4 roles permission system

1c62ec09 · Dmitriy Zaporozhets · dac7c44a · 1c62ec09 · 1c62ec09 · 1c62ec09
Commit 1c62ec09 authored Feb 16, 2012 by Dmitriy Zaporozhets
18 changed files
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -28,7 +28,7 @@ class ProjectsController < ApplicationController
    Project.transaction do
      @project.save!
-      @project.users_projects.create!(:repo_access => Repository::REPO_RW , :project_access => Project::PROJECT_RWA, :user => current_user)
+      @project.users_projects.create!(:project_access => UsersProject::MASTER, :user => current_user)
      # when project saved no team member exist so 
      # project repository should be updated after first user add

--- a/app/models/project.rb
+++ b/app/models/project.rb
 require "grit"
 class Project < ActiveRecord::Base
-  PROJECT_N = 0
-  PROJECT_R = 1
-  PROJECT_RW = 2
-  PROJECT_RWA = 3
  belongs_to :owner, :class_name => "User"
  has_many :merge_requests, :dependent => :destroy
@@ -61,12 +56,7 @@ class Project < ActiveRecord::Base
  end
  def self.access_options
-    {
+    UsersProject.access_roles
-      "Denied" => PROJECT_N,
-      "Read"   => PROJECT_R,
-      "Report" => PROJECT_RW,
-      "Admin"  => PROJECT_RWA
-    }
  end
  def repository
@@ -193,11 +183,11 @@ class Project < ActiveRecord::Base
  # Should be rewrited for new access rights
  def add_access(user, *access)
    access = if access.include?(:admin) 
-               { :project_access => PROJECT_RWA } 
+               { :project_access => UsersProject::MASTER } 
             elsif access.include?(:write)
-               { :project_access => PROJECT_RW } 
+               { :project_access => UsersProject::DEVELOPER } 
             else
-               { :project_access => PROJECT_R } 
+               { :project_access => UsersProject::GUEST } 
             end
    opts = { :user => user }
    opts.merge!(access)
@@ -210,48 +200,48 @@ class Project < ActiveRecord::Base
  def repository_readers
    keys = Key.joins({:user => :users_projects}).
-      where("users_projects.project_id = ? AND users_projects.repo_access = ?", id, Repository::REPO_R)
+      where("users_projects.project_id = ? AND users_projects.project_access = ?", id, UsersProject::REPORTER)
    keys.map(&:identifier) + deploy_keys.map(&:identifier)
  end
  def repository_writers
    keys = Key.joins({:user => :users_projects}).
-      where("users_projects.project_id = ? AND users_projects.repo_access = ?", id, Repository::REPO_RW)
+      where("users_projects.project_id = ? AND users_projects.project_access = ?", id, UsersProject::DEVELOPER)
    keys.map(&:identifier)
  end
  def repository_masters
    keys = Key.joins({:user => :users_projects}).
-      where("users_projects.project_id = ? AND users_projects.repo_access = ?", id, Repository::REPO_MASTER)
+      where("users_projects.project_id = ? AND users_projects.project_access = ?", id, UsersProject::MASTER)
    keys.map(&:identifier)
  end
  def readers
-    @readers ||= users_projects.includes(:user).where(:project_access => [PROJECT_R, PROJECT_RW, PROJECT_RWA]).map(&:user)
+    @readers ||= users_projects.includes(:user).map(&:user)
  end
  def writers
-    @writers ||= users_projects.includes(:user).where(:project_access => [PROJECT_RW, PROJECT_RWA]).map(&:user)
+    @writers ||= users_projects.includes(:user).map(&:user)
  end
  def admins
-    @admins ||= users_projects.includes(:user).where(:project_access => PROJECT_RWA).map(&:user)
+    @admins ||= users_projects.includes(:user).where(:project_access => UsersProject::MASTER).map(&:user)
  end
  def allow_read_for?(user)
-    !users_projects.where(:user_id => user.id, :project_access => [PROJECT_R, PROJECT_RW, PROJECT_RWA]).empty?
+    !users_projects.where(:user_id => user.id).empty?
  end
  def allow_write_for?(user)
-    !users_projects.where(:user_id => user.id, :project_access => [PROJECT_RW, PROJECT_RWA]).empty?
+    !users_projects.where(:user_id => user.id).empty?
  end
  def allow_admin_for?(user)
-    !users_projects.where(:user_id => user.id, :project_access => [PROJECT_RWA]).empty? || owner_id == user.id
+    !users_projects.where(:user_id => user.id, :project_access => [UsersProject::MASTER]).empty? || owner_id == user.id
  end
  def allow_pull_for?(user)
-    !users_projects.where(:user_id => user.id, :repo_access => [Repository::REPO_R, Repository::REPO_RW, Repository::REPO_MASTER]).empty?
+    !users_projects.where(:user_id => user.id, :project_access => [UsersProject::REPORTER, UsersProject::DEVELOPER, UsersProject::MASTER]).empty?
  end
  def root_ref 

