diff --git a/app/controllers/admin/authorizations_controller.rb b/app/controllers/admin/authorizations_controller.rb
index 04681242..243dc6c7 100644
--- a/app/controllers/admin/authorizations_controller.rb
+++ b/app/controllers/admin/authorizations_controller.rb
@@ -1,13 +1,13 @@
 class Admin::AuthorizationsController < OrbitBackendController
- before_filter :admin_or_manager
+ prepend_before_filter :admin_or_manager
 def index
- @module_apps ||= ModuleApp.where(is_authorizable: true).order_by([:title, :asc])
+ @module_apps ||= ModuleApp.any_of({is_authorizable: true}, {is_approvable: true}).order_by([:title, :asc])
 if @module_apps && @module_apps.include?(@module_app)
 if @type
 case @type
- when 'category', 'approval'
+ when 'category_authorization', 'category_approval'
 if @module_app.has_category
 @objects = @module_app.categories
 else
@@ -18,12 +18,12 @@ class Admin::AuthorizationsController < OrbitBackendController
 end
 unless @objects.blank?
 @object ||= @objects.first
- @users = @object.get_object_auth_by_title("#{@type}_#{@module_app.key}").auth_users
+ @users = @object.get_authorization_by_title("#{@type}_#{@module_app.key}").authorized_users rescue nil
 else
 @error = t(:no_data)
 end
 else
- @users = @module_app.managing_users
+ @users = @module_app.managers
 end
 elsif @module_apps
 @module_app = @module_apps.first
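Review bot: `@users = @object.get_authorization_by_title(...).authorized_users rescue nil` in index turns every StandardError on that line into `@users = nil`, so a missing authorization record (the NoMethodError on nil) is indistinguishable from a real failure, and `@users` ends up nil in a branch where the sibling branch assigns a collection (`@module_app.managers`). Look the record up explicitly and fall back to an empty list: `authorization = @object.get_authorization_by_title("#{@type}_#{@module_app.key}")` / `@users = authorization ? authorization.authorized_users : []`. index continues past the end of this hunk.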
@@ -33,35 +33,42 @@ class Admin::AuthorizationsController < OrbitBackendController
 end
 end
- def add(users)
- unless users.blank?
- if @type
- if @object
- object_auth = @object.get_object_auth_by_title("#{@type}_#{@module_app.key}")
- add_users_to_object_auth(object_auth, users)
- else
- @error = t(:no_data)
- end
- else
- add_managers(users) unless users.blank?
- end
+ def add_roles
+ roles = Role.find(params[:role_ids]) rescue []
+ users = []
+ roles.each do |role|
+ users += role.users.all.entries
 end
- @users = users
- render 'admin/authorizations/insert_users'
+ unless roles.blank?
+ authorization = get_or_create_authorization
+ add_roles_to_auth(authorization, roles) unless @error
+ end
+ @users = authorization.authorized_users
+ render 'admin/authorizations/reload_users'
+ end
+
+ def add_sub_roles
+ sub_roles = SubRole.find(params[:sub_role_ids]) rescue []
+ users = []
+ sub_roles.each do |sub_role|
+ users += sub_role.users.all.entries
+ end
+ unless sub_roles.blank?
+ authorization = get_or_create_authorization
+ add_sub_roles_to_auth(authorization, sub_roles) unless @error
+ end
+ @users = authorization.authorized_users
+ render 'admin/authorizations/reload_users'
 end
 def add_users
 users = User.find(params[:user_ids]) rescue []
- add(users)
- end
-
- def add_roles
- roles = Role.find(params[:role_ids]) rescue []
- users = roles.inject([]) do |users, role|
- users += role.users.all.entries
- users
+ unless users.blank?
+ authorization = get_or_create_authorization
+ add_users_to_auth(authorization, users) unless @error
 end
- add(users)
+ @users = authorization.authorized_users
+ render 'admin/authorizations/reload_users'
 end
 def modal_select
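Review bot: In add_roles, `authorization` is assigned only inside `unless roles.blank?`, so when `Role.find` yields nothing (including the `rescue []` path, which swallows every error) `@users = authorization.authorized_users` is a NoMethodError on nil; and when get_or_create_authorization sets `@error` it evaluates to the `t(:no_data)` string, so the same line then fails on a String. add_sub_roles and add_users in this hunk, and remove_roles, remove_sub_roles and remove_users in the next hunk, repeat the pattern. Do the lookup unconditionally and give the view a collection in every case, e.g. `@users = authorization.respond_to?(:authorized_users) ? authorization.authorized_users : []`, with `@error` left for the template to display. The `rescue []` on the finder also means a malformed `role_ids` renders the reload template as if nothing happened instead of signalling a bad request.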
@@ -70,63 +77,111 @@ class Admin::AuthorizationsController < OrbitBackendController if @type @object_id = @object.id if @object @sorted_users = roles.inject({}) do |users, role| - users[role] = role.users.where(admin: false).not_guest_user - existing_users - @module_app.managing_users + users[role] = role.users.where(admin: false) - existing_users - @module_app.managers users end else @sorted_users = roles.inject({}) do |users, role| - users[role] = role.users.where(admin: false).not_guest_user - existing_users + users[role] = role.users.where(admin: false) - existing_users users end end end + def remove_roles + roles = Role.find(params[:role_ids]) rescue [] + unless roles.blank? + authorization = get_or_create_authorization + remove_roles_form_auth(authorization, roles) + end + @users = authorization.authorized_users + render 'admin/authorizations/reload_users' + end + + def remove_sub_roles + sub_roles = SubRole.find(params[:sub_role_ids]) rescue [] + unless sub_roles.blank? + authorization = get_or_create_authorization + remove_sub_roles_from_auth(authorization, sub_roles) + end + @users = authorization.authorized_users + render 'admin/authorizations/reload_users' + end + def remove_users @users = User.find(params[:ids]) rescue [] unless @users.blank? 
- if @type
- if @object
- object_auth = @object.get_object_auth_by_title("#{@type}_#{@module_app.key}")
- remove_users_form_object_auth(object_auth, @users)
- else
- @error = t(:no_data)
- end
- else
- remove_managers(@users)
- end
+ authorization = get_or_create_authorization
+ remove_users_from_auth(authorization, @users)
 end
- render 'admin/authorizations/remove_users'
+ @users = authorization.authorized_users
+ render 'admin/authorizations/reload_users'
 end
 protected
- def add_managers(users)
- users.each do |user|
- @module_app.assign_manager(user, current_user)
+ def add_managers_to_auth(users)
+ @module_app.add_managers(users)
+ end
+
+ def add_roles_to_auth(authorization, roles)
+ authorization.add_roles(roles)
+ end
+
+ def add_sub_roles_to_auth(authorization, sub_roles)
+ authorization.add_sub_roles(sub_roles)
+ end
+
+ def add_users_to_auth(authorization, users)
+ authorization.add_users(users)
+ end
+
+ def get_or_create_authorization
+ case @type
+ when 'category_approval'
+ if @object
+ @object.auth_approval || @object.create_auth_approval(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}")
+ else
+ @error = t(:no_data)
+ end
+ when 'category_authorization'
+ if @object
+ @object.auth_sub_manager || @object.create_auth_sub_manager(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}")
+ else
+ @error = t(:no_data)
+ end
+ when nil
+ @module_app.auth_manager || @module_app.create_auth_manager(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}")
+ else
+ auth = @object.get_authorization_by_title("#{@type}_#{@module_app.key}")
+ unless auth
+ auth = @object.create_auth_approval(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}") if @type.include?('approval')
+ auth = @object.create_auth_sub_manager(module_app_id: @module_app.id, title: "#{@type}_#{@module_app.key}") if @type.include?('authorization')
+ end
+ auth
 end
 end
- def add_users_to_object_auth(object_auth, users)
- users.each do
|user|
- object_auth.add_user_to_privilege_list(user)
- end
+ def remove_managers_from_auth(users)
+ @module_app.remove_manager(users)
 end
- def remove_managers(users)
- users.each do |user|
- @module_app.remove_manager(user)
- end
+ def remove_roles_form_auth(authorization, roles)
+ authorization.remove_roles(roles)
 end
- def remove_users_form_object_auth(object_auth, users)
- users.each do |user|
- object_auth.remove_user_from_privilege_list(user)
- end
+ def remove_sub_roles_from_auth(authorization, sub_roles)
+ authorization.remove_sub_roles(sub_roles)
+ end
+
+ def remove_users_from_auth(authorization, users)
+ authorization.remove_users(users)
 end
 private
 def admin_or_manager
+ @override_can_use = true
 setup_vars
 authenticate_user!
 user_is_manager?
@@ -136,7 +191,7 @@ class Admin::AuthorizationsController < OrbitBackendController
 @module_app = ModuleApp.first(conditions: {:key => params[:module]} ) if params[:module]
 @type = params[:type].underscore if params[:type]
 if @type
- @klass = @type.classify.constantize rescue nil
+ @klass = @type.gsub('_authorization', '').gsub('_approval', '').classify.constantize rescue nil
 @object = @klass.find(params[:id]) rescue nil
 end
 end
diff --git a/app/controllers/admin/dashboards_controller.rb b/app/controllers/admin/dashboards_controller.rb
index 7bf36ee3..ddb23570 100644
--- a/app/controllers/admin/dashboards_controller.rb
+++ b/app/controllers/admin/dashboards_controller.rb
@@ -4,6 +4,8 @@ class Admin::DashboardsController < OrbitBackendController
 #before_filter :authenticate_user!, :except => [:index]
 # before_filter :is_admin?
+ prepend_before_filter :set_public
+
 layout "basic_back_end"
 def index
diff --git a/app/controllers/admin/users_new_interface_controller.rb b/app/controllers/admin/users_new_interface_controller.rb
index fd62c29f..813a8d2e 100644
--- a/app/controllers/admin/users_new_interface_controller.rb
+++ b/app/controllers/admin/users_new_interface_controller.rb
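Review bot: get_or_create_authorization's `else` branch, reached for any `@type` other than the three listed, dereferences `@object` without the nil check the two category branches have, and creates an AuthApproval or AuthSubManager purely from substrings of `@type`; remove_roles, remove_sub_roles and remove_users also call it, so a removal request against an object that has no authorization yet creates one as a side effect of a revoke. Guard that branch like the others (`unless @object` / `@error = t(:no_data)` / `return nil`), have the no-data branches evaluate to nil rather than the translated string so callers can test the result, and give the remove_* actions a lookup-only helper that never writes. `remove_managers_from_auth` calls `@module_app.remove_manager(users)` while module_app.rb in this commit defines `remove_managers`; neither it nor add_managers_to_auth is called from this hunk, so it may be dead, but the mismatch surfaces as NoMethodError the moment it is used. The hunk starts inside modal_select, whose beginning is outside it.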
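Review bot: `@klass = @type.gsub(...).classify.constantize rescue nil` resolves a class name taken straight from `params[:type]`, and the next line calls `.find(params[:id])` on it, so any constant in the application can be looked up and queried by name from the request; the `rescue nil` only hides lookups that fail. Restrict the name to the models this module declares before constantizing, e.g. `name = @type.gsub('_authorization', '').gsub('_approval', '').classify` / `allowed = Array(@module_app.authorizable_models) + Array(@module_app.approvable_models) if @module_app` / `@klass = name.constantize if allowed && allowed.include?(name)`. That assumes those fields hold class names in the form classify produces, which the `klass.constantize` in the is_authorized helper on this page suggests but does not prove; if not, compare against the two literal type values get_or_create_authorization handles. setup_vars starts before this hunk.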
@@ -2,18 +2,9 @@ class Admin::UsersNewInterfaceController < OrbitMemberController
 helper MemberHelper
- # before_filter :authenticate_user!
- # before_filter :set_attribute, :only => [:index, :show, :new, :edit]
-
- before_filter :force_order_for_visitor,:only=>[:index,:show]
- before_filter :force_order_for_user,:except => [:index,:show]
 before_filter :set_attribute,:except => [:index,:show]
+ prepend_filter :set_public, :only => [:index, :show]
- def setup_vars
- # @app_title ||= controller_path.split('/')[1].singularize
- # @module_app ||= ModuleApp.first(conditions: {:key => @app_title} )
- # raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil?
- end
 def index
 get_tags
diff --git a/app/controllers/orbit_backend_controller.rb b/app/controllers/orbit_backend_controller.rb
index 2d220cfa..3b83c45f 100644
--- a/app/controllers/orbit_backend_controller.rb
+++ b/app/controllers/orbit_backend_controller.rb
@@ -1,7 +1,6 @@
 class OrbitBackendController < ApplicationController
 include OrbitCategory::Categorizing
- include OrbitCoreLib::AppBackendUtility
- include OrbitCoreLib::PermissionUtility
+ include OrbitCoreLib::Authorization
 include OrbitTag::Tagging
 include AdminHelper
 include ApplicationHelper
@@ -10,12 +9,6 @@ class OrbitBackendController < ApplicationController
 layout "back_end"
- def setup_vars
- @app_title ||= controller_path.split('/')[1].singularize
- @module_app ||= ModuleApp.first(conditions: {:key => @app_title} )
- raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil?
- end
-
 def get_statuses
 status = []
 status << 'is_top'
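Review bot: Removing `before_filter :force_order_for_user,:except => [:index,:show]` drops, for every action other than index and show, the chain that the orbit_backend_controller hunk below shows ran setup_vars, set_current_user, authenticate_user! and check_user_can_use, and the only filter added in its place is `prepend_filter :set_public, :only => [:index, :show]`. Unless `OrbitCoreLib::Authorization`, which OrbitMemberController now includes and which is not on this page, registers an authentication filter by default, the new/edit/update-style actions of this controller run unauthenticated; the same chain is deleted from orbit_backend_controller.rb and orbit_member_controller.rb. `prepend_filter` is also not the Rails callback name — the dashboards_controller hunk in this same commit uses `prepend_before_filter :set_public` — so unless the module defines it the class body raises at load time. I would write `prepend_before_filter :set_public, :only => [:index, :show]` and put a comment on the include stating which filters the module installs, so the authentication guarantee is visible in the controller.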
@@ -28,27 +21,4 @@ class OrbitBackendController < ApplicationController
 end
 status
 end
-
- private
-
- def force_order_for_visitor
- check_backend_openness
- setup_vars
- set_current_user
- end
-
-
- def force_order_for_user
- setup_vars
- set_current_user
- authenticate_user!
- check_user_can_use
- end
-
- def check_user_can_use
- unless check_permission
- #redirect_to polymorphic_path(['panel',@app_title,'back_end','public'])
- redirect_to root_url
- end
- end
 end
diff --git a/app/controllers/orbit_member_controller.rb b/app/controllers/orbit_member_controller.rb
index a018fc00..67af71f5 100644
--- a/app/controllers/orbit_member_controller.rb
+++ b/app/controllers/orbit_member_controller.rb
@@ -1,7 +1,6 @@
 class OrbitMemberController < ApplicationController
 include OrbitCategory::Categorizing
- include OrbitCoreLib::AppBackendUtility
- include OrbitCoreLib::PermissionUtility
+ include OrbitCoreLib::Authorization
 include OrbitTag::Tagging
 include AdminHelper
 include ApplicationHelper
@@ -10,12 +9,6 @@ class OrbitMemberController < ApplicationController
 layout "member"
- def setup_vars
- @app_title ||= controller_path.split('/')[1].singularize
- @module_app ||= ModuleApp.first(conditions: {:key => @app_title} )
- raise ModuleAppError, 'Can not find ModuleApp' if @module_app.nil?
- end
-
 def get_statuses
 status = []
 status << 'is_top'
@@ -28,27 +21,4 @@ class OrbitMemberController < ApplicationController
 end
 status
 end
-
- private
-
- def force_order_for_visitor
- check_backend_openness
- setup_vars
- set_current_user
- end
-
-
- def force_order_for_user
- setup_vars
- set_current_user
- authenticate_user!
- check_user_can_use
- end
-
- def check_user_can_use
- unless check_permission
- #redirect_to polymorphic_path(['panel',@app_title,'back_end','public'])
- redirect_to root_url
- end
- end
 end
diff --git a/app/helpers/orbit_backend_helper.rb b/app/helpers/orbit_backend_helper.rb
index a673e5d9..4d3fbf6d 100644
--- a/app/helpers/orbit_backend_helper.rb
+++ b/app/helpers/orbit_backend_helper.rb
@@ -321,9 +321,9 @@ module OrbitBackendHelper
 def is_authorized(object)
 autorized = @module_app.authorizable_models.inject(false) do |autorized, klass|
 if object.is_a?(klass.constantize)
- autorized ||= object.cur_user_is_sub_manager_of("#{klass.underscore}_#{@module_app.key}")
+ autorized ||= object.user_can_sub_manage?(current_user)
 else
- autorized ||= object.category.cur_user_is_sub_manager_of("category_#{@module_app.key}")
+ autorized ||= object.category.user_can_sub_manage?(current_user)
 end
 autorized
 end
diff --git a/app/models/auth/auth_approval.rb b/app/models/auth/auth_approval.rb
new file mode 100644
index 00000000..bdacec73
--- /dev/null
+++ b/app/models/auth/auth_approval.rb
@@ -0,0 +1,6 @@
+class AuthApproval < Authorization
+ field :title
+
+ belongs_to :approval_authorizable, polymorphic: true
+ has_and_belongs_to_many :authorized_users, class_name: 'User', inverse_of: 'approving_apps'
+end
\ No newline at end of file
diff --git a/app/models/auth/auth_manager.rb b/app/models/auth/auth_manager.rb
new file mode 100644
index 00000000..6ac3919e
--- /dev/null
+++ b/app/models/auth/auth_manager.rb
@@ -0,0 +1,4 @@
+class AuthManager < Authorization
+ # belongs_to :manager_authorizable, polymorphic: true
+ has_and_belongs_to_many :authorized_users, class_name: 'User', inverse_of: 'managing_apps'
+end
\ No newline at end of file
diff --git a/app/models/auth/auth_sub_manager.rb b/app/models/auth/auth_sub_manager.rb
new file mode 100644
index 00000000..b037bebf
--- /dev/null
+++ b/app/models/auth/auth_sub_manager.rb
@@ -0,0 +1,6 @@
+class AuthSubManager < Authorization
+ field :title
+
+ belongs_to :sub_manager_authorizable, polymorphic: true
+ has_and_belongs_to_many :authorized_users, class_name: 'User', inverse_of: 'sub_managing_apps'
+end
\ No newline at end of file
diff --git a/app/models/auth/authorization.rb b/app/models/auth/authorization.rb
new file mode 100644
index 00000000..26b909e7
--- /dev/null
+++ b/app/models/auth/authorization.rb 
@@ -0,0 +1,108 @@
+class Authorization
+ include Mongoid::Document
+ include Mongoid::Timestamps
+
+ field :title
+
+ belongs_to :module_app
+
+ has_and_belongs_to_many :roles
+ has_and_belongs_to_many :sub_roles
+
+ delegate :update_auth_approval_users, :update_auth_manager_users, :update_auth_sub_manager_users, to: :module_app, prefix: true, allow_nil: true
+
+ after_save :update_module_app
+
+
+ def add_roles(roles)
+ users = []
+ roles = Array(roles)
+ add_operation(:roles, roles)
+ sub_roles = []
+ roles.each{|role| role.sub_roles.each{|sub_role| sub_roles << sub_role.id}}
+ add_operation(:sub_roles, sub_roles)
+ roles.each{|role| role.users.where(admin: false).each{|user| users << user}}
+ add_users(users, false)
+ end
+
+ def add_sub_roles(sub_roles)
+ users = []
+ sub_roles = Array(sub_roles)
+ add_operation(:sub_roles, sub_roles)
+ sub_roles.each do |sub_role|
+ self.roles << sub_role.role unless self.roles.include?(sub_role.role)
+ sub_role.users.where(admin: false).each{|user| users << user}
+ end
+ add_users(users, false)
+ end
+
+ def add_users(users, with_parents = true)
+ users = Array(users)
+ add_operation(:authorized_users, users)
+ users.each do |user|
+ user.roles.each do |role|
+ self.roles << role unless self.roles.include?(role)
+ end
+ user.sub_roles.each do |sub_role|
+ self.sub_roles << sub_role unless self.sub_roles.include?(sub_role)
+ end
+ end if with_parents
+ self.save
+ end
+
+ def remove_roles(roles)
+ users = []
+ sub_roles = []
+ roles = Array(roles)
+ remove_operation(:roles, roles)
+ roles.each do |role|
+ role.sub_roles.each{|sub_role| sub_roles << sub_role}
+ role.users.where(admin: false).each{|user| users << user}
+ end
+ remove_operation(:sub_role_ids, sub_roles)
+ remove_operation(:authorized_user_ids, users)
+ add_roles(self.roles)
+ end
+
+ def remove_sub_roles(sub_roles)
+ users = []
+ sub_roles = Array(sub_roles)
+ remove_operation(:sub_roles, sub_roles)
+ sub_roles.each do |sub_role|
+ users <<
sub_role.users.where(admin: false)
+ end
+ remove_operation(:authorized_user_ids, users)
+ add_roles(self.roles)
+ end
+
+ def remove_users(users)
+ users = Array(users)
+ remove_operation(:authorized_user_ids, users)
+ self.save
+ end
+
+ protected
+
+ def add_operation(db_field, objs)
+ objs.each do |obj|
+ self.send(db_field) << obj unless self.send(db_field).include?(obj)
+ end
+ end
+
+ def remove_operation(db_field, obj)
+ self.write_attribute(db_field, self.send(db_field) - obj.map{|y| y.id})
+ end
+
+ private
+
+ def update_module_app
+ case self._type
+ when "AuthApproval"
+ self.module_app_update_auth_approval_users
+ when "AuthManager"
+ self.module_app_update_auth_manager_users
+ when "AuthSubManager"
+ self.module_app_update_auth_sub_manager_users
+ end
+ end
+end
\ No newline at end of file
diff --git a/app/models/category.rb b/app/models/category.rb
index 42d51bc3..027b86e0 100644
--- a/app/models/category.rb
+++ b/app/models/category.rb
@@ -1,7 +1,7 @@
 class Category
 include Mongoid::Document
 include Mongoid::Timestamps
- include OrbitCoreLib::ObjectAuthable
+ include OrbitModel::Authorizable
 field :disable, type: Boolean, default: false
 field :title, localize: true
diff --git a/app/models/module_app.rb b/app/models/module_app.rb
index 3fe38bdf..28284053 100644
--- a/app/models/module_app.rb
+++ b/app/models/module_app.rb
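Review bot: remove_roles does not actually remove the roles: `remove_operation(:roles, roles)` computes `self.roles - roles.map{|y| y.id}`, subtracting ids from an array of Role documents (no element matches), and then `write_attribute(:roles, ...)` writes a field that is not the relation's key, unlike the `:sub_role_ids` / `:authorized_user_ids` calls beside it. Because the roles survive, the trailing `add_roles(self.roles)` re-grants every user of the role that was meant to be revoked, so a revocation through this path silently leaves access in place. remove_sub_roles has the same `remove_operation(:sub_roles, sub_roles)` and additionally appends a query object rather than users with `users << sub_role.users.where(admin: false)`, so the `obj.map{|y| y.id}` in remove_operation receives a criteria instead of documents. Change them to `remove_operation(:role_ids, roles)`, `remove_operation(:sub_role_ids, sub_roles)` and `users.concat(sub_role.users.where(admin: false).to_a)`; add_roles likewise collects `sub_role.id` values and hands them to add_operation(:sub_roles, ...), which appends to the relation and so expects documents, not ids.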
@@ -1,16 +1,26 @@
 class ModuleApp
 include Mongoid::Document
 include Mongoid::Timestamps
- include OrbitCoreLib::ObjectTokenUtility
- include OrbitApp::ModuleAppMembershipTools
+ # include OrbitCoreLib::ObjectTokenUtility
+ # include OrbitApp::ModuleAppMembershipTools
+ field :auth_approval_users, type: Array, default: nil
+ field :auth_manager_users, type: Array, default: nil
+ field :auth_sub_manager_users, type: Array, default: nil
 field :key
 field :title
 field :sidebar_order,type: Integer,default: 0
+ has_one :auth_manager, dependent: :destroy
+ has_many :auth_approvals, dependent: :destroy
+ has_many :auth_sub_managers, dependent: :destroy
 has_many :categories, dependent: :destroy
 has_many :module_tags, dependent: :destroy
+ has_many :approvals #to remove
+
+ delegate :authorized_users, to: :auth_manager, prefix: true, allow_nil: true
+
 def refetch_setting!(reg)
 # %w{module_label category base_url version organization author intro update_info create_date}.each do |field|
 # self[field.to_sym] = reg.send field
@@ -24,6 +34,7 @@ class ModuleApp
 self[:has_category] = reg.get_has_category
 self[:is_approvable] = reg.get_is_approvable
 self[:is_authorizable] = reg.get_is_authorizable
+ self[:approvable_models] = reg.get_approvable_models
 self[:authorizable_models] = reg.get_authorizable_models
 end
@@ -168,4 +179,71 @@ class ModuleApp
 self.module_tags.map{|t| t.tag }
 end
+
+ # authorization
+ def update_auth_approval_users
+ user_ids = self.auth_approvals.inject([]) do |users, auth|
+ users += auth.authorized_users.map{|user| user.id}
+ end
+ update_attribute(:auth_approval_users, user_ids.uniq)
+ end
+
+ def update_auth_manager_users
+ update_attribute(:auth_manager_users, self.auth_manager_authorized_users.map{|user| user.id})
+ end
+
+ def update_auth_sub_manager_users
+ user_ids = self.auth_sub_managers.inject([]) do |users, auth|
+ users += auth.authorized_users.map{|user| user.id}
+ end
+ update_attribute(:auth_sub_manager_users, user_ids.uniq)
+ end
+
+ def managers
+ auth_manager_authorized_users || []
+ end
+
+ def user_can_manage?(user)
+ managers.include?(user)
+ end
+
+ def add_managers(users)
+ users = Array(users)
+ if auth_manager = self.auth_manager
+ auth_manager.update_attribute(:authorized_users, (auth_manager.authorized_users + users).uniq)
+ else
+ self.create_auth_manager(authorized_users: users)
+ end
+ end
+
+ def remove_managers(users)
+ users = Array(users)
+ users = users.delete_if{|user| user == current_user || is_admin?}
+ self.auth_manager.update_attribute(:authorized_users, auth_manager.authorized_users - users)
+ end
+
+ def is_manager?(user)
+ if user && !auth_manager_users.blank?
+ auth_manager_users.include?(user.id)
+ else
+ false
+ end
+ end
+
+ def is_sub_manager?(user)
+ if user && !auth_sub_manager_users.blank?
+ auth_sub_manager_users.include?(user.id)
+ else
+ false
+ end
+ end
+
+ def can_approve?(user)
+ if user && !auth_approval_users.blank?
+ auth_approval_users.include?(user.id)
+ else
+ false
+ end
+ end
+
 end
diff --git a/app/models/user/user.rb b/app/models/user/user.rb
index 0c547fd4..97142cf8 100644
--- a/app/models/user/user.rb
+++ b/app/models/user/user.rb
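Review bot: remove_managers calls `current_user` and `is_admin?` from inside the ModuleApp model; neither is defined in this class on the page and both appear elsewhere in this diff as controller/helper-level names (the helper hunk passes `current_user` in as an argument), so the first removal would raise NameError unless the model mixes them in, and since `is_admin?` takes no user, if it does resolve and is true the `delete_if` drops every user and nothing is revoked. `self.auth_manager.update_attribute` also fails on nil when no AuthManager exists yet, a case add_managers handles and this method does not. Take the acting user explicitly, `def remove_managers(users, acting_user = nil)`, reject with `user == acting_user`, and add `return if auth_manager.nil?`. Separately, is_manager?, is_sub_manager? and can_approve? decide from the cached `auth_*_users` id arrays while user_can_manage? reads the live relation; the caches are refreshed only through Authorization's after_save, so any write to authorized_users that bypasses that callback leaves a stale grant or revocation — the three fields deserve a comment saying they are derived and must not be assigned directly.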
@@ -19,12 +19,16 @@ class User
 field :cache_dept,type: Hash
 field :status_record,type: Hash
+ has_and_belongs_to_many :approving_apps, class_name: 'AuthApproval', inverse_of: 'authorized_users'
+ has_and_belongs_to_many :managing_apps, class_name: 'AuthManager', inverse_of: 'authorized_users'
+ has_and_belongs_to_many :sub_managing_apps, class_name: 'AuthSubManager', inverse_of: 'authorized_users'
+
 has_many :attribute_values, :autosave => true, :dependent => :destroy
 has_many :app_auths,as: :privilege_apps,:inverse_of => :privilege_lists
 has_many :blocked_apps, :inverse_of => :blocked_users, :class_name => "AppAuth", :dependent => :destroy
 has_many :privilege_apps, :inverse_of => :privilege_users, :class_name => "AppAuth", :dependent => :destroy
- has_many :managing_apps,:class_name => "AppManager", :dependent => :destroy
+ # has_many :managing_apps,:class_name => "AppManager", :dependent => :destroy
 has_one :desktop, :autosave => true, :dependent => :destroy
 has_one :facebook, :autosave => true, :dependent => :destroy
 has_many :other_accounts, :autosave => true, :dependent => :destroy
@@ -273,8 +277,8 @@ class User
 end
 def managed_module_apps
- self.managing_apps.inject([]) do |managed_apps, app_manager|
- managed_apps << app_manager.managing_app unless app_manager.managing_app.blank?
+ self.managing_apps.inject([]) do |managed_apps, auth_manager|
+ managed_apps << auth_manager.module_app
 managed_apps
 end
 end
diff --git a/app/views/admin/authorizations/_user.html.erb b/app/views/admin/authorizations/_user.html.erb
index 2723234e..7a3ac794 100644
--- a/app/views/admin/authorizations/_user.html.erb
+++ b/app/views/admin/authorizations/_user.html.erb
@@ -1,10 +1,10 @@
-
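Review bot: managed_module_apps drops the `unless ... blank?` guard the old version had, so an AuthManager whose module_app association resolves to nil now puts nil into the returned array and any caller that iterates it fails with NoMethodError. Keep the guard, `managed_apps << auth_manager.module_app unless auth_manager.module_app.blank?`, or reduce the method to `self.managing_apps.map(&:module_app).compact`. The HABTM `managing_apps` added in the first hunk replaces a `has_many` that carried `:dependent => :destroy`; whether destroying a User now leaves its id behind in AuthManager's authorized_user_ids depends on how the inverse is maintained, which is not visible here and is worth a comment next to the relation.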