forked from External/greenlight
Change permissions from columns to table entries (#762)
This commit is contained in:
shawn-higgins1
committed by
farhatahmad
farhatahmad
parent
01b8dbbd0e
commit
666231db6c
@ -128,7 +128,7 @@ module Emailer
|
||||
end
|
||||
|
||||
def admin_emails
|
||||
admins = User.all_users_with_roles.where(roles: { can_manage_users: true })
|
||||
admins = User.all_users_with_roles.where(roles: { role_permissions: { name: "can_manage_users", value: "true" } })
|
||||
|
||||
if Rails.configuration.loadbalanced_configuration
|
||||
admins = admins.without_role(:super_admin)
|
||||
|
||||
@ -48,7 +48,7 @@ module Rolify
|
||||
# Updates a user's roles
|
||||
def update_roles(roles)
|
||||
# Check that the user can manage users
|
||||
return true unless current_user.highest_priority_role.can_manage_users
|
||||
return true unless current_user.highest_priority_role.get_permission("can_manage_users")
|
||||
|
||||
new_roles = roles.split(' ').map(&:to_i)
|
||||
old_roles = @user.roles.pluck(:id)
|
||||
@ -89,8 +89,8 @@ module Rolify
|
||||
end
|
||||
|
||||
# Send promoted/demoted emails
|
||||
added_roles.each { |role| send_user_promoted_email(@user, role) if role.send_promoted_email }
|
||||
removed_roles.each { |role| send_user_demoted_email(@user, role) if role.send_demoted_email }
|
||||
added_roles.each { |role| send_user_promoted_email(@user, role) if role.get_permission("send_promoted_email") }
|
||||
removed_roles.each { |role| send_user_demoted_email(@user, role) if role.get_permission("send_demoted_email") }
|
||||
|
||||
# Update the roles
|
||||
@user.roles.delete(removed_roles)
|
||||
@ -143,6 +143,16 @@ module Rolify
|
||||
permission_params = params.require(:role).permit(:can_create_rooms, :send_promoted_email,
|
||||
:send_demoted_email, :can_edit_site_settings, :can_edit_roles, :can_manage_users, :colour)
|
||||
|
||||
permission_params.transform_values! do |v|
|
||||
if v == "0"
|
||||
"false"
|
||||
elsif v == "1"
|
||||
"true"
|
||||
else
|
||||
v
|
||||
end
|
||||
end
|
||||
|
||||
# Role is a default role so users can't change the name
|
||||
role_params[:name] = role.name if Role::RESERVED_ROLE_NAMES.include?(role.name)
|
||||
|
||||
@ -154,7 +164,8 @@ module Rolify
|
||||
return false
|
||||
end
|
||||
|
||||
role.update(permission_params)
|
||||
role.update(colour: permission_params[:colour])
|
||||
role.update_all_role_permissions(permission_params)
|
||||
|
||||
role.save!
|
||||
end
|
||||
|
||||
@ -58,7 +58,7 @@ class RecordingsController < ApplicationController
|
||||
# Ensure the user is logged into the room they are accessing.
|
||||
def verify_room_ownership
|
||||
if !current_user || (!@room.owned_by?(current_user) &&
|
||||
!current_user.highest_priority_role.can_edit_site_settings &&
|
||||
!current_user.highest_priority_role.get_permission("can_edit_site_settings") &&
|
||||
!current_user.has_role?(:super_admin))
|
||||
redirect_to root_path
|
||||
end
|
||||
|
||||
@ -63,7 +63,7 @@ class RoomsController < ApplicationController
|
||||
|
||||
# If its the current user's room
|
||||
if current_user && @room.owned_by?(current_user)
|
||||
if current_user.highest_priority_role.can_create_rooms
|
||||
if current_user.highest_priority_role.get_permission("can_create_rooms")
|
||||
# User is allowed to have rooms
|
||||
@search, @order_column, @order_direction, recs =
|
||||
recordings(@room.bbb_id, params.permit(:search, :column, :direction), true)
|
||||
|
||||
@ -26,20 +26,21 @@ class Ability
|
||||
can :manage, :all
|
||||
else
|
||||
highest_role = user.highest_priority_role
|
||||
if highest_role.can_edit_site_settings
|
||||
if highest_role.get_permission("can_edit_site_settings")
|
||||
can [:index, :site_settings, :server_recordings, :update_settings, :coloring, :registration_method], :admin
|
||||
end
|
||||
|
||||
if highest_role.can_edit_roles
|
||||
if highest_role.get_permission("can_edit_roles")
|
||||
can [:index, :roles, :new_role, :change_role_order, :update_role, :delete_role], :admin
|
||||
end
|
||||
|