--- a/app/models/repository.rb
+++ b/app/models/repository.rb
 require File.join(Rails.root, "lib", "gitlabhq", "git_host")
 class Repository
-  REPO_N = 0
-  REPO_R = 1
-  REPO_RW = 2
-  REPO_MASTER = 3
  attr_accessor :project
  def self.default_ref
@@ -13,12 +8,7 @@ class Repository
  end
  def self.access_options
-    {
+    {}
-      "Denied"      => REPO_N,
-      "Pull"        => REPO_R,
-      "Pull & Push" => REPO_RW,
-      "Master"      => REPO_MASTER
-    }
  end
  def initialize(project)

--- a/app/models/users_project.rb
+++ b/app/models/users_project.rb
 class UsersProject < ActiveRecord::Base
-  REPORTER = 21
+  GUEST     = 10
-  DEVELOPER = 22
+  REPORTER  = 20
-  MASTER = 33
+  DEVELOPER = 30
+  MASTER    = 40
  belongs_to :user
  belongs_to :project
@@ -21,7 +22,6 @@ class UsersProject < ActiveRecord::Base
    UsersProject.transaction do
      user_ids.each do |user_id|
        users_project = UsersProject.new(
-          :repo_access => repo_access,
          :project_access => project_access,
          :user_id => user_id
        )
@@ -35,7 +35,6 @@ class UsersProject < ActiveRecord::Base
    UsersProject.transaction do
      project_ids.each do |project_id|
        users_project = UsersProject.new(
-          :repo_access => repo_access,
          :project_access => project_access,
        )
        users_project.project_id = project_id
@@ -47,6 +46,7 @@ class UsersProject < ActiveRecord::Base
  def self.access_roles
    {
+      "Guest"   => GUEST,
      "Reporter"   => REPORTER,
      "Developer" => DEVELOPER,
      "Master"  => MASTER
@@ -54,7 +54,7 @@ class UsersProject < ActiveRecord::Base
  end
  def role_access
-    "#{project_access}#{repo_access}"
+    project_access
  end
  def update_repository
@@ -68,7 +68,7 @@ class UsersProject < ActiveRecord::Base
  end
  def repo_access_human
-    Repository.access_options.key(self.repo_access)
+    ""
  end
 end
 # == Schema Information

--- a/app/views/admin/projects/show.html.haml
+++ b/app/views/admin/projects/show.html.haml
@@ -53,7 +53,6 @@
        %td
          = link_to tm.user_name, admin_users_path(tm.user)
        %td= select_tag :tm_project_access, options_for_select(Project.access_options, tm.project_access), :class => "medium project-access-select", :disabled => :disabled
-        %td= select_tag :tm_repo_access, options_for_select(Repository.access_options, tm.repo_access), :class => "medium repo-access-select", :disabled => :disabled
        %td= link_to 'Edit Access', edit_admin_team_member_path(tm), :class => "btn small"
        %td= link_to 'Remove from team', admin_team_member_path(tm), :confirm => 'Are you sure?', :method => :delete, :class => "btn danger small"
@@ -68,7 +67,6 @@
      %tr
        %td= select_tag :user_ids, options_from_collection_for_select(@users , :id, :name),  :multiple => true
        %td= select_tag :project_access, options_for_select(Project.access_options), :class => "project-access-select"
-        %td= select_tag :repo_access, options_for_select(Repository.access_options), :class => "repo-access-select"
    .actions
      = submit_tag 'Add', :class => "btn primary"

