From c474fa063f8c7c40597cf51d9a5b235f3b943eda Mon Sep 17 00:00:00 2001 From: chris Date: Mon, 19 Aug 2013 18:54:35 +0800 Subject: [PATCH] New authorization --- .../admin/authorizations_controller.rb | 169 ++++++++++++------ .../admin/dashboards_controller.rb | 2 + .../admin/users_new_interface_controller.rb | 11 +- app/controllers/orbit_backend_controller.rb | 32 +--- app/controllers/orbit_member_controller.rb | 32 +--- app/helpers/orbit_backend_helper.rb | 4 +- app/models/auth/auth_approval.rb | 6 + app/models/auth/auth_manager.rb | 4 + app/models/auth/auth_sub_manager.rb | 6 + app/models/auth/authorization.rb | 108 +++++++++++ app/models/category.rb | 2 +- app/models/module_app.rb | 82 ++++++++- app/models/user/user.rb | 10 +- app/views/admin/authorizations/_user.html.erb | 4 +- app/views/admin/authorizations/index.html.erb | 8 +- .../admin/authorizations/insert_users.js.erb | 2 - .../admin/authorizations/reload_users.js.erb | 2 + config/application.rb | 1 + lib/orbit_app/module/registration.rb | 18 +- lib/orbit_category/categorizing.rb | 4 +- lib/orbit_core_lib.rb | 35 ++-- lib/orbit_model/authorizable.rb | 55 ++++++ .../back_end/bulletins_controller.rb | 6 +- .../back_end/page_contexts_controller.rb | 7 +- .../page_content/app/models/page_context.rb | 2 +- 25 files changed, 440 insertions(+), 172 deletions(-) create mode 100644 app/models/auth/auth_approval.rb create mode 100644 app/models/auth/auth_manager.rb create mode 100644 app/models/auth/auth_sub_manager.rb create mode 100644 app/models/auth/authorization.rb delete mode 100644 app/views/admin/authorizations/insert_users.js.erb create mode 100644 app/views/admin/authorizations/reload_users.js.erb create mode 100644 lib/orbit_model/authorizable.rb diff --git a/app/controllers/admin/authorizations_controller.rb b/app/controllers/admin/authorizations_controller.rb index 046812424..243dc6c73 100644 --- a/app/controllers/admin/authorizations_controller.rb 
+++ b/app/controllers/admin/authorizations_controller.rb @@ -1,13 +1,13 @@ class Admin::AuthorizationsController < OrbitBackendController - before_filter :admin_or_manager + prepend_before_filter :admin_or_manager def index - @module_apps ||= ModuleApp.where(is_authorizable: true).order_by([:title, :asc]) + @module_apps ||= ModuleApp.any_of({is_authorizable: true}, {is_approvable: true}).order_by([:title, :asc]) if @module_apps && @module_apps.include?(@module_app) if @type case @type - when 'category', 'approval' + when 'category_authorization', 'category_approval' if @module_app.has_category @objects = @module_app.categories else @@ -18,12 +18,12 @@ class Admin::AuthorizationsController < OrbitBackendController end unless @objects.blank? @object ||= @objects.first - @users = @object.get_object_auth_by_title("#{@type}_#{@module_app.key}").auth_users + @users = @object.get_authorization_by_title("#{@type}_#{@module_app.key}").authorized_users rescue nil else @error = t(:no_data) end else - @users = @module_app.managing_users + @users = @module_app.managers end elsif @module_apps @module_app = @module_apps.first 
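Review bot: The new `rescue nil` modifier on the `@users = @object.get_authorization_by_title(...).authorized_users` line swallows every StandardError raised by the lookup, not only the nil case it is presumably there for, so a broken relation or a typo in the title now shows up as an empty user list instead of an error. `get_authorization_by_title` can legitimately return nil, so handle that case explicitly: `auth = @object.get_authorization_by_title("#{@type}_#{@module_app.key}")` followed by `@users = auth ? auth.authorized_users : []`. The enclosing `index` action starts and ends outside this hunk.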
@@ -33,35 +33,42 @@ class Admin::AuthorizationsController < OrbitBackendController end end - def add(users) - unless users.blank? - if @type - if @object - object_auth = @object.get_object_auth_by_title("#{@type}_#{@module_app.key}") - add_users_to_object_auth(object_auth, users) - else - @error = t(:no_data) - end - else - add_managers(users) unless users.blank? - end + def add_roles + roles = Role.find(params[:role_ids]) rescue [] + users = [] + roles.each do |role| + users += role.users.all.entries end - @users = users - render 'admin/authorizations/insert_users' + unless roles.blank? + authorization = get_or_create_authorization + add_roles_to_auth(authorization, roles) unless @error + end + @users = authorization.authorized_users + render 'admin/authorizations/reload_users' + end + + def add_sub_roles + sub_roles = SubRole.find(params[:sub_role_ids]) rescue [] + users = [] + sub_roles.each do |sub_role| + users += sub_role.users.all.entries + end + unless sub_roles.blank? + authorization = get_or_create_authorization + add_sub_roles_to_auth(authorization, sub_roles) unless @error + end + @users = authorization.authorized_users + render 'admin/authorizations/reload_users' end def add_users users = User.find(params[:user_ids]) rescue [] - add(users) - end - - def add_roles - roles = Role.find(params[:role_ids]) rescue [] - users = roles.inject([]) do |users, role| - users += role.users.all.entries - users + unless users.blank? + authorization = get_or_create_authorization + add_users_to_auth(authorization, users) unless @error end - add(users) + @users = authorization.authorized_users + render 'admin/authorizations/reload_users' end def modal_select 
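Review bot: In `add_roles`, `add_sub_roles` and `add_users` the local `authorization` is only assigned inside the `unless ... blank?` guard, so an empty selection (or a failed `Role.find`, which the `rescue []` turns into an empty list) reaches `@users = authorization.authorized_users` with `authorization` nil and raises NoMethodError; the same happens when `get_or_create_authorization` sets `@error`, because its error branches evaluate to the `t(:no_data)` string rather than nil. A nil-safe assignment, `@users = authorization ? authorization.authorized_users : []`, keeps the action rendering once `get_or_create_authorization` returns nil on its error path. The `users` arrays built from `role.users.all.entries` and `sub_role.users.all.entries` in the two role actions are never read afterwards and can be dropped.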
@@ -70,63 +77,111 @@ class Admin::AuthorizationsController < OrbitBackendController if @type @object_id = @object.id if @object @sorted_users = roles.inject({}) do |users, role| - users[role] = role.users.where(admin: false).not_guest_user - existing_users - @module_app.managing_users + users[role] = role.users.where(admin: false) - existing_users - @module_app.managers users end else @sorted_users = roles.inject({}) do |users, role| - users[role] = role.users.where(admin: false).not_guest_user - existing_users + users[role] = role.users.where(admin: false) - existing_users users end end end + def remove_roles + roles = Role.find(params[:role_ids]) rescue [] + unless roles.blank? + authorization = get_or_create_authorization + remove_roles_form_auth(authorization, roles) + end + @users = authorization.authorized_users + render 'admin/authorizations/reload_users' + end + + def remove_sub_roles + sub_roles = SubRole.find(params[:sub_role_ids]) rescue [] + unless sub_roles.blank? + authorization = get_or_create_authorization + remove_sub_roles_from_auth(authorization, sub_roles) + end + @users = authorization.authorized_users + render 'admin/authorizations/reload_users' + end + def remove_users @users = User.find(params[:ids]) rescue [] unless @users.blank? 
- if @type - if @object - object_auth = @object.get_object_auth_by_title("#{@type}_#{@module_app.key}") - remove_users_form_object_auth(object_auth, @users) - else - @error = t(:no_data) - end - else - remove_managers(@users) - end + authorization = get_or_create_authorization + remove_users_from_auth(authorization, @users) end - render 'admin/authorizations/remove_users' + @users = authorization.authorized_users + render 'admin/authorizations/reload_users' end protected - def add_managers(users) - users.each do |user| - @module_app.assign_manager(user, current_user) + def add_managers_to_auth(users) + @module_app.add_managers(users) + end + + def add_roles_to_auth(authorization, roles) + authorization.add_roles(roles) + end + + def add_sub_roles_to_auth(authorization, sub_roles) + authorization.add_sub_roles(sub_roles) + end + + def add_users_to_auth(authorization, users) + authorization.add_users(users) + end + + def get_or_create_authorization + case @type + when 'category_approval' + if @object + @object.auth_approval || @object.create_auth_approval(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}") + else + @error = t(:no_data) + end + when 'category_authorization' + if @object + @object.auth_sub_manager || @object.create_auth_sub_manager(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}") + else + @error = t(:no_data) + end + when nil + @module_app.auth_manager || @module_app.create_auth_manager(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}") + else + auth = @object.get_authorization_by_title("#{@type}_#{@module_app.key}") + unless auth + auth = @object.create_auth_approval(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}") if @type.include?('approval') + auth = @object.create_auth_sub_manager(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}") if @type.include?('authorization') + end + auth end end - def add_users_to_object_auth(object_auth, users) - users.each do 
|user| - object_auth.add_user_to_privilege_list(user) - end + def remove_managers_from_auth(users) + @module_app.remove_manager(users) end - def remove_managers(users) - users.each do |user| - @module_app.remove_manager(user) - end + def remove_roles_form_auth(authorization, roles) + authorization.remove_roles(roles) end - def remove_users_form_object_auth(object_auth, users) - users.each do |user| - object_auth.remove_user_from_privilege_list(user) - end + def remove_sub_roles_from_auth(authorization, sub_roles) + authorization.remove_sub_roles(sub_roles) + end + + def remove_users_from_auth(authorization, users) + authorization.remove_users(users) end private def admin_or_manager + @override_can_use = true setup_vars authenticate_user! user_is_manager? @@ -136,7 +191,7 @@ class Admin::AuthorizationsController < OrbitBackendController @module_app = ModuleApp.first(conditions: {:key => params[:module]} ) if params[:module] @type = params[:type].underscore if params[:type] if @type - @klass = @type.classify.constantize rescue nil + @klass = @type.gsub('_authorization', '').gsub('_approval', '').classify.constantize rescue nil @object = @klass.find(params[:id]) rescue nil end end diff --git a/app/controllers/admin/dashboards_controller.rb b/app/controllers/admin/dashboards_controller.rb index 7bf36ee3e..ddb23570b 100644 --- a/app/controllers/admin/dashboards_controller.rb +++ b/app/controllers/admin/dashboards_controller.rb @@ -4,6 +4,8 @@ class Admin::DashboardsController < OrbitBackendController #before_filter :authenticate_user!, :except => [:index] # before_filter :is_admin? + prepend_before_filter :set_public + layout "basic_back_end" def index diff --git a/app/controllers/admin/users_new_interface_controller.rb b/app/controllers/admin/users_new_interface_controller.rb index fd62c29f8..813a8d2e1 100644 --- a/app/controllers/admin/users_new_interface_controller.rb +++ b/app/controllers/admin/users_new_interface_controller.rb 
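Review bot: `get_or_create_authorization` returns the translated string from `@error = t(:no_data)` on its two error branches instead of nil, and its `else` branch dereferences `@object` without the nil guard the other branches have; ending those branches with an explicit `nil` lets callers test the result. The three `remove_*` actions also go through `get_or_create_authorization`, so a removal against an object that has no authorization record yet creates one as a side effect, and `remove_managers_from_auth` calls `@module_app.remove_manager(users)` while the `ModuleApp` method added in this commit is `remove_managers` (plural) — if the singular one went away with the commented-out `OrbitApp::ModuleAppMembershipTools`, that call is a NoMethodError. In `admin_or_manager`, `@override_can_use = true` makes the `can_use` filter skip `setup_vars`, `set_current_user`, `authenticate_user!` and `check_user_can_use`, so access to this controller rests entirely on the `authenticate_user!` and `user_is_manager?` calls that follow; `user_is_manager?` is not visible in this diff, so please confirm it redirects rather than only returning a boolean. `admin_or_manager` continues past the end of this hunk.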
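Review bot: `@klass = @type.gsub('_authorization', '').gsub('_approval', '').classify.constantize` turns the user-supplied `params[:type]` into an arbitrary constant and `@object = @klass.find(params[:id])` then loads a document of that class, so any model in the application can be looked up by name through this controller; the `rescue nil` only hides resolution failures. Restrict the lookup to the models the module registered: `name = @type.gsub('_authorization', '').gsub('_approval', '').classify`, `allowed = Array(@module_app.authorizable_models) + Array(@module_app.approvable_models)` and `@klass = allowed.include?(name) ? name.constantize : nil`. `setup_vars` here starts before the hunk.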
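Review bot: `prepend_before_filter :set_public` makes `can_use` skip `authenticate_user!` and `check_user_can_use` for every action of `Admin::DashboardsController`, and the only authentication filters in the visible context are the commented-out `authenticate_user!` and `is_admin?` lines, so the dashboard becomes reachable without a login unless `check_backend_openness` refuses the request. If the goal is only to let `can_use` run without the manager check, scope the filter with `:only => [...]` to the actions that are really public, or keep an explicit `before_filter :authenticate_user!`. The class body continues outside this hunk.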
@@ -2,18 +2,9 @@ class Admin::UsersNewInterfaceController < OrbitMemberController helper MemberHelper - # before_filter :authenticate_user! - # before_filter :set_attribute, :only => [:index, :show, :new, :edit] - - before_filter :force_order_for_visitor,:only=>[:index,:show] - before_filter :force_order_for_user,:except => [:index,:show] before_filter :set_attribute,:except => [:index,:show] + prepend_filter :set_public, :only => [:index, :show] - def setup_vars - # @app_title ||= controller_path.split('/')[1].singularize - # @module_app ||= ModuleApp.first(conditions: {:key => @app_title} ) - # raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil? - end def index get_tags diff --git a/app/controllers/orbit_backend_controller.rb b/app/controllers/orbit_backend_controller.rb index 2d220cfab..3b83c45f8 100644 --- a/app/controllers/orbit_backend_controller.rb +++ b/app/controllers/orbit_backend_controller.rb @@ -1,7 +1,6 @@ class OrbitBackendController < ApplicationController include OrbitCategory::Categorizing - include OrbitCoreLib::AppBackendUtility - include OrbitCoreLib::PermissionUtility + include OrbitCoreLib::Authorization include OrbitTag::Tagging include AdminHelper include ApplicationHelper @@ -10,12 +9,6 @@ class OrbitBackendController < ApplicationController layout "back_end" - def setup_vars - @app_title ||= controller_path.split('/')[1].singularize - @module_app ||= ModuleApp.first(conditions: {:key => @app_title} ) - raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil? - end - def get_statuses status = [] status << 'is_top' 
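Review bot: `prepend_filter :set_public, :only => [:index, :show]` is not a Rails controller macro — the filter API is `prepend_before_filter` — so this line raises NoMethodError when the class is loaded and takes the whole member interface down. Change it to `prepend_before_filter :set_public, :only => [:index, :show]`, matching the form used in the other controllers of this commit. Removing the empty `setup_vars` override is fine, since `OrbitCoreLib::Authorization` now supplies it. The class body continues outside this hunk.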
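Review bot: Replacing the two utility modules with `OrbitCoreLib::Authorization` also registers `before_filter :can_use` through that module's `included` hook, so every subclass of `OrbitBackendController` now runs `can_use` ahead of any filter it declares itself unless it uses `prepend_before_filter`, and nothing on the include line says so. A comment such as `# also registers before_filter :can_use for every subclass; use prepend_before_filter to run ahead of it` would save the next reader a trip into lib/orbit_core_lib.rb. The same applies to the matching include in `OrbitMemberController`.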
@@ -28,27 +21,4 @@ class OrbitBackendController < ApplicationController end status end - - private - - def force_order_for_visitor - check_backend_openness - setup_vars - set_current_user - end - - - def force_order_for_user - setup_vars - set_current_user - authenticate_user! - check_user_can_use - end - - def check_user_can_use - unless check_permission - #redirect_to polymorphic_path(['panel',@app_title,'back_end','public']) - redirect_to root_url - end - end end diff --git a/app/controllers/orbit_member_controller.rb b/app/controllers/orbit_member_controller.rb index a018fc002..67af71f55 100644 --- a/app/controllers/orbit_member_controller.rb +++ b/app/controllers/orbit_member_controller.rb @@ -1,7 +1,6 @@ class OrbitMemberController < ApplicationController include OrbitCategory::Categorizing - include OrbitCoreLib::AppBackendUtility - include OrbitCoreLib::PermissionUtility + include OrbitCoreLib::Authorization include OrbitTag::Tagging include AdminHelper include ApplicationHelper @@ -10,12 +9,6 @@ class OrbitMemberController < ApplicationController layout "member" - def setup_vars - @app_title ||= controller_path.split('/')[1].singularize - @module_app ||= ModuleApp.first(conditions: {:key => @app_title} ) - raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil? - end - def get_statuses status = [] status << 'is_top' @@ -28,27 +21,4 @@ class OrbitMemberController < ApplicationController end status end - - private - - def force_order_for_visitor - check_backend_openness - setup_vars - set_current_user - end - - - def force_order_for_user - setup_vars - set_current_user - authenticate_user! - check_user_can_use - end - - def check_user_can_use - unless check_permission - #redirect_to polymorphic_path(['panel',@app_title,'back_end','public']) - redirect_to root_url - end - end end diff --git a/app/helpers/orbit_backend_helper.rb b/app/helpers/orbit_backend_helper.rb index a673e5d96..4d3fbf6d7 100644 --- a/app/helpers/orbit_backend_helper.rb 
+++ b/app/helpers/orbit_backend_helper.rb
@@ -321,9 +321,9 @@ module OrbitBackendHelper
   def is_authorized(object)
     autorized = @module_app.authorizable_models.inject(false) do |autorized, klass|
       if object.is_a?(klass.constantize)
-        autorized ||= object.cur_user_is_sub_manager_of("#{klass.underscore}_#{@module_app.key}")
+        autorized ||= object.user_can_sub_manage?(current_user)
       else
-        autorized ||= object.category.cur_user_is_sub_manager_of("category_#{@module_app.key}")
+        autorized ||= object.category.user_can_sub_manage?(current_user)
       end
       autorized
     end
diff --git a/app/models/auth/auth_approval.rb b/app/models/auth/auth_approval.rb
new file mode 100644
index 000000000..bdacec730
--- /dev/null
+++ b/app/models/auth/auth_approval.rb
@@ -0,0 +1,6 @@
+class AuthApproval < Authorization
+  field :title
+
+  belongs_to :approval_authorizable, polymorphic: true
+  has_and_belongs_to_many :authorized_users, class_name: 'User', inverse_of: 'approving_apps'
+end
\ No newline at end of file
diff --git a/app/models/auth/auth_manager.rb b/app/models/auth/auth_manager.rb
new file mode 100644
index 000000000..6ac3919e0
--- /dev/null
+++ b/app/models/auth/auth_manager.rb
@@ -0,0 +1,4 @@
+class AuthManager < Authorization
+  # belongs_to :manager_authorizable, polymorphic: true
+  has_and_belongs_to_many :authorized_users, class_name: 'User', inverse_of: 'managing_apps'
+end
\ No newline at end of file
diff --git a/app/models/auth/auth_sub_manager.rb b/app/models/auth/auth_sub_manager.rb
new file mode 100644
index 000000000..b037bebf2
--- /dev/null
+++ b/app/models/auth/auth_sub_manager.rb
@@ -0,0 +1,6 @@
+class AuthSubManager < Authorization
+  field :title
+
+  belongs_to :sub_manager_authorizable, polymorphic: true
+  has_and_belongs_to_many :authorized_users, class_name: 'User', inverse_of: 'sub_managing_apps'
+end
\ No newline at end of file
diff --git a/app/models/auth/authorization.rb b/app/models/auth/authorization.rb
new file mode 100644
index 000000000..26b909e73
--- /dev/null
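Review bot: In `is_authorized` the `inject(false)` block parameter `autorized` shadows the outer local of the same name and the accumulator is only ever or-ed, so the loop is an `any?` written by hand; `object.category` is also dereferenced without a nil check, which `user_can_sub_manage?` cannot catch. A direct form is `@module_app.authorizable_models.any? do |klass|` / `target = object.is_a?(klass.constantize) ? object : object.category` / `target && target.user_can_sub_manage?(current_user)`, closed with `end`, which short-circuits on the first grant and returns false for an object with no category. The method's closing `end` lies outside the hunk.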
+++ b/app/models/auth/authorization.rb 
@@ -0,0 +1,108 @@
+class Authorization
+  include Mongoid::Document
+  include Mongoid::Timestamps
+
+  field :title
+
+  belongs_to :module_app
+
+  has_and_belongs_to_many :roles
+  has_and_belongs_to_many :sub_roles
+
+  delegate :update_auth_approval_users, :update_auth_manager_users, :update_auth_sub_manager_users, to: :module_app, prefix: true, allow_nil: true
+
+  after_save :update_module_app
+
+
+  def add_roles(roles)
+    users = []
+    roles = Array(roles)
+    add_operation(:roles, roles)
+    sub_roles = []
+    roles.each{|role| role.sub_roles.each{|sub_role| sub_roles << sub_role.id}}
+    add_operation(:sub_roles, sub_roles)
+    roles.each{|role| role.users.where(admin: false).each{|user| users << user}}
+    add_users(users, false)
+  end
+
+  def add_sub_roles(sub_roles)
+    users = []
+    sub_roles = Array(sub_roles)
+    add_operation(:sub_roles, sub_roles)
+    sub_roles.each do |sub_role|
+      self.roles << sub_role.role unless self.roles.include?(sub_role.role)
+      sub_role.users.where(admin: false).each{|user| users << user}
+    end
+    add_users(users, false)
+  end
+
+  def add_users(users, with_parents = true)
+    users = Array(users)
+    add_operation(:authorized_users, users)
+    users.each do |user|
+      user.roles.each do |role|
+        self.roles << role unless self.roles.include?(role)
+      end
+      user.sub_roles.each do |sub_role|
+        self.sub_roles << sub_role unless self.sub_roles.include?(sub_role)
+      end
+    end if with_parents
+    self.save
+  end
+
+  def remove_roles(roles)
+    users = []
+    sub_roles = []
+    roles = Array(roles)
+    remove_operation(:roles, roles)
+    roles.each do |role|
+      role.sub_roles.each{|sub_role| sub_roles << sub_role}
+      role.users.where(admin: false).each{|user| users << user}
+    end
+    remove_operation(:sub_role_ids, sub_roles)
+    remove_operation(:authorized_user_ids, users)
+    add_roles(self.roles)
+  end
+
+  def remove_sub_roles(sub_roles)
+    users = []
+    sub_roles = Array(sub_roles)
+    remove_operation(:sub_roles, sub_roles)
+    sub_roles.each do |sub_role|
+      users << sub_role.users.where(admin: false)
+    end
+    remove_operation(:authorized_user_ids, users)
+    add_roles(self.roles)
+  end
+
+  def remove_users(users)
+    users = Array(users)
+    remove_operation(:authorized_user_ids, users)
+    self.save
+  end
+
+  protected
+
+  def add_operation(db_field, objs)
+    objs.each do |obj|
+      self.send(db_field) << obj unless self.send(db_field).include?(obj)
+    end
+  end
+
+  def remove_operation(db_field, obj)
+    self.write_attribute(db_field, self.send(db_field) - obj.map{|y| y.id})
+  end
+
+  private
+
+  def update_module_app
+    case self._type
+    when "AuthApproval"
+      self.module_app_update_auth_approval_users
+    when "AuthManager"
+      self.module_app_update_auth_manager_users
+    when "AuthSubManager"
+      self.module_app_update_auth_sub_manager_users
+    end
+  end
+end
\ No newline at end of file
diff --git a/app/models/category.rb b/app/models/category.rb
index 42d51bc37..027b86e00 100644
--- a/app/models/category.rb
+++ b/app/models/category.rb
@@ -1,7 +1,7 @@
 class Category
   include Mongoid::Document
   include Mongoid::Timestamps
-  include OrbitCoreLib::ObjectAuthable
+  include OrbitModel::Authorizable
 
   field :disable, type: Boolean, default: false
   field :title, localize: true
diff --git a/app/models/module_app.rb b/app/models/module_app.rb
index 3fe38bdf0..282840537 100644
--- a/app/models/module_app.rb
+++ b/app/models/module_app.rb
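Review bot: `remove_roles` calls `remove_operation(:roles, roles)` and `remove_sub_roles` calls `remove_operation(:sub_roles, sub_roles)`, but `remove_operation` does `write_attribute(db_field, self.send(db_field) - obj.map{|y| y.id})`, i.e. it subtracts ids from the documents the relation returns and writes the result to an attribute named `roles`/`sub_roles` rather than to the `role_ids`/`sub_role_ids` keys that the later `:sub_role_ids`/`:authorized_user_ids` calls use — so the role relation appears never to shrink; both calls should pass `:role_ids` and `:sub_role_ids`. In `add_roles`, `sub_roles << sub_role.id` collects ids, yet `add_operation(:sub_roles, ...)` appends each element to the relation where documents are expected (`remove_roles` collects `sub_role` documents for the same purpose), so it should be `sub_roles << sub_role`. In `remove_sub_roles`, `users << sub_role.users.where(admin: false)` pushes one criteria object per sub-role, so `obj.map{|y| y.id}` in `remove_operation` calls `id` on the criteria instead of on users; `users.concat(sub_role.users.where(admin: false).entries)` mirrors `remove_roles`. Finally, both removal methods end with `add_roles(self.roles)`, which re-adds every remaining role's users, so a user added individually who also belongs to the removed role is dropped — if that is intended, a one-line comment on `add_roles(self.roles)` should say so.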
@@ -1,16 +1,26 @@ class ModuleApp include Mongoid::Document include Mongoid::Timestamps - include OrbitCoreLib::ObjectTokenUtility - include OrbitApp::ModuleAppMembershipTools + # include OrbitCoreLib::ObjectTokenUtility + # include OrbitApp::ModuleAppMembershipTools + field :auth_approval_users, type: Array, default: nil + field :auth_manager_users, type: Array, default: nil + field :auth_sub_manager_users, type: Array, default: nil field :key field :title field :sidebar_order,type: Integer,default: 0 + has_one :auth_manager, dependent: :destroy + has_many :auth_approvals, dependent: :destroy + has_many :auth_sub_managers, dependent: :destroy has_many :categories, dependent: :destroy has_many :module_tags, dependent: :destroy + has_many :approvals #to remove + + delegate :authorized_users, to: :auth_manager, prefix: true, allow_nil: true + def refetch_setting!(reg) # %w{module_label category base_url version organization author intro update_info create_date}.each do |field| # self[field.to_sym] = reg.send field @@ -24,6 +34,7 @@ class ModuleApp self[:has_category] = reg.get_has_category self[:is_approvable] = reg.get_is_approvable self[:is_authorizable] = reg.get_is_authorizable + self[:approvable_models] = reg.get_approvable_models self[:authorizable_models] = reg.get_authorizable_models end 
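Review bot: The three new `auth_*_users` Array fields carry no explanation, and from this hunk alone a reader cannot tell that they are denormalised copies of each authorization's `authorized_users` ids, rebuilt by `Authorization#update_module_app` after every save and read by `is_manager?`, `is_sub_manager?` and `can_approve?`; a comment such as `# cached authorized-user ids per authorization type, refreshed by Authorization#update_module_app on save — do not write directly` above the field group would make that invariant visible. `has_many :approvals #to remove` keeps a relation the commit itself calls obsolete; a TODO naming the condition for removing it is clearer than `#to remove`. The class body continues outside this hunk.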
@@ -168,4 +179,71 @@ class ModuleApp self.module_tags.map{|t| t.tag } end + + # authorization + def update_auth_approval_users + user_ids = self.auth_approvals.inject([]) do |users, auth| + users += auth.authorized_users.map{|user| user.id} + end + update_attribute(:auth_approval_users, user_ids.uniq) + end + + def update_auth_manager_users + update_attribute(:auth_manager_users, self.auth_manager_authorized_users.map{|user| user.id}) + end + + def update_auth_sub_manager_users + user_ids = self.auth_sub_managers.inject([]) do |users, auth| + users += auth.authorized_users.map{|user| user.id} + end + update_attribute(:auth_sub_manager_users, user_ids.uniq) + end + + def managers + auth_manager_authorized_users || [] + end + + def user_can_manage?(user) + managers.include?(user) + end + + def add_managers(users) + users = Array(users) + if auth_manager = self.auth_manager + auth_manager.update_attribute(:authorized_users, (auth_manager.authorized_users + users).uniq) + else + self.create_auth_manager(authorized_users: users) + end + end + + def remove_managers(users) + users = Array(users) + users = users.delete_if{|user| user == current_user || is_admin?} + self.auth_manager.update_attribute(:authorized_users, auth_manager.authorized_users - users) + end + + def is_manager?(user) + if user && !auth_manager_users.blank? + auth_manager_users.include?(user.id) + else + false + end + end + + def is_sub_manager?(user) + if user && !auth_sub_manager_users.blank? + auth_sub_manager_users.include?(user.id) + else + false + end + end + + def can_approve?(user) + if user && !auth_approval_users.blank? + auth_approval_users.include?(user.id) + else + false + end + end + end diff --git a/app/models/user/user.rb b/app/models/user/user.rb index 0c547fd46..97142cf87 100644 --- a/app/models/user/user.rb +++ b/app/models/user/user.rb 
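Review bot: `remove_managers` calls `current_user` and `is_admin?`, which are controller/helper methods and are not defined on a model, so the `delete_if` raises NameError the first time it runs; even if they resolved, `is_admin?` takes no argument here and would test the caller rather than the user being removed. The "do not remove yourself" rule belongs in the controller (the `_user.html.erb` partial already hides the button for `user == current_user || user.admin`), while the model can keep the admin exclusion through the `admin` attribute it already queries with `where(admin: false)`, and it must cope with a missing `auth_manager`, which `self.auth_manager.update_attribute` does not. `update_auth_manager_users` has the same nil case — `auth_manager_authorized_users` is nil when there is no `AuthManager`, so `.map` fails; `Array(self.auth_manager_authorized_users).map{|user| user.id}` covers it. The class body continues outside this hunk.
```ruby
def remove_managers(users)
  users = Array(users).reject(&:admin)
  return if auth_manager.nil?
  auth_manager.update_attribute(:authorized_users, auth_manager.authorized_users - users)
end
```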
@@ -19,12 +19,16 @@ class User field :cache_dept,type: Hash field :status_record,type: Hash + has_and_belongs_to_many :approving_apps, class_name: 'AuthApproval', inverse_of: 'authorized_users' + has_and_belongs_to_many :managing_apps, class_name: 'AuthManager', inverse_of: 'authorized_users' + has_and_belongs_to_many :sub_managing_apps, class_name: 'AuthSubManager', inverse_of: 'authorized_users' + has_many :attribute_values, :autosave => true, :dependent => :destroy has_many :app_auths,as: :privilege_apps,:inverse_of => :privilege_lists has_many :blocked_apps, :inverse_of => :blocked_users, :class_name => "AppAuth", :dependent => :destroy has_many :privilege_apps, :inverse_of => :privilege_users, :class_name => "AppAuth", :dependent => :destroy - has_many :managing_apps,:class_name => "AppManager", :dependent => :destroy + # has_many :managing_apps,:class_name => "AppManager", :dependent => :destroy has_one :desktop, :autosave => true, :dependent => :destroy has_one :facebook, :autosave => true, :dependent => :destroy has_many :other_accounts, :autosave => true, :dependent => :destroy @@ -273,8 +277,8 @@ class User end def managed_module_apps - self.managing_apps.inject([]) do |managed_apps, app_manager| - managed_apps << app_manager.managing_app unless app_manager.managing_app.blank? + self.managing_apps.inject([]) do |managed_apps, auth_manager| + managed_apps << auth_manager.module_app managed_apps end end diff --git a/app/views/admin/authorizations/_user.html.erb b/app/views/admin/authorizations/_user.html.erb index 2723234e2..7a3ac794a 100644 --- a/app/views/admin/authorizations/_user.html.erb +++ b/app/views/admin/authorizations/_user.html.erb @@ -1,10 +1,10 @@ -
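Review bot: The rewritten `managed_module_apps` drops the blank guard the old loop had, so an `AuthManager` whose `module_app` is unset (nothing in the visible `belongs_to :module_app` makes it required) pushes nil into the result. The `inject` is also just a `map`: `self.managing_apps.map(&:module_app).compact` keeps the guard and reads in one line. The first hunk in this file turns `managing_apps` from a `has_many ... :dependent => :destroy` into a `has_and_belongs_to_many`, so destroying a user no longer destroys anything on the other side; whether the user's id is also pulled from `authorized_user_ids` on destroy depends on Mongoid's HABTM handling and is worth confirming, since `ModuleApp#is_manager?` reads a cached id list. The method bodies here are complete within the hunk.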
  • +
  • - <% unless user == current_user || is_admin? %> + <% unless user == current_user || user.admin %> <% end %>
  • \ No newline at end of file diff --git a/app/views/admin/authorizations/index.html.erb b/app/views/admin/authorizations/index.html.erb index 6e98df123..1f81d9458 100644 --- a/app/views/admin/authorizations/index.html.erb +++ b/app/views/admin/authorizations/index.html.erb @@ -13,11 +13,13 @@
    - <%= link_to t(:module_authorization), admin_authorizations_path(@module_app.key) %> + <%= link_to t(:module_authorization), admin_authorizations_path(@module_app.key) if @module_app.is_authorizable %> <% @module_app.authorizable_models.each do |authorizable_model| %> - <%= link_to (authorizable_model.eql?('Category') ? t(:category_auth) : "#{authorizable_model.underscore.humanize.capitalize} #{t(:authorization_)}"), admin_authorizations_path(@module_app.key, type: authorizable_model.underscore) %> + <%= link_to (authorizable_model.eql?('Category') ? t(:category_auth) : "#{authorizable_model.underscore.humanize.capitalize} #{t(:authorization_)}"), admin_authorizations_path(@module_app.key, type: "#{authorizable_model.underscore}_authorization") %> + <% end %> + <% @module_app.approvable_models.each do |approvable_model| %> + <%= link_to (approvable_model.eql?('Category') ? t(:approval_) : "#{approvable_model.underscore.humanize.capitalize} #{t(:approval_)}"), admin_authorizations_path(@module_app.key, type: "#{approvable_model.underscore}_approval") %> <% end %> - <%= link_to t(:approval_), admin_authorizations_path(@module_app.key, type: 'approval') if @module_app.is_approvable %> <% if @error %> <%= @error %> <% else %> diff --git a/app/views/admin/authorizations/insert_users.js.erb b/app/views/admin/authorizations/insert_users.js.erb deleted file mode 100644 index bb9ecf882..000000000 --- a/app/views/admin/authorizations/insert_users.js.erb +++ /dev/null @@ -1,2 +0,0 @@ -$("#card-list").append("<%= j render partial: 'user', collection: @users %>"); -$("#member-filter").modal('hide'); \ No newline at end of file diff --git a/app/views/admin/authorizations/reload_users.js.erb b/app/views/admin/authorizations/reload_users.js.erb new file mode 100644 index 000000000..47e4fc3d2 --- /dev/null +++ b/app/views/admin/authorizations/reload_users.js.erb 
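Review bot: `@module_app.approvable_models.each` assumes the field is populated, but `approvable_models` is only written by `refetch_setting!` (this commit adds that assignment), so any `ModuleApp` document that has not been refetched since the upgrade yields nil here and the page raises NoMethodError; `Array(@module_app.approvable_models).each do |approvable_model|` degrades to "no approval links" instead. The same `Array(...)` wrapping would protect the `authorizable_models` loop above it, although that field predates the change.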
@@ -0,0 +1,2 @@ +$("#card-list").html("<%= j render partial: 'user', collection: @users %>"); +$("#member-filter").modal('hide'); \ No newline at end of file diff --git a/config/application.rb b/config/application.rb index 84e8d974f..a543b8080 100644 --- a/config/application.rb +++ b/config/application.rb @@ -27,6 +27,7 @@ module Orbit # Custom directories with classes and modules you want to be autoloadable. # config.autoload_paths += %W(#{config.root}/extras) + config.autoload_paths += %W(#{config.root}/app/models/auth) config.autoload_paths += %W(#{config.root}/app/models/ckeditor) config.autoload_paths += %W(#{config.root}/app/models/design) config.autoload_paths += %W(#{config.root}/app/models/desktop) diff --git a/lib/orbit_app/module/registration.rb b/lib/orbit_app/module/registration.rb index 902efe6c7..60b62a395 100644 --- a/lib/orbit_app/module/registration.rb +++ b/lib/orbit_app/module/registration.rb @@ -28,7 +28,7 @@ module OrbitApp end class DataSheet - attr_reader :name,:key,:base_path,:module_label,:data_count, :has_category, :has_tag, :authorizable_models, :is_approvable, :is_authorizable + attr_reader :name,:key,:base_path,:module_label,:data_count, :has_category, :has_tag, :approvable_models, :authorizable_models, :is_approvable, :is_authorizable def initialize(name, &block) @name = name @@ -39,6 +39,7 @@ module OrbitApp @data_count = 1..15 # as default @has_category = nil @has_tag = nil + @approvable_models = [] @authorizable_models = [] @is_approvable = nil @is_authorizable = nil @@ -145,8 +146,13 @@ module OrbitApp define_method(field){|var| instance_variable_set( "@" + field, var)} end - def approvable(link=true) + def approvable(link=true, &block) @is_approvable = {:with_link => link} + if block + block.call + else + approvable_on + end end def authorizable(link=true, &block) 
@@ -158,6 +164,10 @@ module OrbitApp end end + def approvable_on(klass = 'Category') + @approvable_models << klass + end + def authorizable_on(klass = 'Category') @authorizable_models << klass end @@ -170,6 +180,10 @@ module OrbitApp @has_tag = true end + def get_approvable_models + @approvable_models + end + def get_authorizable_models @authorizable_models end diff --git a/lib/orbit_category/categorizing.rb b/lib/orbit_category/categorizing.rb index 1b11f5206..04e4aae53 100644 --- a/lib/orbit_category/categorizing.rb +++ b/lib/orbit_category/categorizing.rb @@ -9,11 +9,11 @@ module OrbitCategory end end - def get_categories_for_form(func_authed_for_sub_manager = "category_#{@module_app.key}") + def get_categories_for_form categories = if is_manager? || is_admin? @module_app.categories.enabled elsif is_sub_manager? - @module_app.categories.enabled.authed_for_user(current_user, func_authed_for_sub_manager) + @module_app.categories.enabled.entries.delete_if{|category| !category.user_can_sub_manage?(current_user)} end if categories.empty? flash[:alert] = t(:no_category) diff --git a/lib/orbit_core_lib.rb b/lib/orbit_core_lib.rb index a657eaccb..53eb5d79a 100644 --- a/lib/orbit_core_lib.rb +++ b/lib/orbit_core_lib.rb 
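Review bot: Dropping the `func_authed_for_sub_manager` parameter from `get_categories_for_form` changes the method's arity, so any caller still passing the title string raises ArgumentError; the `bulletins_controller` hunk in this commit calls it without arguments, but other callers are not visible here. The sub-manager branch now returns an Array (`entries.delete_if`) while the manager branch still returns a criteria, so code that chains query methods on the result breaks only for sub-managers; `select{|category| category.user_can_sub_manage?(current_user)}` says the same thing without the double negative. When the user is neither manager nor sub-manager, `categories` stays nil and the `categories.empty?` that follows raises — this predates the change, but approvers, whom `check_user_can_use` now admits, will hit that path. The method continues outside the hunk.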
@@ -140,30 +140,39 @@ module OrbitCoreLib end end - module AppBackendUtility + module Authorization + def self.included(base) + base.class_eval do + before_filter :can_use + end + end + def setup_vars @app_title ||= controller_path.split('/')[1].singularize @module_app ||= ModuleApp.first(conditions: {:key => @app_title} ) + # raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil? end private - def force_order_for_visitor - setup_vars - set_current_user + def can_use + unless @override_can_use + check_backend_openness if @public + setup_vars + set_current_user + unless @public + authenticate_user! + check_user_can_use + end + end end - - def force_order_for_user - setup_vars - set_current_user - authenticate_user! - check_user_can_use + def set_public + @public = true end - def check_user_can_use - unless check_permission - #redirect_to polymorphic_path(['panel',@app_title,'back_end','public']) + def check_user_can_use + unless current_or_guest_user.admin? || @module_app.is_manager?(current_or_guest_user) || @module_app.is_sub_manager?(current_or_guest_user) || @module_app.can_approve?(current_or_guest_user) redirect_to root_url end end diff --git a/lib/orbit_model/authorizable.rb b/lib/orbit_model/authorizable.rb new file mode 100644 index 000000000..47e31d1be --- /dev/null +++ b/lib/orbit_model/authorizable.rb 
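Review bot: `check_user_can_use` dereferences `@module_app` three times, but the `raise ModuleAppError` guard in `setup_vars` is now commented out, so a controller whose path does not map to a registered module reaches this filter with `@module_app` nil and fails with NoMethodError (a 500) instead of the intended redirect; `return redirect_to(root_url) if @module_app.nil?` as the first line of the method restores fail-closed behaviour. The new gate admits anyone who is a manager, sub-manager or approver of the module to every non-public action of every controller that includes this module, whereas the removed `force_order_for_user` left the finer `for_app_manager`/`for_app_sub_manager` checks to each controller — if per-action restrictions are still wanted they must now be re-added per controller. `@override_can_use` skips `setup_vars` and `set_current_user` together with the checks, so a controller that sets it has to call those itself, which deserves a comment on the `unless @override_can_use` line. `check_backend_openness` now runs only for public actions, matching the old visitor path, but a comment saying so would help.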
@@ -0,0 +1,55 @@
+module OrbitModel
+
+  module Authorizable
+
+    def self.included(base)
+      base.class_eval do
+        has_one :auth_approval, as: :approval_authorizable, dependent: :destroy
+        has_one :auth_sub_manager, as: :sub_manager_authorizable, dependent: :destroy
+        delegate :authorized_users, to: :auth_approval, prefix: true, allow_nil: true
+        delegate :authorized_users, to: :auth_sub_manager, prefix: true, allow_nil: true
+        send :include, InstanceMethods
+      end
+    end
+
+    module InstanceMethods
+
+      # Normal case
+      # Use of categories to define approval and sub-manager
+      def approval_users
+        auth_approval_authorized_users
+      end
+
+      def sub_managers
+        auth_sub_manager_authorized_users
+      end
+
+      def user_can_approve?(user)
+        approval_users.include?(user) if approval_users
+      end
+
+      def user_can_sub_manage?(user)
+        sub_managers.include?(user) if sub_managers
+      end
+
+      # Specific case
+      # Approval or sub-manager is defined on something else than categories
+      def authorized_users_by_title(title)
+        approval_users if auth_approval && auth_approval.title.eql?(title)
+        sub_managers if auth_sub_manager && auth_sub_manager.title.eql?(title)
+      end
+
+      def get_authorization_by_title(title)
+        auth_approval if auth_approval && auth_approval.title.eql?(title)
+        auth_sub_manager if auth_sub_manager && auth_sub_manager.title.eql?(title)
+      end
+
+      def user_is_authorized_by_title?(user, title)
+        authorized_users_by_title(title).include?(user)
+      end
+
+    end
+
+  end
+
+end
diff --git a/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/bulletins_controller.rb b/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/bulletins_controller.rb
index 43fce5e35..5d11350dc 100644
--- a/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/bulletins_controller.rb
+++ b/vendor/built_in_modules/announcement/app/controllers/panel/announcement/back_end/bulletins_controller.rb
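Review bot: `authorized_users_by_title` and `get_authorization_by_title` evaluate two guarded expressions in a row and implicitly return only the second, so a title that matches the approval record returns nil (or the sub-manager record, if that also matches) and `user_is_authorized_by_title?` then calls `include?` on nil. Use early returns: `return approval_users if auth_approval && auth_approval.title.eql?(title)` and `return auth_approval if auth_approval && auth_approval.title.eql?(title)` as the first line of each method, leaving the sub-manager expression as the fall-through. `user_is_authorized_by_title?` should also tolerate no match, e.g. `Array(authorized_users_by_title(title)).include?(user)`. `user_can_approve?` and `user_can_sub_manage?` return nil rather than false when no record exists; callers that only test truthiness are fine, but a `?` method is expected to return `false`, so an `else false` branch would make the contract explicit.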
@@ -3,11 +3,7 @@ class Panel::Announcement::BackEnd::BulletinsController < OrbitBackendController before_filter :clean_values, :only => [:create, :update] - # before_filter :for_admin_only,:only => [:] - # before_filter :for_app_manager,:only => [:index,:show,] - before_filter :force_order_for_visitor,:only=>[:index,:show,:get_sorted_and_filtered_bulletins] - before_filter :force_order_for_user,:except => [:index,:show,:get_sorted_and_filtered_bulletins] - before_filter :for_app_sub_manager,:except => [:index,:show,:get_sorted_and_filtered_bulletins] + prepend_before_filter :set_public, :only => [:index, :show, :get_sorted_and_filtered_bulletins] before_filter :only => [ :new, :create, :edit, :update ] do |controller| @categories = get_categories_for_form diff --git a/vendor/built_in_modules/page_content/app/controllers/panel/page_content/back_end/page_contexts_controller.rb b/vendor/built_in_modules/page_content/app/controllers/panel/page_content/back_end/page_contexts_controller.rb index 9b67fff07..8c4528c8b 100644 --- a/vendor/built_in_modules/page_content/app/controllers/panel/page_content/back_end/page_contexts_controller.rb +++ b/vendor/built_in_modules/page_content/app/controllers/panel/page_content/back_end/page_contexts_controller.rb @@ -1,9 +1,6 @@ class Panel::PageContent::BackEnd::PageContextsController < OrbitBackendController - before_filter :force_order_for_visitor,:only=>[:index] - before_filter :force_order_for_user,:except => [:index] - - before_filter :for_app_manager,:except => [:index] - before_filter :for_app_sub_manager,:except => [:index] + + prepend_before_filter :set_public, :only => [:index] #before_filter :is_admin? diff --git a/vendor/built_in_modules/page_content/app/models/page_context.rb b/vendor/built_in_modules/page_content/app/models/page_context.rb index e854c09eb..78b572fb0 100644 --- a/vendor/built_in_modules/page_content/app/models/page_context.rb +++ b/vendor/built_in_modules/page_content/app/models/page_context.rb 
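Review bot: Removing `before_filter :for_app_sub_manager` here, and `for_app_manager`/`for_app_sub_manager` in `page_contexts_controller.rb`, leaves `check_user_can_use` from `OrbitCoreLib::Authorization` as the only authorization gate, and that check also passes module approvers; page contexts previously required a manager for every non-index action, so this widens who can edit them unless that is the intent. If the old per-role restriction is still wanted, a controller-level filter on `@module_app.is_manager?(current_user)` for the non-public actions restores it; otherwise a comment stating that sub-managers and approvers are deliberately admitted would stop the next reader from re-adding it. Both class bodies continue outside their hunks.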
@@ -5,7 +5,7 @@ class PageContext include Mongoid::Timestamps include Mongoid::MultiParameterAttributes include Impressionist::Impressionable - include OrbitCoreLib::ObjectAuthable + include OrbitModel::Authorizable is_impressionable :counter_cache => { :column_name => :view_count }