take whether a module is disabled into account when checking for admin

opf · Jun 20, 2024 · 73b1200 · 73b1200
1 parent e4f8794
commit 73b1200
Show file tree

Hide file tree

Showing 3 changed files with 122 additions and 10 deletions.
diff --git a/app/services/authorization/user_permissible_service.rb b/app/services/authorization/user_permissible_service.rb
@@ -9,7 +9,6 @@ def initialize(user)
     def allowed_globally?(permission)
       perms = contextual_permissions(permission, :global)
       return false unless authorizable_user?
-      return true if admin_and_all_granted_to_admin?(perms)
 
       cached_permissions(nil).intersect?(perms.map(&:name))
     end
@@ -19,17 +18,14 @@ def allowed_in_project?(permission, projects_to_check)
       return false if projects_to_check.blank?
       return false unless authorizable_user?
 
-      projects = Array(projects_to_check)
-
-      projects.all? do |project|
+      Array(projects_to_check).all? do |project|
         allowed_in_single_project?(perms, project)
       end
     end
 
     def allowed_in_any_project?(permission)
       perms = contextual_permissions(permission, :project)
       return false unless authorizable_user?
-      return true if admin_and_all_granted_to_admin?(perms)
 
       cached_in_any_project?(perms)
     end
@@ -51,7 +47,6 @@ def allowed_in_any_entity?(permission, entity_class, in_project: nil)
       perms = contextual_permissions(permission, context_name(entity_class))
       return false unless authorizable_user?
       return false if in_project && !(in_project.active? || in_project.being_archived?)
-      return true if admin_and_all_granted_to_admin?(perms)
 
       if entity_is_project_scoped?(entity_class)
         allowed_in_any_project_scoped_entity?(perms, entity_class, in_project:)
@@ -64,7 +59,25 @@ def allowed_in_any_entity?(permission, entity_class, in_project: nil)
 
     def cached_permissions(context)
       @cached_permissions ||= Hash.new do |hash, context_key|
-        hash[context_key] = user.all_permissions_for(context_key)
+        hash[context_key] = if user.admin?
+                              permissible_key = case context_key
+                                                when WorkPackage
+                                                  :work_package
+                                                when Project
+                                                  :project
+                                                when nil
+                                                  :global
+                                                else
+                                                  raise "Unknown context key: #{context_key}"
+                                                end
+
+                              OpenProject::AccessControl
+                                .permissions
+                                .select { |p| p.permissible_on?(permissible_key) && p.grant_to_admin? }
+                                .map(&:name)
+                            else
+                              user.all_permissions_for(context_key)
+                            end
       end
 
       @cached_permissions[context]
@@ -85,7 +98,6 @@ def allowed_in_single_project?(permissions, project)
       permissions_filtered_for_project = permissions_by_enabled_project_modules(project, permissions)
 
       return false if permissions_filtered_for_project.empty?
-      return true if admin_and_all_granted_to_admin?(permissions)
 
       cached_permissions(project).intersect?(permissions_filtered_for_project)
     end
@@ -106,7 +118,6 @@ def allowed_in_single_project_scoped_entity?(permissions, entity)
       permissions_filtered_for_project = permissions_by_enabled_project_modules(entity.project, permissions)
 
       return false if permissions_filtered_for_project.empty?
-      return true if admin_and_all_granted_to_admin?(permissions)
 
       # The combination of this is better then doing
       # EntityClass.allowed_to(user, permission).exists?.

diff --git a/spec/models/work_packages/scopes/allowed_to_spec.rb b/spec/models/work_packages/scopes/allowed_to_spec.rb
@@ -106,6 +106,16 @@
         expect(subject).to be_empty
       end
     end
+
+    context "when the module the permission belongs to is disabled" do
+      before do
+        private_project.enabled_module_names = private_project.enabled_module_names - ["work_package_tracking"]
+      end
+
+      it "excludes work packages where the module is disabled in" do
+        expect(subject).to contain_exactly(work_package_in_public_project)
+      end
+    end
   end
 
   context "when the user has the permission directly on the work package" do

diff --git a/spec/services/authorization/user_permissible_service_spec.rb b/spec/services/authorization/user_permissible_service_spec.rb
@@ -2,6 +2,7 @@
 