--- a/app/views/admin/team_members/_form.html.haml
+++ b/app/views/admin/team_members/_form.html.haml
@@ -10,10 +10,6 @@
    .input
      = f.select :project_access, options_for_select(Project.access_options, @admin_team_member.project_access), {}, :class => "project-access-select"
-  .clearfix
-    %label Repository Access:
-    .input
-      = f.select :repo_access, options_for_select(Repository.access_options, @admin_team_member.repo_access), {}, :class => "repo-access-select"
  %br
  .actions
    = f.submit 'Save', :class => "btn primary"

--- a/app/views/admin/users/show.html.haml
+++ b/app/views/admin/users/show.html.haml
@@ -61,7 +61,6 @@
    %tr
      %td= link_to project.name, admin_project_path(project)
      %td= select_tag :tm_project_access, options_for_select(Project.access_options, tm.project_access), :class => "medium project-access-select", :disabled => :disabled
-      %td= select_tag :tm_repo_access, options_for_select(Repository.access_options, tm.repo_access), :class => "medium repo-access-select", :disabled => :disabled
      %td= link_to 'Edit Access', edit_admin_team_member_path(tm), :class => "btn small"
      %td= link_to 'Remove from team', admin_team_member_path(tm), :confirm => 'Are you sure?', :method => :delete, :class => "btn small danger"
@@ -76,7 +75,6 @@
    %tr
      %td= select_tag :project_ids, options_from_collection_for_select(@projects , :id, :name),  :multiple => true
      %td= select_tag :project_access, options_for_select(Project.access_options), :class => "project-access-select"
-      %td= select_tag :repo_access, options_for_select(Repository.access_options), :class => "repo-access-select"
  .actions
    = submit_tag 'Add', :class => "btn primary"

--- a/app/views/help/permissions.html.haml
+++ b/app/views/help/permissions.html.haml
 %h3 Permissions
 %hr
+%h4 Reporter
+%ul
+  %li Create new issue
+  %li Create new merge request
+  %li Write on project wall
 %h4 Reporter
 %ul
  %li Pull project code

--- a/app/views/team_members/_form.html.haml
+++ b/app/views/team_members/_form.html.haml
@@ -14,18 +14,9 @@
  .clearfix
    = f.label :project_access, "Project Access"
-    .input= f.select :_project_access, options_for_select(UsersProject.access_roles, @team_member.role_access), {}, :class => "project-access-select"
+    .input= f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select"
-  -#.clearfix
-    -#= f.label :project_access, "Project Access"
-    -#.input= f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select"
-  -#.clearfix
-    -#= f.label :repo_access, "Repository Access"
-    -#.input= f.select :repo_access, options_for_select(Repository.access_options, @team_member.repo_access), {}, :class => "repo-access-select"
  .actions
    = f.submit 'Save', :class => "btn primary"
    = link_to "Cancel", team_project_path(@project), :class => "btn"
@@ -37,6 +28,6 @@
 :javascript
  $('select#team_member_user_id').chosen();
-  $('select#team_member__project_access').chosen();
+  $('select#team_member_project_access').chosen();
  //$('select#team_member_repo_access').chosen();
  //$('select#team_member_project_access').chosen();
--- a/app/views/team_members/_show.html.haml
+++ b/app/views/team_members/_show.html.haml
@@ -11,9 +11,6 @@
    .span3
      = form_for(member, :as => :team_member, :url => project_team_member_path(@project, member)) do |f|
-        = f.select :_project_access, options_for_select(UsersProject.access_roles, member.role_access), {}, :class => "medium project-access-select", :disabled => !allow_admin
+        = f.select :project_access, options_for_select(UsersProject.access_roles, member.project_access), {}, :class => "medium project-access-select", :disabled => !allow_admin
-    -#.span3
-      -#= form_for(member, :as => :team_member, :url => project_team_member_path(@project, member)) do |f|
-        -#= f.select :repo_access, options_for_select(Repository.access_options, member.repo_access), {}, :class => "medium repo-access-select", :disabled => !allow_admin
    - if @project.owner == user
      %span.label Project Owner
--- a/app/views/team_members/show.html.haml
+++ b/app/views/team_members/show.html.haml
@@ -28,13 +28,6 @@
      = form_for(@team_member, :as => :team_member, :url => project_team_member_path(@project, @team_member)) do |f|
        = f.select :project_access, options_for_select(Project.access_options, @team_member.project_access), {}, :class => "project-access-select", :disabled => !allow_admin
-  %tr
-    %td Repository Access
-    %td
-      = form_for(@team_member, :as => :team_member, :url => project_team_member_path(@project, @team_member)) do |f|
-        = f.select :repo_access, options_for_select(Repository.access_options, @team_member.repo_access), {}, :class => "repo-access-select", :disabled => !allow_admin
  - unless user.skype.empty?
    %tr
      %td Skype:

