArgumentError, 'some permissions were not found' if collection.size != permissions.size
collection.group_by(&:resource_type).each do |resource_type, grouped_permissions|
filter = self.filters.build(:search => search)
filter.role ||= self
grouped_permissions.each do |permission|
filtering = filter.filterings.build
filtering.filter = filter
filtering.permission = permission
end
end
end
def add_permissions!(*args)
add_permissions(*args)
save!
end
private
def allowed_permissions
@allowed_permissions ||= permissions + Foreman::AccessControl.public_permissions.collect {|p| p.name}
@allowed_permissions ||= permission_names + Foreman::AccessControl.public_permissions.map(&:name)
end
def allowed_actions

Also available in: Unified diff