Nemcio/Redmine
1
0
Fork 0
mirror of https://github.com/redmine/redmine.git synced 2025-11-11 15:56:03 +01:00
Code Issues Packages Projects Releases Activity

Ability to limit member management to certain roles (#19707).

Browse Source 
git-svn-id: http://svn.redmine.org/redmine/trunk@14293 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Jean-Philippe Lang
2015-05-31 07:16:23 +00:00
parent 48d40a8c88
commit ed9f00178c
13 changed files with 260 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
app/controllers/members_controller.rb
View File

@@ -53,14 +53,12 @@ class MembersController < ApplicationController
def create def create
members = [] members = []
if params[:membership] if params[:membership]
if params[:membership][:user_ids] user_ids = Array.wrap(params[:membership][:user_id] || params[:membership][:user_ids])
attrs = params[:membership].dup user_ids << nil if user_ids.empty?
user_ids = attrs.delete(:user_ids)
user_ids.each do |user_id| user_ids.each do |user_id|
members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => user_id) member = Member.new(:project => @project, :user_id => user_id)
end member.set_editable_role_ids(params[:membership][:role_ids])
else members << member
members << Member.new(:role_ids => params[:membership][:role_ids], :user_id => params[:membership][:user_id])
end end
@project.members << members @project.members << members
end end
@@ -84,7 +82,7 @@ class MembersController < ApplicationController
def update def update
if params[:membership] if params[:membership]
@member.role_ids = params[:membership][:role_ids] @member.set_editable_role_ids(params[:membership][:role_ids])
end end
saved = @member.save saved = @member.save
respond_to do |format| respond_to do |format|
@@ -101,7 +99,7 @@ class MembersController < ApplicationController
end end
def destroy def destroy
if request.delete? && @member.deletable? if @member.deletable?
@member.destroy @member.destroy
end end
respond_to do |format| respond_to do |format|

77
app/models/member.rb
View File

@@ -29,6 +29,12 @@ class Member < ActiveRecord::Base
before_destroy :set_issue_category_nil before_destroy :set_issue_category_nil
alias :base_reload :reload
def reload(*args)
@managed_roles = nil
base_reload(*args)
end
def role def role
end end
@@ -70,22 +76,52 @@ class Member < ActiveRecord::Base
end end
end end
def deletable? # Set member role ids ignoring any change to roles that
member_roles.detect {|mr| mr.inherited_from}.nil? # user is not allowed to manage
def set_editable_role_ids(ids, user=User.current)
ids = (ids || []).collect(&:to_i) - [0]
editable_role_ids = user.managed_roles(project).map(&:id)
untouched_role_ids = self.role_ids - editable_role_ids
touched_role_ids = ids & editable_role_ids
self.role_ids = untouched_role_ids + touched_role_ids
end end
def destroy # Returns true if one of the member roles is inherited
if member_roles.reload.present? def any_inherited_role?
# destroying the last role will destroy another instance member_roles.any? {|mr| mr.inherited_from}
# of the same Member record, #super would then trigger callbacks twice end
member_roles.destroy_all
@destroyed = true # Returns true if the member has the role and if it's inherited
freeze def has_inherited_role?(role)
member_roles.any? {|mr| mr.role_id == role.id && mr.inherited_from.present?}
end
# Returns true if the member's role is editable by user
def role_editable?(role, user=User.current)
if has_inherited_role?(role)
false
else else
user.managed_roles(project).include?(role)
end
end
# Returns true if the member is deletable by user
def deletable?(user=User.current)
if any_inherited_role?
false
else
roles & user.managed_roles(project) == roles
end
end
# Destroys the member
def destroy
member_roles.reload.each(&:destroy_without_member_removal)
super super
end end
end
# Returns true if the member is user or is a group
# that includes user
def include?(user) def include?(user)
if principal.is_a?(Group) if principal.is_a?(Group)
!user.nil? && user.groups.include?(principal) !user.nil? && user.groups.include?(principal)
@@ -102,6 +138,27 @@ class Member < ActiveRecord::Base
end end
end end
# Returns the roles that the member is allowed to manage
# in the project the member belongs to
def managed_roles
@managed_roles ||= begin
if principal.try(:admin?)
Role.givable.to_a
else
members_management_roles = roles.select do |role|
role.has_permission?(:manage_members)
end
if members_management_roles.empty?
[]
elsif members_management_roles.any?(&:all_roles_managed?)
Role.givable.to_a
else
members_management_roles.map(&:managed_roles).reduce(&:|)
end
end
end
end
# Creates memberships for principal with the attributes # Creates memberships for principal with the attributes
# * project_ids : one or more project ids # * project_ids : one or more project ids
# * role_ids : ids of the roles to give to each membership # * role_ids : ids of the roles to give to each membership