||||
if highest_role.can_manage_users
|
||||
if highest_role.get_permission("can_manage_users")
|
||||
can [:index, :roles, :edit_user, :promote, :demote, :ban_user, :unban_user,
|
||||
:approve, :invite, :reset], :admin
|
||||
end
|
||||
|
||||
if !highest_role.can_edit_site_settings && !highest_role.can_edit_roles && !highest_role.can_manage_users
|
||||
if !highest_role.get_permission("can_edit_site_settings") && !highest_role.get_permission("can_edit_roles") &&
|
||||
!highest_role.get_permission("can_manage_users")
|
||||
cannot :manage, AdminsController
|
||||
end
|
||||
end
|
||||
|
||||
@ -18,6 +18,7 @@
|
||||
|
||||
class Role < ApplicationRecord
|
||||
has_and_belongs_to_many :users, join_table: :users_roles
|
||||
has_many :role_permissions
|
||||
|
||||
default_scope { order(:priority) }
|
||||
scope :by_priority, -> { order(:priority) }
|
||||
@ -30,15 +31,18 @@ class Role < ApplicationRecord
|
||||
end
|
||||
|
||||
def self.create_default_roles(provider)
|
||||
Role.create(name: "user", provider: provider, priority: 1, can_create_rooms: true, colour: "#868e96")
|
||||
Role.create(name: "admin", provider: provider, priority: 0, can_create_rooms: true, send_promoted_email: true,
|
||||
Role.create(name: "user", provider: provider, priority: 1, colour: "#868e96")
|
||||
.update_all_role_permissions(can_create_rooms: true)
|
||||
Role.create(name: "admin", provider: provider, priority: 0, colour: "#f1c40f")
|
||||
.update_all_role_permissions(can_create_rooms: true, send_promoted_email: true,
|
||||
send_demoted_email: true, can_edit_site_settings: true,
|
||||
can_edit_roles: true, can_manage_users: true, colour: "#f1c40f")
|
||||
Role.create(name: "pending", provider: provider, priority: -1, colour: "#17a2b8")
|
||||
Role.create(name: "denied", provider: provider, priority: -1, colour: "#343a40")
|
||||
Role.create(name: "super_admin", provider: provider, priority: -2, can_create_rooms: true,
|
||||
can_edit_roles: true, can_manage_users: true)
|
||||
Role.create(name: "pending", provider: provider, priority: -1, colour: "#17a2b8").update_all_role_permissions
|
||||
Role.create(name: "denied", provider: provider, priority: -1, colour: "#343a40").update_all_role_permissions
|
||||
Role.create(name: "super_admin", provider: provider, priority: -2, colour: "#cd201f")
|
||||
.update_all_role_permissions(can_create_rooms: true,
|
||||
send_promoted_email: true, send_demoted_email: true, can_edit_site_settings: true,
|
||||
can_edit_roles: true, can_manage_users: true, colour: "#cd201f")
|
||||
can_edit_roles: true, can_manage_users: true)
|
||||
end
|
||||
|
||||
def self.create_new_role(role_name, provider)
|
||||
@ -56,4 +60,37 @@ class Role < ApplicationRecord
|
||||
|
||||
role
|
||||
end
|
||||
|
||||
def update_all_role_permissions(permissions = {})
|
||||
update_permission("can_create_rooms", permissions[:can_create_rooms].to_s)
|
||||
update_permission("send_promoted_email", permissions[:send_promoted_email].to_s)
|
||||
update_permission("send_demoted_email", permissions[:send_demoted_email].to_s)
|
||||
update_permission("can_edit_site_settings", permissions[:can_edit_site_settings].to_s)
|
||||
update_permission("can_edit_roles", permissions[:can_edit_roles].to_s)
|
||||
update_permission("can_manage_users", permissions[:can_manage_users].to_s)
|
||||
end
|
||||
|
||||
# Updates the value of the permission and enables it
|
||||
def update_permission(name, value)
|
||||
permission = role_permissions.find_or_create_by!(name: name)
|
||||
|
||||
permission.update_attributes(value: value, enabled: true)
|
||||
end
|
||||
|
||||
# Returns the value if enabled or the default if not enabled
|
||||
def get_permission(name, return_boolean = true)
|
||||
permission = role_permissions.find_or_create_by!(name: name)
|
||||
|
||||
value = if permission[:enabled]
|
||||
permission[:value]
|
||||
else
|
||||
"false"
|
||||
end
|
||||
|
||||
if return_boolean
|
||||
value == "true"
|
||||
else
|
||||
value
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
5