 RSpec.describe Authorization::UserPermissibleService do
   shared_let(:user) { create(:user) }
+  shared_let(:admin) { create(:admin) }
   shared_let(:anonymous_user) { create(:anonymous) }
   shared_let(:project) { create(:project) }
   shared_let(:work_package) { create(:work_package, project:) }
@@ -161,6 +162,27 @@
             it { is_expected.to be_allowed_in_project(permission, project) }
           end
         end
+
+        context "and the user is admin" do
+          let(:queried_user) { admin }
+
+          it { is_expected.to be_allowed_in_project(permission, project) }
+
+          context "and the account is locked" do
+            before { admin.locked! }
+
+            it { is_expected.not_to be_allowed_in_project(permission, project) }
+          end
+
+          context "and the module the permission belongs to is disabled" do
+            before do
+              project.enabled_module_names = project.enabled_module_names - ["work_package_tracking"]
+              project.reload
+            end
+
+            it { is_expected.not_to be_allowed_in_project(permission, project) }
+          end
+        end
       end
 
       context "and the user is a member of a project" do
@@ -226,6 +248,27 @@
             it { is_expected.not_to be_allowed_in_any_project(permission) }
           end
         end
+
+        context "and the user is admin" do
+          let(:queried_user) { admin }
+
+          it { is_expected.to be_allowed_in_any_project(permission) }
+
+          context "and the account is locked" do
+            before { admin.locked! }
+
+            it { is_expected.not_to be_allowed_in_any_project(permission) }
+          end
+
+          context "and the module the permission belongs to is disabled" do
+            before do
+              project.enabled_module_names = project.enabled_module_names - ["work_package_tracking"]
+              project.reload
+            end
+
+            it { is_expected.not_to be_allowed_in_any_project(permission) }
+          end
+        end
       end
 
       context "and the user is a member of a project" do
@@ -292,6 +335,27 @@
         it { is_expected.not_to be_allowed_in_entity(permission, work_package, WorkPackage) }
       end
 
+      context "and the user is admin" do
+        let(:queried_user) { admin }
+
+        it { is_expected.to be_allowed_in_entity(permission, work_package, WorkPackage) }
+
+        context "and the account is locked" do
+          before { admin.locked! }
+
+          it { is_expected.not_to be_allowed_in_entity(permission, work_package, WorkPackage) }
+        end
+
+        context "and the module the permission belongs to is disabled" do
+          before do
+            project.enabled_module_names = project.enabled_module_names - ["work_package_tracking"]
+            project.reload
+          end
+
+          it { is_expected.not_to be_allowed_in_entity(permission, work_package, WorkPackage) }
+        end
+      end
+
       context "and the user is a member of the project" do
         let(:role) { create(:project_role, permissions: [permission]) }
         let!(:project_member) { create(:member, user:, project:, roles: [role]) }
@@ -305,7 +369,10 @@
         end
 
         context "without the module enabled in the project" do
-          before { project.enabled_module_names = project.enabled_modules - [:work_package_tracking] }
+          before do
+            project.enabled_module_names = project.enabled_module_names - ["work_package_tracking"]
+            project.reload
+          end
 
           it { is_expected.not_to be_allowed_in_entity(permission, work_package, WorkPackage) }
         end
@@ -369,6 +436,30 @@
         it { is_expected.not_to be_allowed_in_any_entity(permission, WorkPackage) }
       end
 
+      context "and the user is admin" do
+        let(:queried_user) { admin }
+
+        it { is_expected.to be_allowed_in_any_entity(permission, WorkPackage) }
+        it { is_expected.to be_allowed_in_any_entity(permission, WorkPackage, in_project: project) }
+
+        context "and the account is locked" do
+          before { admin.locked! }
+
+          it { is_expected.not_to be_allowed_in_any_entity(permission, WorkPackage) }
+          it { is_expected.not_to be_allowed_in_any_entity(permission, WorkPackage, in_project: project) }
+        end
+
+        context "and the module the permission belongs to is disabled" do
+          before do
+            project.enabled_module_names = project.enabled_module_names - ["work_package_tracking"]
+            project.reload
+          end
+
+          it { is_expected.not_to be_allowed_in_any_entity(permission, WorkPackage) }
+          it { is_expected.not_to be_allowed_in_any_entity(permission, WorkPackage, in_project: project) }
+        end
+      end
+
       context "and the user is a member of a project" do
         let(:role) { create(:project_role, permissions: [permission]) }
         let!(:project_member) { create(:member, user:, project:, roles: [role]) }