--- a/app/views/widgets/_project_member.html.haml
+++ b/app/views/widgets/_project_member.html.haml
@@ -13,7 +13,6 @@
    .span3
      %span.label= member.project_access_human
-      %span.label= member.repo_access_human
  - if can? current_user, :write_project, @project
    - if @project.issues_enabled && @project.merge_requests_enabled

--- a/db/migrate/20120216085842_move_to_roles_permissions.rb
+++ b/db/migrate/20120216085842_move_to_roles_permissions.rb
+class MoveToRolesPermissions < ActiveRecord::Migration
+  def up
+    repo_n = 0
+    repo_r = 1
+    repo_rw = 2
+    project_rwa = 3
+    UsersProject.update_all ["project_access = ?", UsersProject::MASTER], ["project_access = ?", project_rwa]
+    UsersProject.update_all ["project_access = ?", UsersProject::DEVELOPER], ["repo_access = ?", repo_rw]
+    UsersProject.update_all ["project_access = ?", UsersProject::REPORTER], ["repo_access = ?", repo_r]
+    UsersProject.update_all ["project_access = ?", UsersProject::GUEST], ["repo_access = ?", repo_n]
+    remove_column :users_projects, :repo_access
+  end
+  def down
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,19 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.
-ActiveRecord::Schema.define(:version => 20120215182305) do
+ActiveRecord::Schema.define(:version => 20120216085842) do
-  create_table "features", :force => true do |t|
-    t.string   "name"
-    t.string   "branch_name"
-    t.integer  "assignee_id"
-    t.integer  "author_id"
-    t.integer  "project_id"
-    t.datetime "created_at"
-    t.datetime "updated_at"
-    t.string   "version"
-    t.integer  "status",      :default => 0, :null => false
-  end
  create_table "issues", :force => true do |t|
    t.string   "title"
@@ -160,7 +148,6 @@ ActiveRecord::Schema.define(:version => 20120215182305) do
    t.integer  "project_id",                    :null => false
    t.datetime "created_at"
    t.datetime "updated_at"
-    t.integer  "repo_access",    :default => 0, :null => false
    t.integer  "project_access", :default => 0, :null => false
  end

