kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

4 roles permission system

This commit is contained in:
Dmitriy Zaporozhets 2012-02-16 09:03:55 +02:00
parent dac7c44ab3
commit 1c62ec09b0
18 changed files with 66 additions and 111 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/projects_controller.rb
View File

@ -28,7 +28,7 @@ class ProjectsController < ApplicationController
Project.transaction do
@project.save!
@project.users_projects.create!(:repo_access => Repository::REPO_RW , :project_access => Project::PROJECT_RWA, :user => current_user)
@project.users_projects.create!(:project_access => UsersProject::MASTER, :user => current_user)
# when project saved no team member exist so
# project repository should be updated after first user add

38
app/models/project.rb
View File

@ -1,11 +1,6 @@
require "grit"
class Project < ActiveRecord::Base
PROJECT_N = 0
PROJECT_R = 1
PROJECT_RW = 2
PROJECT_RWA = 3
belongs_to :owner, :class_name => "User"
has_many :merge_requests, :dependent => :destroy
@ -61,12 +56,7 @@ class Project < ActiveRecord::Base
end
def self.access_options
{
"Denied" => PROJECT_N,
"Read" => PROJECT_R,
"Report" => PROJECT_RW,
"Admin" => PROJECT_RWA
}
UsersProject.access_roles
end
def repository
@ -193,11 +183,11 @@ class Project < ActiveRecord::Base
# Should be rewrited for new access rights
def add_access(user, *access)
access = if access.include?(:admin)
{ :project_access => PROJECT_RWA }
{ :project_access => UsersProject::MASTER }
elsif access.include?(:write)
{ :project_access => PROJECT_RW }
{ :project_access => UsersProject::DEVELOPER }
else
{ :project_access => PROJECT_R }
{ :project_access => UsersProject::GUEST }
end
opts = { :user => user }
opts.merge!(access)
@ -210,48 +200,48 @@ class Project < ActiveRecord::Base
def repository_readers
keys = Key.joins({:user => :users_projects}).
where("users_projects.project_id = ? AND users_projects.repo_access = ?", id, Repository::REPO_R)
where("users_projects.project_id = ? AND users_projects.project_access = ?", id, UsersProject::REPORTER)
keys.map(&:identifier) + deploy_keys.map(&:identifier)
end
def repository_writers
keys = Key.joins({:user => :users_projects}).
where("users_projects.project_id = ? AND users_projects.repo_access = ?", id, Repository::REPO_RW)
where("users_projects.project_id = ? AND users_projects.project_access = ?", id, UsersProject::DEVELOPER)
keys.map(&:identifier)
end
def repository_masters
keys = Key.joins({:user => :users_projects}).
where("users_projects.project_id = ? AND users_projects.repo_access = ?", id, Repository::REPO_MASTER)
where("users_projects.project_id = ? AND users_projects.project_access = ?", id, UsersProject::MASTER)
keys.map(&:identifier)
end
def readers
@readers ||= users_projects.includes(:user).where(:project_access => [PROJECT_R, PROJECT_RW, PROJECT_RWA]).map(&:user)
@readers ||= users_projects.includes(:user).map(&:user)
end
def writers
@writers ||= users_projects.includes(:user).where(:project_access => [PROJECT_RW, PROJECT_RWA]).map(&:user)
@writers ||= users_projects.includes(:user).map(&:user)
end
def admins
@admins ||= users_projects.includes(:user).where(:project_access => PROJECT_RWA).map(&:user)
@admins ||= users_projects.includes(:user).where(:project_access => UsersProject::MASTER).map(&:user)
end
def allow_read_for?(user)
!users_projects.where(:user_id => user.id, :project_access => [PROJECT_R, PROJECT_RW, PROJECT_RWA]).empty?
!users_projects.where(:user_id => user.id).empty?
end
def allow_write_for?(user)
!users_projects.where(:user_id => user.id, :project_access => [PROJECT_RW, PROJECT_RWA]).empty?
!users_projects.where(:user_id => user.id).empty?
end
def allow_admin_for?(user)
!users_projects.where(:user_id => user.id, :project_access => [PROJECT_RWA]).empty? || owner_id == user.id
!users_projects.where(:user_id => user.id, :project_access => [UsersProject::MASTER]).empty? || owner_id == user.id
end
def allow_pull_for?(user)
!users_projects.where(:user_id => user.id, :repo_access => [Repository::REPO_R, Repository::REPO_RW, Repository::REPO_MASTER]).empty?
!users_projects.where(:user_id => user.id, :project_access => [UsersProject::REPORTER, UsersProject::DEVELOPER, UsersProject::MASTER]).empty?
end
def root_ref

