Skip to content

Commit

Permalink
Fix member permissions for service pages
Browse files Browse the repository at this point in the history
  • Loading branch information
mayorova committed Oct 25, 2024
1 parent 63181b9 commit 8b81c48
Show file tree
Hide file tree
Showing 5 changed files with 37 additions and 4 deletions.
4 changes: 3 additions & 1 deletion app/models/service.rb
Original file line number Diff line number Diff line change
Expand Up @@ -115,9 +115,11 @@ def cinstance
scope :permitted_for, ->(user = nil) {
next all unless user

next none if user.no_services_allowed?

account = user.account
account_services = (account.provider? ? account : account.provider_account).services
self.merge(
merge(
account_services.merge(user.forbidden_some_services? ? where(id: user.member_permission_service_ids) : {})
)
}
Expand Down
13 changes: 11 additions & 2 deletions app/models/user/permissions.rb
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@ def existing_service_ids
# returns [] if no services are enabled, and nil if all (current and future) services are enabled
def member_permission_service_ids
return nil if admin? || !services_member_permission

permitted_service_ids = services_member_permission.try(:service_ids) || []
permitted_service_ids & existing_service_ids
end
Expand All @@ -96,15 +97,23 @@ def has_access_to_service?(service)
# Lack of the services section means it is the old permission system where everyone had access
# to every service. So to limit the scope only for new users, we start adding this permission.
def has_access_to_all_services?
!admin_sections.include?(:services) || admin?
admin? || (service_permissions_selected? && member_permission_service_ids.nil?)
end

def no_services_allowed?
!service_permissions_selected? || member_permission_service_ids == []
end

def forbidden_some_services?
!has_access_to_all_services? && account.provider_can_use?(:service_permissions)
end

def service_permissions_selected?
(member_permission_ids & AdminSection::SERVICE_PERMISSIONS).any?
end

def access_to_service_admin_sections?
(member_permission_ids & AdminSection::SERVICE_PERMISSIONS).any? && accessible_services?
service_permissions_selected? && accessible_services?
end

def reload(*)
Expand Down
3 changes: 2 additions & 1 deletion config/abilities/provider_any.rb
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,8 @@
cannot %i[destroy update_role], user

# Services
can %i[read show edit update], Service, user.accessible_services.where_values_hash
user_accessible_services = user.accessible_services
can %i[read show edit update], Service, user_accessible_services.where_values_hash unless user_accessible_services.is_a? ActiveRecord::NullRelation

#
# Events
Expand Down
11 changes: 11 additions & 0 deletions test/integration/api/policies_controller_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -55,4 +55,15 @@ def setup
get edit_admin_service_policies_path(@service)
assert_response :service_unavailable
end

test 'policies edit for members with no permissions' do
Policies::PoliciesListService.unstub(:call!)
Policies::PoliciesListService.expects(:call!).never
member = FactoryBot.create(:member, account: @provider, state: 'active')
logout! && login!(@provider, user: member)

get edit_admin_service_policies_path(@service)

assert_response :not_found
end
end
10 changes: 10 additions & 0 deletions test/integration/api/proxy_configs_controller_test.rb
Original file line number Diff line number Diff line change
Expand Up @@ -56,4 +56,14 @@ def setup
assert_response :success
assert_equal '{"foo":"bar"}', response.body
end

test 'proxy configs index for members with no permissions' do
member = FactoryBot.create(:member, account: @provider, state: 'active')
logout! && login!(@provider, user: member)

get admin_service_proxy_configs_path(service_id: service, environment: 'sandbox')

# TODO: maybe this should be be a :forbidden
assert_response :not_found
end
end

0 comments on commit 8b81c48

Please sign in to comment.