GRN2-xx: Admin actions are now dictated by the correct role permission (#1140)

* Admin actions are now dictated by the correct role permission * Rspec fix Co-authored-by: Jesus Federico <jesus@123it.ca>
2020-04-01 10:58:13 -04:00
parent c72d77dbcb
commit 348713d4df
9 changed files with 144 additions and 27 deletions
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -27,19 +27,19 @@ class Ability
    else
      highest_role = user.highest_priority_role
      if highest_role.get_permission("can_edit_site_settings")
-        can [:index, :site_settings, :update_settings, :coloring, :registration_method], :admin
+        can [:site_settings, :update_settings, :coloring, :registration_method], :admin
      end

      if highest_role.get_permission("can_edit_roles")
-        can [:index, :roles, :new_role, :change_role_order, :update_role, :delete_role], :admin
+        can [:roles, :new_role, :change_role_order, :update_role, :delete_role], :admin
      end

      if highest_role.get_permission("can_manage_users")
-        can [:index, :roles, :edit_user, :promote, :demote, :ban_user, :unban_user,
+        can [:index, :edit_user, :promote, :demote, :ban_user, :unban_user,
             :approve, :invite, :reset, :undelete, :merge_user], :admin
      end

-      can [:index, :server_recordings, :server_rooms], :admin if highest_role.get_permission("can_manage_rooms_recordings")
+      can [:server_recordings, :server_rooms], :admin if highest_role.get_permission("can_manage_rooms_recordings")

      if !highest_role.get_permission("can_edit_site_settings") && !highest_role.get_permission("can_edit_roles") &&
         !highest_role.get_permission("can_manage_users") && !highest_role.get_permission("can_manage_rooms_recordings")
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -163,17 +163,12 @@ class User < ApplicationRecord
    update_attributes(activation_digest: User.digest(activation_token))
  end

-  def admin_of?(user)
-    if Rails.configuration.loadbalanced_configuration
-      if has_role? :super_admin
-        id != user.id
-      else
-        highest_priority_role.get_permission("can_manage_users") && (id != user.id) && (provider == user.provider) &&
-          (!user.has_role? :super_admin)
-      end
-    else
-      (highest_priority_role.get_permission("can_manage_users") || (has_role? :super_admin)) && (id != user.id)
-    end
+  def admin_of?(user, permission)
+    has_correct_permission = highest_priority_role.get_permission(permission) && id != user.id
+
+    return has_correct_permission unless Rails.configuration.loadbalanced_configuration
+    return id != user.id if has_role? :super_admin
+    has_correct_permission && provider == user.provider && !user.has_role?(:super_admin)
  end

  def self.digest(string)