app/models/role_permission.rb
Normal file
5
app/models/role_permission.rb
Normal file
@ -0,0 +1,5 @@
|
||||
# frozen_string_literal: true
|
||||
|
||||
class RolePermission < ApplicationRecord
|
||||
belongs_to :role
|
||||
end
|
||||
@ -29,7 +29,7 @@ class User < ApplicationRecord
|
||||
has_many :rooms
|
||||
belongs_to :main_room, class_name: 'Room', foreign_key: :room_id, required: false
|
||||
|
||||
has_and_belongs_to_many :roles, join_table: :users_roles
|
||||
has_and_belongs_to_many :roles, -> { includes :role_permissions }, join_table: :users_roles
|
||||
|
||||
validates :name, length: { maximum: 256 }, presence: true
|
||||
validates :provider, presence: true
|
||||
@ -163,11 +163,11 @@ class User < ApplicationRecord
|
||||
if has_role? :super_admin
|
||||
id != user.id
|
||||
else
|
||||
highest_priority_role.can_manage_users && (id != user.id) && (provider == user.provider) &&
|
||||
highest_priority_role.get_permission("can_manage_users") && (id != user.id) && (provider == user.provider) &&
|
||||
(!user.has_role? :super_admin)
|
||||
end
|
||||
else
|
||||
(highest_priority_role.can_manage_users || (has_role? :super_admin)) && (id != user.id)
|
||||
(highest_priority_role.get_permission("can_manage_users") || (has_role? :super_admin)) && (id != user.id)
|
||||
end
|
||||
end
|
||||
|
||||
@ -230,7 +230,7 @@ class User < ApplicationRecord
|
||||
|
||||
def self.all_users_with_roles
|
||||
User.joins("INNER JOIN users_roles ON users_roles.user_id = users.id INNER JOIN roles " \
|
||||
"ON roles.id = users_roles.role_id")
|
||||
"ON roles.id = users_roles.role_id INNER JOIN role_permissions ON roles.id = role_permissions.role_id").distinct
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
@ -16,12 +16,12 @@
|
||||
<div class="list-group list-group-transparent mb-0">
|
||||
<% highest_role = current_user.highest_priority_role %>
|
||||
<% highest_role.name %>
|
||||
<% if highest_role.can_manage_users || highest_role.name == "super_admin" %>
|
||||
<% if highest_role.get_permission("can_manage_users") || highest_role.name == "super_admin" %>
|
||||
<%= link_to admins_path, class: "list-group-item list-group-item-action dropdown-item #{"active" if active_page == "index"}" do %>
|
||||
<span class="icon mr-3"><i class="fas fa-users"></i></span><%= t("administrator.users.title") %>
|
||||
<% end %>
|
||||
<% end %>
|
||||
<% if highest_role.can_edit_site_settings || highest_role.name == "super_admin" %>
|
||||
<% if highest_role.get_permission("can_edit_site_settings") || highest_role.name == "super_admin" %>
|
||||
<%= link_to admin_recordings_path, class: "list-group-item list-group-item-action dropdown-item #{"active" if active_page == "server_recordings"}" do %>
|
||||
<span class="icon mr-4"><i class="fas fa-video"></i></i></span><%= t("administrator.recordings.title") %>
|
||||
<% end %>
|
||||
@ -29,7 +29,7 @@
|
||||
<span class="icon mr-4"><i class="fas fa-cogs"></i></span><%= t("administrator.site_settings.title") %>
|
||||
<% end %>
|
||||
<% end %>
|
||||
<% if highest_role.can_edit_roles || highest_role.name == "super_admin" %>
|
||||
<% if highest_role.get_permission("can_edit_roles") || highest_role.name == "super_admin" %>
|
||||
<%= link_to admin_roles_path, class: "list-group-item list-group-item-action dropdown-item #{"active" if active_page == "roles"}" do %>
|
||||
<span class="icon mr-4"><i class="fas fa-user-tag"></i></i></span><%= t("administrator.roles.title") %>
|
||||
<% end %>
|
||||
|
||||
@ -33,7 +33,7 @@
|
||||
</div>
|
||||
</div>
|
||||
<div class="col-lg-9 <%="form-disable" if edit_disabled %>">
|
||||
<%= form_for(@selected_role, url: admin_update_role_path(@selected_role.id), method: :post) do |f| %>
|
||||
<%= form_with model: @selected_role, url: admin_update_role_path(@selected_role.id), method: :post do |f| %>
|
||||
<%= f.label t('administrator.roles.name'), class: "form-label" %>
|
||||
<%= f.text_field :name, class: 'form-control mb-3', value: translated_role_name(@selected_role), readonly: edit_disabled || @selected_role.name == "user" || @selected_role.name == "admin", required: true %>
