card-mod-permissions 0.11.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 979a6aa27a0485313d0b7c8716ce592eb4a006d8de7b0d72b93818fcaba9e168
+  data.tar.gz: 4ec1cebed12cc29ae51379cdeb255c43483533f39f3bfc5737f97e603757a55c
+SHA512:
+  metadata.gz: 2561983f02c9b533f50f8e9c3a13f510b83d159d16d75dd5f20173cad22db7451e183cde9ec69f5e83a799c4017e017c8a1c473ff662fbe1ee2e51893e5e4e51
+  data.tar.gz: e536cbe5b71e9f486c224e918b46889a9b23666d7536ad67cdf87237a93830923e193319bac81739e463b9706f0a7a5e403d3f2760b33df9fb54845078175da5

data/set/abstract/permission.rb

@@ -0,0 +1,122 @@
+
+def standardize_items
+  super unless content == "_left"
+end
+
+def options_rule_card
+  Card[:cards_with_account]
+end
+
+format :html do
+  view :pointer_core do
+    wrap_with :div, pointer_items, class: "pointer-list"
+  end
+
+  view :core, cache: :never do
+    if card.content == "_left"
+      core_inherit_content
+    else
+      render! :pointer_core
+    end
+  end
+
+  view :one_line_content, cache: :never do
+    render_core items: { view: :link }
+  end
+
+  view :input do
+    item_names = inheriting? ? [] : card.item_names
+    %(
+      #{_render_hidden_content_field}
+      <div class="perm-editor">
+        #{inheritance_checkbox}
+        <div class="perm-group perm-vals perm-section">
+          <h5 class="text-muted">Groups</h5>
+          #{groups item_names}
+        </div>
+
+        <div class="perm-indiv perm-vals perm-section">
+          <h5 class="text-muted">Individuals</h5>
+          #{list_input item_list: item_names, extra_css_class: 'perm-indiv-ul'}
+        </div>
+      </div>
+    )
+  end
+
+  private
+
+  def groups item_names
+    group_options.map do |option|
+      checked = !item_names.delete(option.name).nil?
+      icon = icon_tag "open_in_new", "link-muted"
+      option_link = link_to_card option.name, icon, target: "decko_role"
+      box = check_box_tag "#{option.key}-perm-checkbox",
+                          option.name, checked, class: "perm-checkbox-button"
+      <<-HTML
+        <div class="form-check checkbox">
+          <label class="form-check-label">
+            #{box} #{option.name} #{option_link}
+          </label>
+        </div>
+      HTML
+    end * "\n"
+  end
+
+  def group_options
+    Auth.as_bot do
+      Card.search({ type_id: RoleID, sort: "name" }, "roles by name")
+    end
+  end
+
+  def inheritable?
+    @inheritable ||=
+      begin
+        set_name = card.name.trunk_name
+        set_card = Card.fetch(set_name)
+        not_set = set_card && set_card.type_id != SetID
+        not_set ? false : set_card.inheritable?
+      end
+  end
+
+  def inheriting?
+    @inheriting ||= inheritable? && card.content == "_left"
+  end
+
+  def inheritance_checkbox
+    return unless inheritable?
+    <<-HTML
+      <div class="perm-inheritance perm-section">
+        #{check_box_tag 'inherit', 'inherit', inheriting?}
+        <label>
+          #{core_inherit_content}
+          #{wrap_with(:a, title: "use left's #{card.name.tag} rule") { '?' }}
+        </label>
+      </div>
+    HTML
+  end
+
+  def core_inherit_content
+    text = if in_context_of_self_set?
+             core_inherit_for_content_for_self_set
+           else
+             "Inherit from left card"
+           end
+    %(<span class="inherit-perm">#{text}</span>)
+  end
+
+  def in_context_of_self_set?
+    return false unless @set_context
+    @set_context.to_name.tag_name.key == Card[:self].key
+  end
+
+  def core_inherit_for_content_for_self_set
+    task = card.tag.codename
+    ancestor = Card[@set_context.trunk_name.trunk_name]
+    links = ancestor.who_can(task).map do |card_id|
+      link_to_card card_id, nil, target: args[:target]
+    end * ", "
+    "Inherit ( #{links} )"
+  rescue
+    "Inherit"
+  end
+end