9
app/models/member_role.rb
View File

@@ -36,10 +36,17 @@ class MemberRole < ActiveRecord::Base
!inherited_from.nil? !inherited_from.nil?
end end
# Destroys the MemberRole without destroying its Member if it doesn't have
# any other roles
def destroy_without_member_removal
@member_removal = false
destroy
end
private private
def remove_member_if_empty def remove_member_if_empty
if member.roles.empty? if @member_removal != false && member.roles.empty?
member.destroy member.destroy
end end
end end

4
app/models/role.rb
View File

@@ -64,6 +64,10 @@ class Role < ActiveRecord::Base
end end
has_and_belongs_to_many :custom_fields, :join_table => "#{table_name_prefix}custom_fields_roles#{table_name_suffix}", :foreign_key => "role_id" has_and_belongs_to_many :custom_fields, :join_table => "#{table_name_prefix}custom_fields_roles#{table_name_suffix}", :foreign_key => "role_id"
has_and_belongs_to_many :managed_roles, :class_name => 'Role',
:join_table => "#{table_name_prefix}roles_managed_roles#{table_name_suffix}",
:association_foreign_key => "managed_role_id"
has_many :member_roles, :dependent => :destroy has_many :member_roles, :dependent => :destroy
has_many :members, :through => :member_roles has_many :members, :through => :member_roles
acts_as_list acts_as_list

9
app/models/user.rb
View File

@@ -566,6 +566,15 @@ class User < Principal
@visible_project_ids ||= Project.visible(self).pluck(:id) @visible_project_ids ||= Project.visible(self).pluck(:id)
end end
# Returns the roles that the user is allowed to manage for the given project
def managed_roles(project)
if admin?
Role.givable.to_a
else
membership(project).try(:managed_roles) || []
end
end
# Returns true if user is arg or belongs to arg # Returns true if user is arg or belongs to arg
def is_or_belongs_to?(arg) def is_or_belongs_to?(arg)
if arg.is_a?(User) if arg.is_a?(User)

2
app/views/members/_new_form.html.erb
View File

@@ -9,7 +9,7 @@
<fieldset class="box"> <fieldset class="box">
<legend><%= l(:label_role_plural) %> <%= toggle_checkboxes_link('.roles-selection input') %></legend> <legend><%= l(:label_role_plural) %> <%= toggle_checkboxes_link('.roles-selection input') %></legend>
<div class="roles-selection"> <div class="roles-selection">
<% Role.givable.all.each do |role| %> <% User.current.managed_roles(@project).each do |role| %>
<label><%= check_box_tag 'membership[role_ids][]', role.id, false, :id => nil %> <%= role %></label> <label><%= check_box_tag 'membership[role_ids][]', role.id, false, :id => nil %> <%= role %></label>
<% end %> <% end %>
</div> </div>

4
app/views/projects/settings/_members.html.erb
View File

@@ -32,9 +32,7 @@
<%= check_box_tag('membership[role_ids][]', <%= check_box_tag('membership[role_ids][]',
role.id, member.roles.include?(role), role.id, member.roles.include?(role),
:id => nil, :id => nil,
:disabled => member.member_roles.detect { :disabled => !member.role_editable?(role)) %> <%= role %>
|mr| mr.role_id == role.id && !mr.inherited_from.nil?
} ) %> <%= role %>
</label><br /> </label><br />
<% end %> <% end %>
</p> </p>