|
||||
|
||||
@ -48,34 +48,34 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.can_create_rooms %>">
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.get_permission("can_create_rooms") %>">
|
||||
<span class="ml-0 custom-switch-description"><%= t("administrator.roles.can_create_rooms")%></span>
|
||||
<%= f.check_box :can_create_rooms, class: "custom-switch-input", disabled: edit_disabled || !current_role.can_create_rooms %>
|
||||
<%= f.check_box :can_create_rooms, checked: @selected_role.get_permission("can_create_rooms"), class: "custom-switch-input", disabled: edit_disabled || !current_role.get_permission("can_create_rooms") %>
|
||||
<span class="custom-switch-indicator float-right"></span>
|
||||
</label>
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.send_promoted_email %>">
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.get_permission("send_promoted_email") %>">
|
||||
<span class="ml-0 custom-switch-description"><%= t("administrator.roles.promote_email")%></span>
|
||||
<%= f.check_box :send_promoted_email, class: "custom-switch-input", disabled: edit_disabled || !current_role.send_promoted_email %>
|
||||
<%= f.check_box :send_promoted_email, checked: @selected_role.get_permission("send_promoted_email"), class: "custom-switch-input", disabled: edit_disabled || !current_role.get_permission("send_promoted_email") %>
|
||||
<span class="custom-switch-indicator float-right"></span>
|
||||
</label>
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.send_demoted_email %>">
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.get_permission("send_demoted_email") %>">
|
||||
<span class="ml-0 custom-switch-description"><%= t("administrator.roles.demote_email")%></span>
|
||||
<%= f.check_box :send_demoted_email, class: "custom-switch-input", disabled: edit_disabled || !current_role.send_demoted_email %>
|
||||
<%= f.check_box :send_demoted_email, checked: @selected_role.get_permission("send_demoted_email"), class: "custom-switch-input", disabled: edit_disabled || !current_role.get_permission("send_demoted_email") %>
|
||||
<span class="custom-switch-indicator float-right"></span>
|
||||
</label>
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.can_edit_site_settings %>">
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.get_permission("can_edit_site_settings") %>">
|
||||
<span class="ml-0 custom-switch-description"><%= t("administrator.roles.edit_site_settings")%></span>
|
||||
<%= f.check_box :can_edit_site_settings, class: "custom-switch-input", disabled: edit_disabled || !current_role.can_edit_site_settings %>
|
||||
<%= f.check_box :can_edit_site_settings, checked: @selected_role.get_permission("can_edit_site_settings"), class: "custom-switch-input", disabled: edit_disabled || !current_role.get_permission("can_edit_site_settings") %>
|
||||
<span class="custom-switch-indicator float-right"></span>
|
||||
</label>
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.can_edit_roles %>">
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.get_permission("can_edit_roles") %>">
|
||||
<span class="ml-0 custom-switch-description"><%= t("administrator.roles.edit_roles")%></span>
|
||||
<%= f.check_box :can_edit_roles, class: "custom-switch-input", disabled: edit_disabled || !current_role.can_edit_roles %>
|
||||
<%= f.check_box :can_edit_roles, checked: @selected_role.get_permission("can_edit_roles"), class: "custom-switch-input", disabled: edit_disabled || !current_role.get_permission("can_edit_roles") %>
|
||||
<span class="custom-switch-indicator float-right"></span>
|
||||
</label>
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.can_manage_users %>">
|
||||
<label class="custom-switch pl-0 mt-3 mb-3 w-100 text-left d-inline-block <%="form-disable" if !current_role.get_permission("can_manage_users") %>">
|
||||
<span class="ml-0 custom-switch-description"><%= t("administrator.roles.manage_users")%></span>
|
||||