12
app/models/repository.rb
View File

@ -1,11 +1,6 @@
require File.join(Rails.root, "lib", "gitlabhq", "git_host")
class Repository
REPO_N = 0
REPO_R = 1
REPO_RW = 2
REPO_MASTER = 3
attr_accessor :project
def self.default_ref
@ -13,12 +8,7 @@ class Repository
end
def self.access_options
{
"Denied" => REPO_N,
"Pull" => REPO_R,
"Pull & Push" => REPO_RW,
"Master" => REPO_MASTER
}
{}
end
def initialize(project)

14
app/models/users_project.rb
View File

@ -1,7 +1,8 @@
class UsersProject < ActiveRecord::Base
REPORTER = 21
DEVELOPER = 22
MASTER = 33
GUEST = 10
REPORTER = 20
DEVELOPER = 30
MASTER = 40
belongs_to :user
belongs_to :project
@ -21,7 +22,6 @@ class UsersProject < ActiveRecord::Base
UsersProject.transaction do
user_ids.each do |user_id|
users_project = UsersProject.new(
:repo_access => repo_access,
:project_access => project_access,
:user_id => user_id
)
@ -35,7 +35,6 @@ class UsersProject < ActiveRecord::Base
UsersProject.transaction do
project_ids.each do |project_id|
users_project = UsersProject.new(
:repo_access => repo_access,
:project_access => project_access,
)
users_project.project_id = project_id
@ -47,6 +46,7 @@ class UsersProject < ActiveRecord::Base
def self.access_roles
{
"Guest" => GUEST,
"Reporter" => REPORTER,
"Developer" => DEVELOPER,
"Master" => MASTER
@ -54,7 +54,7 @@ class UsersProject < ActiveRecord::Base
end
def role_access
"#{project_access}#{repo_access}"
project_access
end
def update_repository
@ -68,7 +68,7 @@ class UsersProject < ActiveRecord::Base
end
def repo_access_human
Repository.access_options.key(self.repo_access)
""
end
end
# == Schema Information

2
app/views/admin/projects/show.html.haml
View File

@ -53,7 +53,6 @@
%td
= link_to tm.user_name, admin_users_path(tm.user)
%td= select_tag :tm_project_access, options_for_select(Project.access_options, tm.project_access), :class => "medium project-access-select", :disabled => :disabled
%td= select_tag :tm_repo_access, options_for_select(Repository.access_options, tm.repo_access), :class => "medium repo-access-select", :disabled => :disabled
%td= link_to 'Edit Access', edit_admin_team_member_path(tm), :class => "btn small"
%td= link_to 'Remove from team', admin_team_member_path(tm), :confirm => 'Are you sure?', :method => :delete, :class => "btn danger small"
@ -68,7 +67,6 @@
%tr
%td= select_tag :user_ids, options_from_collection_for_select(@users , :id, :name), :multiple => true
%td= select_tag :project_access, options_for_select(Project.access_options), :class => "project-access-select"
%td= select_tag :repo_access, options_for_select(Repository.access_options), :class => "repo-access-select"
.actions
= submit_tag 'Add', :class => "btn primary"

4
app/views/admin/team_members/_form.html.haml
View File

@ -10,10 +10,6 @@
.input
= f.select :project_access, options_for_select(Project.access_options, @admin_team_member.project_access), {}, :class => "project-access-select"
.clearfix
%label Repository Access:
.input
= f.select :repo_access, options_for_select(Repository.access_options, @admin_team_member.repo_access), {}, :class => "repo-access-select"
%br
.actions
= f.submit 'Save', :class => "btn primary"

2
app/views/admin/users/show.html.haml
View File

@ -61,7 +61,6 @@
%tr
%td= link_to project.name, admin_project_path(project)
%td= select_tag :tm_project_access, options_for_select(Project.access_options, tm.project_access), :class => "medium project-access-select", :disabled => :disabled
%td= select_tag :tm_repo_access, options_for_select(Repository.access_options, tm.repo_access), :class => "medium repo-access-select", :disabled => :disabled
%td= link_to 'Edit Access', edit_admin_team_member_path(tm), :class => "btn small"
%td= link_to 'Remove from team', admin_team_member_path(tm), :confirm => 'Are you sure?', :method => :delete, :class => "btn small danger"
@ -76,7 +75,6 @@
%tr
%td= select_tag :project_ids, options_from_collection_for_select(@projects , :id, :name), :multiple => true
%td= select_tag :project_access, options_for_select(Project.access_options), :class => "project-access-select"
%td= select_tag :repo_access, options_for_select(Repository.access_options), :class => "repo-access-select"
.actions
= submit_tag 'Add', :class => "btn primary"