33
app/views/roles/_form.html.erb
View File

@@ -16,6 +16,28 @@
<p><%= f.select :users_visibility, Role::USERS_VISIBILITY_OPTIONS.collect {|v| [l(v.last), v.first]} %></p> <p><%= f.select :users_visibility, Role::USERS_VISIBILITY_OPTIONS.collect {|v| [l(v.last), v.first]} %></p>
<% unless @role.builtin? %>
<p id="manage_members_options">
<label>Gestion des membres</label>
<label class="block">
<%= radio_button_tag 'role[all_roles_managed]', 1, @role.all_roles_managed?, :id => 'role_all_roles_managed_on',
:data => {:disables => '.role_managed_role input'} %>
tous les rôles
</label>
<label class="block">
<%= radio_button_tag 'role[all_roles_managed]', 0, !@role.all_roles_managed?, :id => 'role_all_roles_managed_off',
:data => {:enables => '.role_managed_role input'} %>
ces rôles uniquement:
</label>
<% Role.givable.sorted.each do |role| %>
<label class="block role_managed_role" style="padding-left:2em;">
<%= check_box_tag 'role[managed_role_ids][]', role.id, @role.managed_roles.include?(role), :id => nil %>
<%= role.name %>
</label>
<% end %>
<%= hidden_field_tag 'role[managed_role_ids][]', '' %>
<% end %>
<% if @role.new_record? && @roles.any? %> <% if @role.new_record? && @roles.any? %>
<p><label for="copy_workflow_from"><%= l(:label_copy_workflow_from) %></label> <p><label for="copy_workflow_from"><%= l(:label_copy_workflow_from) %></label>
<%= select_tag(:copy_workflow_from, content_tag("option") + options_from_collection_for_select(@roles, :id, :name, params[:copy_workflow_from] || @copy_from.try(:id))) %></p> <%= select_tag(:copy_workflow_from, content_tag("option") + options_from_collection_for_select(@roles, :id, :name, params[:copy_workflow_from] || @copy_from.try(:id))) %></p>
@@ -29,7 +51,8 @@
<fieldset><legend><%= mod.blank? ? l(:label_project) : l_or_humanize(mod, :prefix => 'project_module_') %></legend> <fieldset><legend><%= mod.blank? ? l(:label_project) : l_or_humanize(mod, :prefix => 'project_module_') %></legend>
<% perms_by_module[mod].each do |permission| %> <% perms_by_module[mod].each do |permission| %>
<label class="floating"> <label class="floating">
<%= check_box_tag 'role[permissions][]', permission.name, (@role.permissions.include? permission.name), :id => nil %> <%= check_box_tag 'role[permissions][]', permission.name, (@role.permissions.include? permission.name),
:id => "role_permissions_#{permission.name}" %>
<%= l_or_humanize(permission.name, :prefix => 'permission_') %> <%= l_or_humanize(permission.name, :prefix => 'permission_') %>
</label> </label>
<% end %> <% end %>
@@ -38,3 +61,11 @@
<br /><%= check_all_links 'permissions' %> <br /><%= check_all_links 'permissions' %>
<%= hidden_field_tag 'role[permissions][]', '' %> <%= hidden_field_tag 'role[permissions][]', '' %>
</div> </div>
<%= javascript_tag do %>
$(document).ready(function(){
$("#role_permissions_manage_members").change(function(){
$("#manage_members_options").toggle($(this).is(":checked"));
}).change();
});
<% end %>

5
db/migrate/20150528084820_add_roles_all_roles_managed.rb Normal file
View File

@@ -0,0 +1,5 @@
class AddRolesAllRolesManaged < ActiveRecord::Migration
def change
add_column :roles, :all_roles_managed, :boolean, :default => true, :null => false
end
end

8
db/migrate/20150528092912_create_roles_managed_roles.rb Normal file
View File

@@ -0,0 +1,8 @@
class CreateRolesManagedRoles < ActiveRecord::Migration
def change
create_table :roles_managed_roles, :id => false do |t|
t.integer :role_id, :null => false
t.integer :managed_role_id, :null => false
end
end
end

5
db/migrate/20150528093249_add_unique_index_on_roles_managed_roles.rb Normal file
View File

@@ -0,0 +1,5 @@
class AddUniqueIndexOnRolesManagedRoles < ActiveRecord::Migration
def change
add_index :roles_managed_roles, [:role_id, :managed_role_id], :unique => true
end
end