--- a/spec/models/note_spec.rb
+++ b/spec/models/note_spec.rb
@@ -64,9 +64,8 @@ describe Note do
    describe :read do
      before do
-        @p1.users_projects.create(:user => @u1, :project_access => Project::PROJECT_N)
+        @p1.users_projects.create(:user => @u2, :project_access => UsersProject::GUEST)
-        @p1.users_projects.create(:user => @u2, :project_access => Project::PROJECT_R)
+        @p2.users_projects.create(:user => @u3, :project_access => UsersProject::GUEST)
-        @p2.users_projects.create(:user => @u3, :project_access => Project::PROJECT_R)
      end
      it { @abilities.allowed?(@u1, :read_note, @p1).should be_false }
@@ -76,9 +75,8 @@ describe Note do
    describe :write do
      before do
-        @p1.users_projects.create(:user => @u1, :project_access => Project::PROJECT_R)
+        @p1.users_projects.create(:user => @u2, :project_access => UsersProject::DEVELOPER)
-        @p1.users_projects.create(:user => @u2, :project_access => Project::PROJECT_RW)
+        @p2.users_projects.create(:user => @u3, :project_access => UsersProject::DEVELOPER)
-        @p2.users_projects.create(:user => @u3, :project_access => Project::PROJECT_RW)
      end
      it { @abilities.allowed?(@u1, :write_note, @p1).should be_false }
@@ -88,9 +86,9 @@ describe Note do
    describe :admin do
      before do
-        @p1.users_projects.create(:user => @u1, :project_access => Project::PROJECT_R)
+        @p1.users_projects.create(:user => @u1, :project_access => UsersProject::REPORTER)
-        @p1.users_projects.create(:user => @u2, :project_access => Project::PROJECT_RWA)
+        @p1.users_projects.create(:user => @u2, :project_access => UsersProject::MASTER)
-        @p2.users_projects.create(:user => @u3, :project_access => Project::PROJECT_RWA)
+        @p2.users_projects.create(:user => @u3, :project_access => UsersProject::MASTER)
      end
      it { @abilities.allowed?(@u1, :admin_note, @p1).should be_false }

--- a/spec/models/project_security_spec.rb
+++ b/spec/models/project_security_spec.rb
@@ -12,8 +12,7 @@ describe Project do
    describe "read access" do
      before do
-        @p1.users_projects.create(:project => @p1, :user => @u1, :project_access => Project::PROJECT_N)
+        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => UsersProject::REPORTER)
-        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => Project::PROJECT_R)
      end
      it { @abilities.allowed?(@u1, :read_project, @p1).should be_false }
@@ -22,8 +21,7 @@ describe Project do
    describe "write access" do
      before do
-        @p1.users_projects.create(:project => @p1, :user => @u1, :project_access => Project::PROJECT_R)
+        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => UsersProject::DEVELOPER)
-        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => Project::PROJECT_RW)
      end
      it { @abilities.allowed?(@u1, :write_project, @p1).should be_false }
@@ -32,8 +30,8 @@ describe Project do
    describe "admin access" do
      before do
-        @p1.users_projects.create(:project => @p1, :user => @u1, :project_access => Project::PROJECT_RW)
+        @p1.users_projects.create(:project => @p1, :user => @u1, :project_access => UsersProject::DEVELOPER)
-        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => Project::PROJECT_RWA)
+        @p1.users_projects.create(:project => @p1, :user => @u2, :project_access => UsersProject::MASTER)
      end
      it { @abilities.allowed?(@u1, :admin_project, @p1).should be_false }

--- a/spec/requests/projects_security_spec.rb
+++ b/spec/requests/projects_security_spec.rb
@@ -20,11 +20,9 @@ describe "Projects" do
      @u2 = Factory :user
      @u3 = Factory :user
      # full access
-      @project.users_projects.create(:user => @u1, :project_access => Project::PROJECT_RWA)
+      @project.users_projects.create(:user => @u1, :project_access => UsersProject::MASTER)
-      # no access
-      @project.users_projects.create(:user => @u2, :project_access => Project::PROJECT_N)
      # readonly
-      @project.users_projects.create(:user => @u3, :project_access => Project::PROJECT_R)
+      @project.users_projects.create(:user => @u3, :project_access => UsersProject::REPORTER)
    end
    describe "GET /project_code" do

--- a/spec/requests/team_members_spec.rb
+++ b/spec/requests/team_members_spec.rb
@@ -31,8 +31,7 @@ describe "TeamMembers" do
      before do
        within "#new_team_member" do 
          select @user_1.name, :from => "team_member_user_id"
-          select "Report", :from => "team_member_project_access"
+          select "Reporter", :from => "team_member_project_access"
-          select "Pull",   :from => "team_member_repo_access"
        end
      end
@@ -45,8 +44,7 @@ describe "TeamMembers" do
        page.should have_content @user_1.name
        @member.reload
-        @member.project_access.should == Project::PROJECT_RW
+        @member.project_access.should == UsersProject::REPORTER
-        @member.repo_access.should == Repository::REPO_R
      end
    end
  end