6
app/views/help/permissions.html.haml
View File

@ -1,6 +1,12 @@
%h3 Permissions
%hr
%h4 Reporter
%ul
%li Create new issue
%li Create new merge request
%li Write on project wall
%h4 Reporter
%ul
%li Pull project code

13
app/views/team_members/_form.html.haml
View File

@ -14,18 +14,9 @@
.clearfix
= f.label :project_access, "Project Access"
.input= f.select :_project_access, options_for_select(UsersProject.access_roles, @team_member.role_access), {}, :class => "project-access-select"
.input= f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select"
-#.clearfix
-#= f.label :project_access, "Project Access"
-#.input= f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select"
-#.clearfix
-#= f.label :repo_access, "Repository Access"
-#.input= f.select :repo_access, options_for_select(Repository.access_options, @team_member.repo_access), {}, :class => "repo-access-select"
.actions
= f.submit 'Save', :class => "btn primary"
= link_to "Cancel", team_project_path(@project), :class => "btn"
@ -37,6 +28,6 @@
:javascript
$('select#team_member_user_id').chosen();
$('select#team_member__project_access').chosen();
$('select#team_member_project_access').chosen();
//$('select#team_member_repo_access').chosen();
//$('select#team_member_project_access').chosen();

5
app/views/team_members/_show.html.haml
View File

@ -11,9 +11,6 @@
.span3
= form_for(member, :as => :team_member, :url => project_team_member_path(@project, member)) do |f|
= f.select :_project_access, options_for_select(UsersProject.access_roles, member.role_access), {}, :class => "medium project-access-select", :disabled => !allow_admin
-#.span3
-#= form_for(member, :as => :team_member, :url => project_team_member_path(@project, member)) do |f|
-#= f.select :repo_access, options_for_select(Repository.access_options, member.repo_access), {}, :class => "medium repo-access-select", :disabled => !allow_admin
= f.select :project_access, options_for_select(UsersProject.access_roles, member.project_access), {}, :class => "medium project-access-select", :disabled => !allow_admin
- if @project.owner == user
%span.label Project Owner

7
app/views/team_members/show.html.haml
View File

@ -28,13 +28,6 @@
= form_for(@team_member, :as => :team_member, :url => project_team_member_path(@project, @team_member)) do |f|
= f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select", :disabled => !allow_admin
%tr
%td Repository Access
%td
= form_for(@team_member, :as => :team_member, :url => project_team_member_path(@project, @team_member)) do |f|
= f.select :repo_access, options_for_select(Repository.access_options, @team_member.repo_access), {}, :class => "repo-access-select", :disabled => !allow_admin
- unless user.skype.empty?
%tr
%td Skype:

1
app/views/widgets/_project_member.html.haml
View File

@ -13,7 +13,6 @@
.span3
%span.label= member.project_access_human
%span.label= member.repo_access_human
- if can? current_user, :write_project, @project
- if @project.issues_enabled && @project.merge_requests_enabled

18
db/migrate/20120216085842_move_to_roles_permissions.rb Normal file
View File

@ -0,0 +1,18 @@
class MoveToRolesPermissions < ActiveRecord::Migration
def up
repo_n = 0
repo_r = 1
repo_rw = 2
project_rwa = 3
UsersProject.update_all ["project_access = ?", UsersProject::MASTER], ["project_access = ?", project_rwa]
UsersProject.update_all ["project_access = ?", UsersProject::DEVELOPER], ["repo_access = ?", repo_rw]
UsersProject.update_all ["project_access = ?", UsersProject::REPORTER], ["repo_access = ?", repo_r]
UsersProject.update_all ["project_access = ?", UsersProject::GUEST], ["repo_access = ?", repo_n]
remove_column :users_projects, :repo_access
end
def down
end
end

15
db/schema.rb
View File

@ -11,19 +11,7 @@
#
# It's strongly recommended to check this file into your version control system.
ActiveRecord::Schema.define(:version => 20120215182305) do
create_table "features", :force => true do |t|
t.string "name"
t.string "branch_name"
t.integer "assignee_id"
t.integer "author_id"
t.integer "project_id"
t.datetime "created_at"
t.datetime "updated_at"
t.string "version"
t.integer "status", :default => 0, :null => false
end
ActiveRecord::Schema.define(:version => 20120216085842) do
create_table "issues", :force => true do |t|
t.string "title"
@ -160,7 +148,6 @@ ActiveRecord::Schema.define(:version => 20120215182305) do
t.integer "project_id", :null => false
t.datetime "created_at"
t.datetime "updated_at"
t.integer "repo_access", :default => 0, :null => false
t.integer "project_access", :default => 0, :null => false
end