<%= f.check_box :can_manage_users, class: "custom-switch-input", disabled: edit_disabled || !current_role.can_manage_users %>
|
||||
<%= f.check_box :can_manage_users, checked: @selected_role.get_permission("can_manage_users"), class: "custom-switch-input", disabled: edit_disabled || !current_role.get_permission("can_manage_users") %>
|
||||
<span class="custom-switch-indicator float-right"></span>
|
||||
</label>
|
||||
|
||||
|
||||
@ -34,7 +34,7 @@
|
||||
<i class="fas fa-home pr-1 "></i> <%= t("header.dropdown.home") %>
|
||||
<% end %>
|
||||
|
||||
<% if current_user.highest_priority_role.can_create_rooms %>
|
||||
<% if current_user.highest_priority_role.get_permission("can_create_rooms") %>
|
||||
<% all_rec_page = params[:controller] == "users" && params[:action] == "recordings" ? "active" : "" %>
|
||||
<%= link_to get_user_recordings_path(current_user), class: "px-3 mx-1 mt-1 header-nav #{all_rec_page}" do %>
|
||||
<i class="fas fa-video pr-1"></i> <%= t("header.all_recordings") %>
|
||||
@ -59,15 +59,15 @@
|
||||
<i class="dropdown-icon fas fa-id-card mr-3"></i><%= t("header.dropdown.settings") %>
|
||||
<% end %>
|
||||
<% highest_role = current_user.highest_priority_role %>
|
||||
<% if highest_role.can_manage_users || highest_role.name == "super_admin" %>
|
||||
<% if highest_role.get_permission("can_manage_users") || highest_role.name == "super_admin" %>
|
||||
<%= link_to admins_path, class: "dropdown-item" do %>
|
||||
<i class="dropdown-icon fas fa-user-tie mr-3"></i><%= t("header.dropdown.account_settings") %>
|
||||
<% end %>
|
||||
<% elsif highest_role.can_edit_site_settings %>
|
||||
<% elsif highest_role.get_permission("can_edit_site_settings") %>
|
||||
<%= link_to admin_site_settings_path, class: "dropdown-item" do %>
|
||||
<i class="dropdown-icon fas fa-user-tie mr-3"></i><%= t("header.dropdown.account_settings") %>
|
||||
<% end %>
|
||||
<% elsif highest_role.can_edit_roles%>
|
||||
<% elsif highest_role.get_permission("can_edit_roles")%>
|
||||
<%= link_to admin_roles_path, class: "dropdown-item" do %>
|
||||
<i class="dropdown-icon fas fa-user-tie mr-3"></i><%= t("header.dropdown.account_settings") %>
|
||||
<% end %>
|
||||
|
||||
@ -46,7 +46,7 @@
|
||||
<% @user.roles.by_priority.each do |role| %>
|
||||
<span id="<%= "user-role-tag_#{role.id}" %>" style="<%= "background-color: #{role_colour(role)};border-color: #{role_colour(role)};" %>" class="tag user-role-tag">
|
||||
<%= translated_role_name(role) %>
|
||||
<% if (current_user_role.can_manage_users || current_user_role.name == "super_admin") && (role.priority > current_user_role.priority || current_user_role.name == "admin") %>
|
||||
<% if (current_user_role.get_permission("can_manage_users") || current_user_role.name == "super_admin") && (role.priority > current_user_role.priority || current_user_role.name == "admin") %>
|
||||
<a data-role-id="<%= role.id %>" class="tag-addon clear-role">
|
||||
<i data-role-id="<%= role.id %>" class="fas fa-times"></i>
|
||||
</a>
|
||||
@ -54,11 +54,11 @@
|
||||
</span>
|
||||
<% end %>
|
||||
</div>
|
||||
<% if current_user_role.can_manage_users || current_user_role.name == "super_admin" %>
|
||||
<% if current_user_role.get_permission("can_manage_users") || current_user_role.name == "super_admin" %>
|
||||
<% provider = Rails.configuration.loadbalanced_configuration ? current_user.provider : "greenlight" %>
|
||||
<%= f.select :roles, Role.editable_roles(@user_domain).map{|role| [translated_role_name(role), role.id, {'data-colour' => role_colour(role)}]}.unshift(["", nil, {'data-colour' => nil}]), {disabled: disabled_roles(@user)}, { class: "form-control custom-select", id: "role-select-dropdown" } %>
|
||||
<% end %>
|
||||
<%= f.hidden_field :role_ids, id: "user_role_ids", value: @user.roles.by_priority.pluck(:id) %>
|
||||
<%= f.hidden_field :role_ids, id: "user_role_ids", value: @user.roles.by_priority.pluck(:id).uniq %>
|
||||
|
||||
<%= f.label t("settings.account.image"), class: "form-label mt-5" %>
|
||||
<div class="row">
|
||||
|
||||
Reference in New Issue
Block a user