data/set/all/permissions.rb

@@ -0,0 +1,227 @@
+module ClassMethods
+  def repair_all_permissions
+    Card.where("(read_rule_class is null or read_rule_id is null) and trash is false")
+        .each do |broken_card|
+      broken_card.include_set_modules
+      broken_card.repair_permissions!
+    end
+  end
+end
+
+def repair_permissions!
+  rule_id, rule_class = permission_rule_id_and_class :read
+  update_columns read_rule_id: rule_id, read_rule_class: rule_class
+end
+
+# ok? and ok! are public facing methods to approve one action at a time
+#
+#   fetching: if the optional :trait parameter is supplied, it is passed
+#      to fetch and the test is perfomed on the fetched card, therefore:
+#
+#      trait: :account      would fetch this card plus a tag codenamed :account
+#      trait: :roles, new: {} would initialize a new card with default ({})
+# options.
+
+def ok? action
+  @ok ||= {}
+  aok = @ok[Auth.as_id] ||= {}
+  if (cached = aok[action])
+    cached
+  else
+    aok[action] = send "ok_to_#{action}"
+  end
+end
+
+def ok! action
+  raise Card::Error::PermissionDenied, self unless ok? action
+end
+
+def who_can action
+  permission_rule_card(action).item_cards.map(&:id)
+end
+
+def anyone_can? action
+  who_can(action).include? AnyoneID
+end
+
+def direct_rule_card action
+  direct_rule_id = rule_card_id action
+  require_permission_rule! direct_rule_id, action
+  Card.quick_fetch direct_rule_id
+end
+
+def permission_rule_id action
+  if junction? && rule(action).match?(/^\[?\[?_left\]?\]?$/)
+    left_permission_rule_id action
+  else
+    rule_card_id(action)
+  end
+end
+
+def permission_rule_id_and_class action
+  [permission_rule_id(action), direct_rule_card(action).rule_class_name]
+end
+
+def left_permission_rule_id action
+  lcard = left_or_new(skip_virtual: true, skip_modules: true)
+  if action == :create && lcard.real? && lcard.action != :create
+    action = :update
+  end
+  lcard.permission_rule_id action
+end
+
+def permission_rule_card action
+  Card.fetch permission_rule_id(action)
+end
+
+def require_permission_rule! rule_id, action
+  return if rule_id
+  # RULE missing.  should not be possible.
+  # generalize this to handling of all required rules
+  errors.add :permission_denied, tr(:error_no_action_rule, action: action, name: name)
+  raise Card::Error::PermissionDenied, self
+end
+
+def rule_class_name
+  trunk.type_id == SetID ? name.trunk_name.tag : nil
+end
+
+def you_cant what
+  "You don't have permission to #{what}"
+end
+
+def deny_because why
+  @permission_errors << why if @permission_errors
+  false
+end
+
+def permitted? action
+  return false if Card.config.read_only # :read does not call #permit
+  return true if Auth.always_ok?
+
+  Auth.as_card.among? who_can(action)
+end
+
+def permit action, verb=nil
+  # not called by ok_to_read
+  if Card.config.read_only
+    deny_because "Currently in read-only mode"
+    return false
+  end
+
+  return true if permitted? action
+  verb ||= action.to_s
+  deny_because you_cant("#{verb} #{name.present? ? name : 'this'}")
+end
+
+def ok_to_create
