
Merge pull request #14118 from opf/work-package-permission-fixes
Fixes to allow access to work packages without project membership
oliverguenther authored Nov 27, 2023
2 parents c4d5799 + e7fa8d5 commit b0c42b4
Showing 87 changed files with 822 additions and 458 deletions.
21 changes: 17 additions & 4 deletions app/components/members/user_filter_component.rb
Expand Up @@ -52,8 +52,10 @@ def extra_user_status_options
end

def status_members_query(status)
params = { project_id: project.id,
status: }
params = {
project_id: project.id,
status:
}

self.class.filter(params)
end
Expand All @@ -62,8 +64,19 @@ def filter_path
project_members_path(project)
end

def self.base_query
Queries::Members::MemberQuery
class << self
def base_query
Queries::Members::MemberQuery
end

protected

def apply_filters(params, query)
super(params, query)
query.where(:only_project_member, '=', 't')

query
end
end
end
end
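Review bot: `apply_filters` inside the new `class << self` block discards whatever `super(params, query)` returns and then filters and returns the `query` it was handed, so the extra condition only lands on the right object if the parent's `apply_filters` mutates that query in place — nothing in this hunk shows that, and the enclosing class header is outside the hunk. A one-line comment above the `super` call would pin the assumption, e.g. `# super applies the standard filters in place; the project-member restriction is layered on top so users who can see work packages without being members are not listed`, the last clause hedged on the PR's stated intent. The `'t'` operand for `:only_project_member` also reads as a boolean encoded as text; if the filter accepts a real boolean, `query.where(:only_project_member, '=', true)` is clearer, otherwise a short comment on why the text form is expected would help the next reader. `super(params, query)` can also be the bare `super`, since the arguments are forwarded unchanged.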
29 changes: 24 additions & 5 deletions app/contracts/base_contract.rb
Expand Up @@ -239,7 +239,7 @@ def reduce_by_writable_conditions(attributes)
attributes
end

def reduce_by_writable_permissions(attributes) # rubocop:disable Metrics/PerceivedComplexity, Metrics/AbcSize
def reduce_by_writable_permissions(attributes)
attribute_permissions = collect_ancestor_attributes(:attribute_permissions)

attributes.reject do |attribute|
Expand All @@ -251,15 +251,34 @@ def reduce_by_writable_permissions(attributes) # rubocop:disable Metrics/Perceiv

next unless permissions

# This will break once a model that does not respond to project is used.
# This is intended to be worked on then with the additional knowledge.
next if model.project.present? && permissions.any? { |perm| user.allowed_in_project?(perm, model.project) }
next if model.project.blank? && permissions.any? { |perm| user.allowed_in_any_project?(perm) }
next if permissions.any? do |perm|
user.allowed_based_on_permission_context?(
perm,
project: project_for_permission_check,
entity: entity_for_permission_check
)
end

true
end
end

def project_for_permission_check
if model.is_a?(Project)
model
else
model.respond_to?(:project) ? model.project : nil
end
end

def entity_for_permission_check
if model.is_a?(Project)
nil
else
model
end
end

def with_merged_former_errors
former_errors = errors.dup

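Review bot: The `next if permissions.any? do … end` at the top of this hunk places a six-line `do … end` block inside a modifier-`if` condition, which is hard to scan and easy to misread as a block on `next`; extracting the predicate into a private method keeps the reject block to one line per rule (the head of that reject block and of `reduce_by_writable_permissions` is in the preceding hunk). The new `project_for_permission_check` returns `nil` for a non-`Project` model that has no project or does not respond to `:project`, and the check then runs with `project: nil, entity: model`; what `allowed_based_on_permission_context?` does with that combination is defined outside this commit and replaces the explicit `allowed_in_any_project?` fallback the hunk removes, so the helper deserves a comment stating that a nil project is expected and how it is meant to be resolved. That helper also flattens to `return model if model.is_a?(Project)` followed by `model.project if model.respond_to?(:project)`, avoiding the nested `if`/ternary.
```ruby
      next if writable_by_any_permission?(permissions)
      # … unchanged: rest of the reject block, then project_for_permission_check and entity_for_permission_check …

  # True when at least one of the given permissions grants the user access in the
  # project/entity context derived from the model (see *_for_permission_check).
  def writable_by_any_permission?(permissions)
    permissions.any? do |perm|
      user.allowed_based_on_permission_context?(
        perm,
        project: project_for_permission_check,
        entity: entity_for_permission_check
      )
    end
  end
```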
6 changes: 1 addition & 5 deletions app/contracts/queries/update_contract.rb
Expand Up @@ -57,11 +57,7 @@ def user_allowed_to_change_public
end

def user_allowed_to_edit_work_packages?
if model.project
user.allowed_in_project?(:edit_work_packages, model.project)
else
user.allowed_in_any_project?(:edit_work_packages)
end
user.allowed_in_any_work_package?(:edit_work_packages, in_project: model.project)
end

def user_allowed_to_save_queries?
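Review bot: `user_allowed_to_edit_work_packages?` now passes `in_project: model.project` to `allowed_in_any_work_package?`, and for a query without a project that presumably falls back to any work package the user can reach; that fallback silently replaces the explicit `allowed_in_any_project?` branch this hunk removes, and nothing in the one-line method says the nil case is deliberate. A comment would make the intent reviewable, e.g. `# A global query has no project: being allowed to edit in any work package is sufficient`. The same pattern is introduced in `user_allowed_to_export?` in app/controllers/work_packages_controller.rb, where the `@project`-less export case deserves the same note.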
2 changes: 1 addition & 1 deletion app/contracts/relations/base_contract.rb
Expand Up @@ -78,7 +78,7 @@ def visible_work_packages
end

def manage_relations?
user.allowed_in_project?(:manage_work_package_relations, model.from.project)
user.allowed_in_work_package?(:manage_work_package_relations, model.from)
end
end
end
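Review bot: `manage_relations?` authorises against `model.from` only, so the relation's target work package never enters the permission decision in this method; the replaced line had the same one-sided scope (the project of `from`), so this is not a regression, but a reader cannot tell from here whether `model.to` is covered by the `visible_work_packages` validation whose definition the hunk cuts off above. A comment would make the split explicit, e.g. `# The permission is required on the source work package only; the target is checked for visibility separately`, with the second clause confirmed against visible_work_packages. The same single-sided check is introduced in `delete_permission` in app/contracts/relations/delete_contract.rb and would benefit from the same note.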
2 changes: 1 addition & 1 deletion app/contracts/relations/delete_contract.rb
Expand Up @@ -28,6 +28,6 @@

module Relations
class DeleteContract < ::DeleteContract
delete_permission -> { user.allowed_in_project?(:manage_work_package_relations, model.from.project) }
delete_permission -> { user.allowed_in_work_package?(:manage_work_package_relations, model.from) }
end
end
6 changes: 1 addition & 5 deletions app/controllers/work_packages_controller.rb
Expand Up @@ -135,11 +135,7 @@ def protect_from_unauthorized_export
end

def user_allowed_to_export?
if @project
User.current.allowed_in_project?(:export_work_packages, @project)
else
User.current.allowed_in_any_project?(:export_work_packages)
end
User.current.allowed_in_any_work_package?(:export_work_packages, in_project: @project)
end

def supported_list_formats
142 changes: 0 additions & 142 deletions app/models/authorization/scopes/allowed_to.rb

This file was deleted.

