Fix member permissions for service pages

3scale · Nov 5, 2024 · c969ffb · c969ffb
1 parent cfdc09c
commit c969ffb
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 4 deletions.
diff --git a/app/models/service.rb b/app/models/service.rb
@@ -115,9 +115,11 @@ def cinstance
   scope :permitted_for, ->(user = nil) {
     next all unless user
 
+    next none if user.no_services_allowed?
+
     account = user.account
     account_services = (account.provider? ? account : account.provider_account).services
-    self.merge(
+    merge(
       account_services.merge(user.forbidden_some_services? ? where(id: user.member_permission_service_ids) : {})
     )
   }

diff --git a/app/models/user/permissions.rb b/app/models/user/permissions.rb
@@ -80,6 +80,7 @@ def existing_service_ids
   # returns [] if no services are enabled, and nil if all (current and future) services are enabled
   def member_permission_service_ids
     return nil if admin? || !services_member_permission
+
     permitted_service_ids = services_member_permission.try(:service_ids) || []
     permitted_service_ids & existing_service_ids
   end
@@ -96,15 +97,23 @@ def has_access_to_service?(service)
   # Lack of the services section means it is the old permission system where everyone had access
   # to every service. So to limit the scope only for new users, we start adding this permission.
   def has_access_to_all_services?
-    !admin_sections.include?(:services) || admin?
+    admin? || (service_permissions_selected? && member_permission_service_ids.nil?)
+  end
+
+  def no_services_allowed?
+    !service_permissions_selected? || member_permission_service_ids == []
   end
 
   def forbidden_some_services?
     !has_access_to_all_services? && account.provider_can_use?(:service_permissions)
   end
 
+  def service_permissions_selected?
+    (member_permission_ids & AdminSection::SERVICE_PERMISSIONS).any?
+  end
+
   def access_to_service_admin_sections?
-    (member_permission_ids & AdminSection::SERVICE_PERMISSIONS).any? && accessible_services?
+    service_permissions_selected? && accessible_services?
   end
 
   def reload(*)

diff --git a/config/abilities/provider_any.rb b/config/abilities/provider_any.rb
@@ -21,7 +21,8 @@
     cannot %i[destroy update_role], user
 
     # Services
-    can %i[read show edit update], Service, user.accessible_services.where_values_hash
+    user_accessible_services = user.accessible_services
+    can %i[read show edit update], Service, user_accessible_services.where_values_hash unless user_accessible_services.is_a? ActiveRecord::NullRelation
 
     #
     # Events

diff --git a/test/integration/api/policies_controller_test.rb b/test/integration/api/policies_controller_test.rb
@@ -55,4 +55,15 @@ def setup
     get edit_admin_service_policies_path(@service)
     assert_response :service_unavailable
   end
+
+  test 'policies edit for members with no permissions' do
+    Policies::PoliciesListService.unstub(:call!)
+    Policies::PoliciesListService.expects(:call!).never
+    member = FactoryBot.create(:member, account: @provider, state: 'active')
+    logout! && login!(@provider, user: member)
+
+    get edit_admin_service_policies_path(@service)
+
+    assert_response :not_found
+  end
 end
diff --git a/test/integration/api/proxy_configs_controller_test.rb b/test/integration/api/proxy_configs_controller_test.rb
@@ -56,4 +56,14 @@ def setup
     assert_response :success
     assert_equal '{"foo":"bar"}', response.body
   end
+
+  test 'proxy configs index for members with no permissions' do
+    member = FactoryBot.create(:member, account: @provider, state: 'active')
+    logout! && login!(@provider, user: member)
+
+    get admin_service_proxy_configs_path(service_id: service, environment: 'sandbox')
+
+    # TODO: maybe this should be be a :forbidden
+    assert_response :not_found
+  end
 end