+  return false unless permit :create
+  return true if simple?
+
+  %i[left right].find { |side| !ok_to_create_side side } ? false : true
+end
+
+def ok_to_create_side side
+  # left is supercard; create permissions will get checked there.
+  return true if side == :left && superleft
+  part_card = send side, new: {}
+  # if no card, there must be other errors
+  return true unless part_card&.new_card? && !part_card.ok?(:create)
+
+  deny_because you_cant("create #{part_card.name}")
+  false
+end
+
+def ok_to_read
+  return true if Auth.always_ok?
+
+  self.read_rule_id ||= permission_rule_id :read
+  return true if Auth.as_card.read_rules_hash[read_rule_id]
+
+  deny_because you_cant "read this"
+end
+
+def ok_to_update
+  return false unless permit(:update)
+  return true unless type_id_changed? && !permitted?(:create)
+  deny_because you_cant("change to this type (need create permission)")
+end
+
+def ok_to_delete
+  permit :delete
+end
+
+# don't know why we introduced this
+# but we have to preserve read rules to make
+# delete acts visible in recent changes -pk
+# event :clear_read_rule, :store, on: :delete do
+#   self.read_rule_id = self.read_rule_class = nil
+# end
+
+event :set_read_rule, :store, on: :save, changed: %i[type_id name] do
+  read_rule_id, read_rule_class = permission_rule_id_and_class(:read)
+  self.read_rule_id = read_rule_id
+  self.read_rule_class = read_rule_class
+end
+
+event :set_field_read_rules, after: :set_read_rule, on: :update, changed: :type_id do
+  each_field_as_bot(&:update_read_rule)
+end
+
+def update_field_read_rules
+  return unless type_id_changed? || read_rule_id_changed?
+  each_field_as_bot do |field|
+    field.update_read_rule if field.rule(:read) == "_left"
+  end
+end
+
+def each_field_as_bot
+  # find all cards with me as trunk and update their read_rule
+  # (because of *type plus right)
+  # skip if name is updated because will already be resaved
+  Auth.as_bot do
+    fields.each { |field| yield field }
+  end
+end
+
+def without_timestamps
+  Card.record_timestamps = false
+  yield
+ensure
+  Card.record_timestamps = true
+end
+
+event :update_read_rule do
+  without_timestamps do
+    reset_patterns # why is this needed?
+    rcard_id, rclass = permission_rule_id_and_class :read
+    # these two are just to make sure vals are correct on current object
+    self.read_rule_id = rcard_id
+    self.read_rule_class = rclass
+    Card.where(id: id).update_all read_rule_id: rcard_id, read_rule_class: rclass
+    expire :hard
+    update_field_read_rules
+  end
+end
+
+def add_to_read_rule_update_queue updates
+  @read_rule_update_queue = Array.wrap(@read_rule_update_queue).concat updates
+end
+
+event :check_permissions, :validate do
+  track_permission_errors do
+    ok? action_for_permission_check
+  end
+end
+
+def action_for_permission_check
+  commenting? ? :update : action
+end
+
+def track_permission_errors
+  @permission_errors = []
+  result = yield
+  @permission_errors.each { |msg| errors.add :permission_denied, msg }
+  @permission_errors = nil
+  result
+end