83
test/functional/members_controller_test.rb
View File

@@ -30,6 +30,20 @@ class MembersControllerTest < ActionController::TestCase
assert_response :success assert_response :success
end end
def test_new_should_propose_managed_roles_only
role = Role.find(1)
role.update! :all_roles_managed => false
role.managed_roles = Role.where(:id => [2, 3]).to_a
get :new, :project_id => 1
assert_response :success
assert_select 'div.roles-selection' do
assert_select 'label', :text => 'Manager', :count => 0
assert_select 'label', :text => 'Developer'
assert_select 'label', :text => 'Reporter'
end
end
def test_xhr_new def test_xhr_new
xhr :get, :new, :project_id => 1 xhr :get, :new, :project_id => 1
assert_response :success assert_response :success
@@ -52,6 +66,29 @@ class MembersControllerTest < ActionController::TestCase
assert User.find(7).member_of?(Project.find(1)) assert User.find(7).member_of?(Project.find(1))
end end
def test_create_should_ignore_unmanaged_roles
role = Role.find(1)
role.update! :all_roles_managed => false
role.managed_roles = Role.where(:id => [2, 3]).to_a
assert_difference 'Member.count' do
post :create, :project_id => 1, :membership => {:role_ids => [1, 2], :user_id => 7}
end
member = Member.order(:id => :desc).first
assert_equal [2], member.role_ids
end
def test_create_should_be_allowed_for_admin_without_role
User.find(1).members.delete_all
@request.session[:user_id] = 1
assert_difference 'Member.count' do
post :create, :project_id => 1, :membership => {:role_ids => [1, 2], :user_id => 7}
end
member = Member.order(:id => :desc).first
assert_equal [1, 2], member.role_ids
end
def test_xhr_create def test_xhr_create
assert_difference 'Member.count', 3 do assert_difference 'Member.count', 3 do
xhr :post, :create, :project_id => 1, :membership => {:role_ids => [1], :user_ids => [7, 8, 9]} xhr :post, :create, :project_id => 1, :membership => {:role_ids => [1], :user_ids => [7, 8, 9]}
@@ -75,14 +112,34 @@ class MembersControllerTest < ActionController::TestCase
assert_match /alert/, response.body, "Alert message not sent" assert_match /alert/, response.body, "Alert message not sent"
end end
def test_edit def test_update
assert_no_difference 'Member.count' do assert_no_difference 'Member.count' do
put :update, :id => 2, :membership => {:role_ids => [1], :user_id => 3} put :update, :id => 2, :membership => {:role_ids => [1], :user_id => 3}
end end
assert_redirected_to '/projects/ecookbook/settings/members' assert_redirected_to '/projects/ecookbook/settings/members'
end end
def test_xhr_edit def test_update_should_not_add_unmanaged_roles
role = Role.find(1)
role.update! :all_roles_managed => false
role.managed_roles = Role.where(:id => [2, 3]).to_a
member = Member.create!(:user => User.find(9), :role_ids => [3], :project_id => 1)
put :update, :id => member.id, :membership => {:role_ids => [1, 2, 3]}
assert_equal [2, 3], member.reload.role_ids.sort
end
def test_update_should_not_remove_unmanaged_roles
role = Role.find(1)
role.update! :all_roles_managed => false
role.managed_roles = Role.where(:id => [2, 3]).to_a
member = Member.create!(:user => User.find(9), :role_ids => [1, 3], :project_id => 1)
put :update, :id => member.id, :membership => {:role_ids => [2]}
assert_equal [1, 2], member.reload.role_ids.sort
end
def test_xhr_update
assert_no_difference 'Member.count' do assert_no_difference 'Member.count' do
xhr :put, :update, :id => 2, :membership => {:role_ids => [1], :user_id => 3} xhr :put, :update, :id => 2, :membership => {:role_ids => [1], :user_id => 3}
assert_response :success assert_response :success
@@ -103,6 +160,28 @@ class MembersControllerTest < ActionController::TestCase
assert !User.find(3).member_of?(Project.find(1)) assert !User.find(3).member_of?(Project.find(1))
end end
def test_destroy_should_fail_with_unmanaged_roles
role = Role.find(1)
role.update! :all_roles_managed => false
role.managed_roles = Role.where(:id => [2, 3]).to_a
member = Member.create!(:user => User.find(9), :role_ids => [1, 3], :project_id => 1)
assert_no_difference 'Member.count' do
delete :destroy, :id => member.id
end
end
def test_destroy_should_succeed_with_managed_roles_only
role = Role.find(1)
role.update! :all_roles_managed => false
role.managed_roles = Role.where(:id => [2, 3]).to_a
member = Member.create!(:user => User.find(9), :role_ids => [3], :project_id => 1)
assert_difference 'Member.count', -1 do
delete :destroy, :id => member.id
end
end
def test_xhr_destroy def test_xhr_destroy
assert_difference 'Member.count', -1 do assert_difference 'Member.count', -1 do
xhr :delete, :destroy, :id => 2 xhr :delete, :destroy, :id => 2

31
test/unit/member_test.rb
View File

@@ -159,4 +159,35 @@ class MemberTest < ActiveSupport::TestCase
assert_equal -1, a <=> b assert_equal -1, a <=> b
assert_equal 1, b <=> a assert_equal 1, b <=> a
end end
def test_managed_roles_should_return_all_roles_for_role_with_all_roles_managed
member = Member.new
member.roles << Role.generate!(:permissions => [:manage_members], :all_roles_managed => true)
assert_equal Role.givable.all, member.managed_roles
end
def test_managed_roles_should_return_all_roles_for_admins
member = Member.new(:user => User.find(1))
member.roles << Role.generate!
assert_equal Role.givable.all, member.managed_roles
end
def test_managed_roles_should_return_limited_roles_for_role_without_all_roles_managed
member = Member.new
member.roles << Role.generate!(:permissions => [:manage_members], :all_roles_managed => false, :managed_role_ids => [2, 3])
assert_equal [2, 3], member.managed_roles.map(&:id).sort
end
def test_managed_roles_should_cumulated_managed_roles
member = Member.new
member.roles << Role.generate!(:permissions => [:manage_members], :all_roles_managed => false, :managed_role_ids => [3])
member.roles << Role.generate!(:permissions => [:manage_members], :all_roles_managed => false, :managed_role_ids => [2])
assert_equal [2, 3], member.managed_roles.map(&:id).sort
end
def test_managed_roles_should_return_no_roles_for_role_without_permission
member = Member.new
member.roles << Role.generate!(:all_roles_managed => true)
assert_equal [], member.managed_roles
end
end end