16
spec/models/note_spec.rb
View File

@ -64,9 +64,8 @@ describe Note do
describe :read do
before do
@p1.users_projects.create(:user => @u1, :project_access => Project::PROJECT_N)
@p1.users_projects.create(:user => @u2, :project_access => Project::PROJECT_R)
@p2.users_projects.create(:user => @u3, :project_access => Project::PROJECT_R)
@p1.users_projects.create(:user => @u2, :project_access => UsersProject::GUEST)
@p2.users_projects.create(:user => @u3, :project_access => UsersProject::GUEST)
end
it { @abilities.allowed?(@u1, :read_note, @p1).should be_false }
@ -76,9 +75,8 @@ describe Note do
describe :write do
before do
@p1.users_projects.create(:user => @u1, :project_access => Project::PROJECT_R)
@p1.users_projects.create(:user => @u2, :project_access => Project::PROJECT_RW)
@p2.users_projects.create(:user => @u3, :project_access => Project::PROJECT_RW)
@p1.users_projects.create(:user => @u2, :project_access => UsersProject::DEVELOPER)
@p2.users_projects.create(:user => @u3, :project_access => UsersProject::DEVELOPER)
end
it { @abilities.allowed?(@u1, :write_note, @p1).should be_false }
@ -88,9 +86,9 @@ describe Note do
describe :admin do
before do
@p1.users_projects.create(:user => @u1, :project_access => Project::PROJECT_R)
@p1.users_projects.create(:user => @u2, :project_access => Project::PROJECT_RWA)
@p2.users_projects.create(:user => @u3, :project_access => Project::PROJECT_RWA)
@p1.users_projects.create(:user => @u1, :project_access => UsersProject::REPORTER)
@p1.users_projects.create(:user => @u2, :project_access => UsersProject::MASTER)
@p2.users_projects.create(:user => @u3, :project_access => UsersProject::MASTER)
end
it { @abilities.allowed?(@u1, :admin_note, @p1).should be_false }

10
spec/models/project_security_spec.rb
View File

@ -12,8 +12,7 @@ describe Project do
describe "read access" do
before do
@p1.users_projects.create(:project => @p1, :user => @u1, :project_access => Project::PROJECT_N)
@p1.users_projects.create(:project => @p1, :user => @u2, :project_access => Project::PROJECT_R)
@p1.users_projects.create(:project => @p1, :user => @u2, :project_access => UsersProject::REPORTER)
end
it { @abilities.allowed?(@u1, :read_project, @p1).should be_false }
@ -22,8 +21,7 @@ describe Project do
describe "write access" do
before do
@p1.users_projects.create(:project => @p1, :user => @u1, :project_access => Project::PROJECT_R)
@p1.users_projects.create(:project => @p1, :user => @u2, :project_access => Project::PROJECT_RW)
@p1.users_projects.create(:project => @p1, :user => @u2, :project_access => UsersProject::DEVELOPER)
end
it { @abilities.allowed?(@u1, :write_project, @p1).should be_false }
@ -32,8 +30,8 @@ describe Project do
describe "admin access" do
before do
@p1.users_projects.create(:project => @p1, :user => @u1, :project_access => Project::PROJECT_RW)
@p1.users_projects.create(:project => @p1, :user => @u2, :project_access => Project::PROJECT_RWA)
@p1.users_projects.create(:project => @p1, :user => @u1, :project_access => UsersProject::DEVELOPER)
@p1.users_projects.create(:project => @p1, :user => @u2, :project_access => UsersProject::MASTER)
end
it { @abilities.allowed?(@u1, :admin_project, @p1).should be_false }

6
spec/requests/projects_security_spec.rb
View File

@ -20,11 +20,9 @@ describe "Projects" do
@u2 = Factory :user
@u3 = Factory :user
# full access
@project.users_projects.create(:user => @u1, :project_access => Project::PROJECT_RWA)
# no access
@project.users_projects.create(:user => @u2, :project_access => Project::PROJECT_N)
@project.users_projects.create(:user => @u1, :project_access => UsersProject::MASTER)
# readonly
@project.users_projects.create(:user => @u3, :project_access => Project::PROJECT_R)
@project.users_projects.create(:user => @u3, :project_access => UsersProject::REPORTER)
end
describe "GET /project_code" do

6
spec/requests/team_members_spec.rb
View File

@ -31,8 +31,7 @@ describe "TeamMembers" do
before do
within "#new_team_member" do
select @user_1.name, :from => "team_member_user_id"
select "Report", :from => "team_member_project_access"
select "Pull", :from => "team_member_repo_access"
select "Reporter", :from => "team_member_project_access"
end
end
@ -45,8 +44,7 @@ describe "TeamMembers" do
page.should have_content @user_1.name
@member.reload
@member.project_access.should == Project::PROJECT_RW
@member.repo_access.should == Repository::REPO_R
@member.project_access.should == UsersProject::REPORTER
end
end
end