Override LDAP members permissions

Closes #343

Override LDAP members permissions
Closes #343
67522fc6 · Phil Hughes · 9e32bd5d · 67522fc6 · 67522fc6 · 67522fc6
Commit 67522fc6 authored Oct 26, 2016 by Phil Hughes
5 changed files
--- a/app/assets/javascripts/members.js.es6
+++ b/app/assets/javascripts/members.js.es6
@@ -8,6 +8,12 @@
    }

    addListeners() {
+      const ldapPermissionsChangeBtns = document.querySelectorAll('.js-ldap-permissions');
+
+      ldapPermissionsChangeBtns.forEach((btn) => {
+        btn.addEventListener('click', this.showLDAPPermissionsWarning.bind(this));
+      });
+
      $('.project_member, .group_member').off('ajax:success').on('ajax:success', this.removeRow);
      $('.js-member-update-control').off('change').on('change', this.formSubmit);
      $('.js-edit-member-form').off('ajax:success').on('ajax:success', this.formSuccess);
@@ -32,6 +38,21 @@
    formSuccess() {
      $(this).find('.js-member-update-control').enable();
    }
+
+    showLDAPPermissionsWarning (e) {
+      const btn = e.currentTarget,
+            ldapPermissionsElement = this.getLDAPPermissionsElement(btn);
+
+      if (ldapPermissionsElement.style.display === 'none') {
+        ldapPermissionsElement.style.display = 'block';
+      } else {
+        ldapPermissionsElement.style.display = 'none';
+      }
+    }
+
+    getLDAPPermissionsElement (btn) {
+      return document.getElementById(btn.dataset.id).nextElementSibling;
+    }
  }

  gl.Members = Members;

--- a/app/assets/stylesheets/pages/members.scss
+++ b/app/assets/stylesheets/pages/members.scss
@@ -96,3 +96,24 @@
  border: 0;
  outline: 0;
 }
+
+.members-ldap {
+  -webkit-align-self: center;
+  align-self: center;
+  height: 100%;
+  margin-right: 10px;
+  margin-left: -49px;
+}
+
+.alert-member-ldap {
+  background-color: #fff1e0;
+
+  > p {
+    float: left;
+    color: $orange-normal;
+
+    @media (min-width: $screen-sm-min) {
+      padding-left: 55px;
+    }
+  }
+}
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -15,5 +15,7 @@ class GroupMemberPolicy < BasePolicy
    elsif @user == target_user
      can! :destroy_group_member
    end
+
+    cannot! :update_group_member if @subject.ldap
  end
 end
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -35,7 +35,7 @@ class GroupPolicy < BasePolicy
    end

    # EE-only
-    cannot! :admin_group_member if @subject.ldap_synced?
+    # cannot! :admin_group_member if @subject.ldap_synced?
  end

  def can_read_group?

--- a/app/views/shared/members/_member.html.haml
+++ b/app/views/shared/members/_member.html.haml
@@ -45,6 +45,9 @@
        = time_ago_with_tooltip(member.created_at)
  - if show_roles
    .controls.member-controls
+      - if member.ldap
+        %span.label.label-info.members-ldap
+          LDAP
      - if show_controls && (member.respond_to?(:group) && @group) || (member.respond_to?(:project) && @project)
        - if user != current_user
          = form_for member, remote: true, html: { class: 'form-horizontal js-edit-member-form' } do |f|
@@ -66,7 +69,7 @@
                    class: 'btn btn-success prepend-left-10',
                    title: 'Grant access'

-        - if can?(current_user, action_member_permission(:destroy, member), member)
+        - if can?(current_user, action_member_permission(:destroy, member), member) && !member.ldap
          - if current_user == user
            = link_to icon('sign-out', text: 'Leave'), polymorphic_path([:leave, member.source, :members]),
                      method: :delete,
@@ -82,5 +85,23 @@
              %span.visible-xs-block
                Delete
              = icon('trash', class: 'hidden-xs')
+        - elsif member.ldap
+          %button.btn.btn-default.prepend-left-10.js-ldap-permissions{ type: "button",
+            "aria-label" => "Override LDAP settings",
+            data: { name: user.name, id: dom_id(member) } }
+            = icon("pencil")
      - else
        %span.member-access-text= member.human_access
+- if member.ldap
+  %li.alert.alert-member-ldap{ style: "display: none;" }
+    %p
+      = user.name
+      is currently an LDAP user. Editing their permissions will override the settings from the LDAP group sync.
+    .controls
+      %button.btn.btn-warning{ type: "button",
+        "aria-label" => "Change LDAP member permissions" }
+        Change permissions
+      %button.btn.btn-default.js-ldap-permissions{ type: "button",
+        "aria-label" => "Close permissions override",
+        data: { id: dom_id(member) } }
+        = icon("times")