data/set/all/update_read_rules.rb

@@ -0,0 +1,12 @@
+
+# FIXME: the following don't really belong here, but they have to come after
+# the reference stuff.  we need to organize a bit!
+
+event :update_rule_cache, :finalize, when: :is_rule? do
+  Card::Rule.clear_rule_cache
+end
+
+event :expire_related, :finalize do
+  reset_patterns
+  structuree_names.each { |name| Director.expirees << name } if is_structure?
+end

data/set/right/create.rb

@@ -0,0 +1 @@
+include_set Abstract::Permission

data/set/right/delete.rb

@@ -0,0 +1 @@
+include_set Abstract::Permission

data/set/right/read.rb

@@ -0,0 +1,79 @@
+include Abstract::Permission
+
+format :html do include Abstract::Permission::HtmlFormat end
+
+event :cascade_read_rule, :finalize, after: :update_rule_cache, when: :is_rule? do
+  return unless name_is_changing? || trash_is_changing?
+
+  update_read_ruled_cards
+end
+
+def update_read_ruled_cards
+  Card::Rule.clear_read_rule_cache
+  Card.cache.reset # maybe be more surgical, just Auth.user related
+  expire # probably shouldn't be necessary,
+  # but was sometimes getting cached version when card should be in the
+  # trash.  could be related to other bugs?
+
+  processed = update_read_rules_of_set_members
+  update_cards_with_read_rule_id processed unless new?
+end
+
+def update_read_rules_of_set_members
+  return unless rule_pattern_index
+
+  each_member do |member, processed|
+    processed << member.key
+    member.update_read_rule unless member_has_overriding_rule?(member)
+  end
+end
+
+def member_has_overriding_rule? member
+  pattern_index(Card.fetch_id(member.read_rule_class)) < rule_pattern_index
+end
+
+# cards with this card as a read_rule_id
+# These may include cards that are no longer set members if the card was renamed
+# (edge case)
+def update_cards_with_read_rule_id processed
+  processed ||= ::Set.new
+  Card::Auth.as_bot do
+    Card.search(read_rule_id: id) do |card|
+      card.update_read_rule unless processed.include?(card.key)
+    end
+  end
+end
+
+def each_member
+  Auth.as_bot do
+    all_members.each_with_object(::Set.new) do |member, processed|
+      yield member, processed
+    end
+  end
+end
+
+def all_members
+  rule_set.item_cards limit: 0
+end
+
+def rule_pattern_index
+  return if trash
+
+  @rule_pattern_index ||= pattern_index rule_set&.tag&.id
+end
+
+def pattern_index pattern_id
+  pattern_ids.index(pattern_id) || invalid_pattern_id(pattern_id)
+end
+
+def pattern_ids
+  @pattern_ids ||= set_patterns.map(&:pattern_id)
+end
+
+def invalid_pattern_id pattern_id
+  Rails.logger.info "invalid pattern id for read rule: #{pattern_id}"
+end
+
+event :process_read_rule_update_queue, :finalize do
+  left&.update_read_rule
+end

data/set/right/update.rb

@@ -0,0 +1 @@
+include_set Abstract::Permission

data/set/self/create.rb

@@ -0,0 +1,3 @@
+setting_opts group: :permission, position: 1, rule_type_editable: false,
+             short_help_text: "who can create cards",
+             help_text: "Who can create new cards"

data/set/self/delete.rb

@@ -0,0 +1,3 @@
+setting_opts group: :permission, position: 4, rule_type_editable: false,
+             short_help_text: "who can delete cards",
+             help_text: "Who can delete cards"

data/set/self/read.rb

@@ -0,0 +1,3 @@
+setting_opts group: :permission, position: 2, rule_type_editable: false,
+             short_help_text: "who can view cards",
+             help_text: "Who can view cards in the [[set]]."

data/set/self/update.rb

@@ -0,0 +1,3 @@
+setting_opts group: :permission, position: 3, rule_type_editable: false,
+             short_help_text: "who can update cards",
+             help_text: "Who can update cards"

metadata

@@ -0,0 +1,71 @@
+--- !ruby/object:Gem::Specification
+name: card-mod-permissions
+version: !ruby/object:Gem::Version
+  version: 0.11.0
+platform: ruby
+authors:
+- Ethan McCutchen
+- Philipp Kühl
+- Gerry Gleason
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2020-12-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: card
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.101.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.101.0
+description: ''
+email:
+- info@decko.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- set/abstract/permission.rb
+- set/all/permissions.rb
+- set/all/update_read_rules.rb
+- set/right/create.rb
+- set/right/delete.rb
+- set/right/read.rb
+- set/right/update.rb
+- set/self/create.rb
+- set/self/delete.rb
+- set/self/read.rb
+- set/self/update.rb
+homepage: http://decko.org
+licenses:
+- GPL-3.0
+metadata:
+  card-mod: permissions
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.5'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key:
+specification_version: 4
+summary: decko permissions
+test_files: []