Add specific ability for managing group members

2015-07-28 16:32:15 +02:00 · 2015-07-28 16:32:15 +02:00 · f9bcb9632c
parent 43d1188031
commit f9bcb9632c
5 changed files with 16 additions and 7 deletions
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@ -21,6 +21,8 @@ class Groups::GroupMembersController < Groups::ApplicationController
  end

  def create
+    return render_403 unless can?(current_user, :admin_group_member, @group)
+
    @group.add_users(params[:user_ids].split(','), params[:access_level], current_user)

    redirect_to group_group_members_path(@group), notice: 'Users were successfully added.'
@ -28,6 +30,9 @@ class Groups::GroupMembersController < Groups::ApplicationController

  def update
    @member = @group.group_members.find(params[:id])
+
+    return render_403 unless can?(current_user, :update_group_member, @member)
+
    @member.update_attributes(member_params)
  end

@ -46,6 +51,8 @@ class Groups::GroupMembersController < Groups::ApplicationController
  end

  def resend_invite
+    return render_403 unless can?(current_user, :admin_group_member, @group)
+
    redirect_path = group_group_members_path(@group)

    @group_member = @group.group_members.find(params[:id])
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -233,7 +233,8 @@ class Ability
      if group.has_owner?(user) || user.admin?
        rules.push(*[
          :admin_group,
-          :admin_namespace
+          :admin_namespace,
+          :admin_group_member
        ])
      end

@ -295,7 +296,7 @@ class Ability
      rules = []
      target_user = subject.user
      group = subject.group
-      can_manage = group_abilities(user, group).include?(:admin_group)
+      can_manage = group_abilities(user, group).include?(:admin_group_member)

      if can_manage && (user != target_user)
        rules << :update_group_member
--- a/app/views/dashboard/groups/index.html.haml
+++ b/app/views/dashboard/groups/index.html.haml
@ -23,9 +23,10 @@
              %i.fa.fa-cogs
              Settings

-          = link_to leave_group_group_members_path(group), data: { confirm: leave_group_message(group.name) }, method: :delete, class: "btn-sm btn btn-grouped", title: 'Leave this group' do
-            %i.fa.fa-sign-out
-            Leave
+          - if can?(current_user, :destroy_group_member, group_member)
+            = link_to leave_group_group_members_path(group), data: { confirm: leave_group_message(group.name) }, method: :delete, class: "btn-sm btn btn-grouped", title: 'Leave this group' do
+              %i.fa.fa-sign-out
+              Leave

        = image_tag group_icon(group), class: "avatar s40 avatar-tile hidden-xs"
        = link_to group, class: 'group-name' do
--- a/app/views/groups/group_members/_group_member.html.haml
+++ b/app/views/groups/group_members/_group_member.html.haml
@ -24,7 +24,7 @@
          = link_to member.created_by.name, user_path(member.created_by)
        = time_ago_with_tooltip(member.created_at)

-      - if show_controls && can?(current_user, :admin_group, @group)
+      - if show_controls && can?(current_user, :admin_group_member, member)
        = link_to resend_invite_group_group_member_path(@group, member), method: :post, class: "btn-xs btn", title: 'Resend invite' do
          Resend invite

--- a/app/views/groups/group_members/index.html.haml
+++ b/app/views/groups/group_members/index.html.haml
@ -17,7 +17,7 @@
      = search_field_tag :search, params[:search], { placeholder: 'Find existing member by name', class: 'form-control search-text-input' }
    = button_tag 'Search', class: 'btn'

-  - if current_user && current_user.can?(:admin_group, @group)
+  - if current_user && current_user.can?(:admin_group_member, @group)
    .pull-right
      = button_tag class: 'btn btn-new js-toggle-button', type: 'button' do
        Add members