RubyGems - decidim-participatory_processes - Versions diffs - 0.11.2 → 0.12.0.pre - Mend

decidim-participatory_processes 0.11.2 → 0.12.0.pre

Files changed (66) hide show

data/app/controllers/decidim/participatory_processes/admin/participatory_process_user_roles_controller.rb CHANGED Viewed

@@ -9,17 +9,17 @@ module Decidim
         include Concerns::ParticipatoryProcessAdmin
         def index
-          authorize! :read, Decidim::ParticipatoryProcessUserRole
+          enforce_permission_to :read, :process_user_role
           @participatory_process_user_roles = collection
         end
         def new
-          authorize! :create, Decidim::ParticipatoryProcessUserRole
+          enforce_permission_to :create, :process_user_role
           @form = form(ParticipatoryProcessUserRoleForm).instance
         end
         def create
-          authorize! :create, Decidim::ParticipatoryProcessUserRole
+          enforce_permission_to :create, :process_user_role
           @form = form(ParticipatoryProcessUserRoleForm).from_params(params)
           CreateParticipatoryProcessAdmin.call(@form, current_user, current_participatory_process) do
@@ -36,13 +36,13 @@ module Decidim
         def edit
           @user_role = collection.find(params[:id])
-          authorize! :update, @user_role
+          enforce_permission_to :update, :process_user_role, process_user_role: @user_role
           @form = form(ParticipatoryProcessUserRoleForm).from_model(@user_role.user)
         end
         def update
           @user_role = collection.find(params[:id])
-          authorize! :update, @user_role
+          enforce_permission_to :update, :process_user_role, process_user_role: @user_role
           @form = form(ParticipatoryProcessUserRoleForm).from_params(params)
           UpdateParticipatoryProcessAdmin.call(@form, @user_role) do
@@ -60,7 +60,7 @@ module Decidim
         def destroy
           @participatory_process_user_role = collection.find(params[:id])
-          authorize! :destroy, @participatory_process_user_role
+          enforce_permission_to :destroy, :process_user_role, process_user_role: @participatory_process_user_role
           DestroyParticipatoryProcessAdmin.call(@participatory_process_user_role, current_user) do
             on(:ok) do
@@ -72,7 +72,7 @@ module Decidim
         def resend_invitation
           @user_role = collection.find(params[:id])
-          authorize! :invite, @user_role
+          enforce_permission_to :invite, :process_user_role, process_user_role: @user_role
           InviteUserAgain.call(@user_role.user, "invite_admin") do
             on(:ok) do

data/app/controllers/decidim/participatory_processes/admin/participatory_processes_controller.rb CHANGED Viewed

@@ -5,7 +5,7 @@ module Decidim
     module Admin
       # Controller that allows managing participatory processes.
       #
-      class ParticipatoryProcessesController < Decidim::Admin::ApplicationController
+      class ParticipatoryProcessesController < Decidim::ParticipatoryProcesses::Admin::ApplicationController
         include Decidim::Admin::ParticipatorySpaceAdminContext
         participatory_space_admin_layout only: [:edit]
@@ -16,17 +16,17 @@ module Decidim
         layout "decidim/admin/participatory_processes"
         def index
-          authorize! :index, Decidim::ParticipatoryProcess
+          enforce_permission_to :read, :process_list
           @participatory_processes = collection
         end
         def new
-          authorize! :new, Decidim::ParticipatoryProcess
+          enforce_permission_to :create, :process
           @form = form(ParticipatoryProcessForm).instance
         end
         def create
-          authorize! :new, Decidim::ParticipatoryProcess
+          enforce_permission_to :create, :process
           @form = form(ParticipatoryProcessForm).from_params(params)
           CreateParticipatoryProcess.call(@form) do
@@ -43,13 +43,13 @@ module Decidim
         end
         def edit
-          authorize! :update, current_participatory_process
+          enforce_permission_to :update, :process, process: current_participatory_process
           @form = form(ParticipatoryProcessForm).from_model(current_participatory_process)
           render layout: "decidim/admin/participatory_process"
         end
         def update
-          authorize! :update, current_participatory_process
+          enforce_permission_to :update, :process, process: current_participatory_process
           @form = form(ParticipatoryProcessForm).from_params(
             participatory_process_params,
             process_id: current_participatory_process.id
@@ -69,7 +69,7 @@ module Decidim
         end
         def destroy
-          authorize! :destroy, current_participatory_process
+          enforce_permission_to :destroy, :process, process: current_participatory_process
           current_participatory_process.destroy!
           flash[:notice] = I18n.t("participatory_processes.destroy.success", scope: "decidim.admin")
@@ -78,7 +78,7 @@ module Decidim
         end
         def copy
-          authorize! :create, Decidim::ParticipatoryProcess
+          enforce_permission_to :create, Decidim::ParticipatoryProcess
         end
         private
@@ -95,10 +95,6 @@ module Decidim
           @collection ||= Decidim::ParticipatoryProcessesWithUserRole.for(current_user)
         end
-        def ability_context
-          super.merge(current_participatory_space: current_participatory_process)
-        end
         def participatory_process_params
           {
             id: params[:slug],

data/app/controllers/decidim/participatory_processes/admin/participatory_space_private_users_controller.rb CHANGED Viewed

@@ -17,7 +17,7 @@ module Decidim
         end
         def authorization_object
-          @participatory_space_private_user || ParticipatorySpacePrivateUser
+          @participatory_space_private_user
         end
       end
     end

data/app/controllers/decidim/participatory_processes/application_controller.rb CHANGED Viewed

@@ -6,6 +6,22 @@ module Decidim
     # this engine inherit.
     class ApplicationController < Decidim::ApplicationController
       helper Decidim::ParticipatoryProcesses::ApplicationHelper
+      include NeedsPermission
+      private
+      def permission_class_chain
+        [
+          Decidim::ParticipatoryProcesses::Permissions,
+          Decidim::Admin::Permissions,
+          Decidim::Permissions
+        ]
+      end
+      def permission_scope
+        :public
+      end
     end
   end
 end

data/app/controllers/decidim/participatory_processes/participatory_process_groups_controller.rb CHANGED Viewed

@@ -8,8 +8,12 @@ module Decidim
       before_action :set_group
+      def index
+        enforce_permission_to :list, :process_group
+      end
       def show
-        authorize! :read, ParticipatoryProcessGroup
+        enforce_permission_to :read, :process_group, process_group: @group
       end
       private

data/app/controllers/decidim/participatory_processes/participatory_processes_controller.rb CHANGED Viewed

@@ -21,8 +21,8 @@ module Decidim
       def index
         redirect_to "/404" if published_processes.none?
-        authorize! :read, ParticipatoryProcess
-        authorize! :read, ParticipatoryProcessGroup
+        enforce_permission_to :list, :process
+        enforce_permission_to :list, :process_group
       end
       def show

data/app/models/decidim/participatory_process.rb CHANGED Viewed

@@ -70,6 +70,11 @@ module Decidim
       Decidim::ParticipatoryProcesses::AdminLog::ParticipatoryProcessPresenter
     end
+    def past?
+      return false if end_date.blank?
+      end_date < Time.current
+    end
     def hashtag
       attributes["hashtag"].to_s.delete("#")
     end
@@ -81,5 +86,11 @@ module Decidim
     def self.private_processes
       where(private_space: true)
     end
+    def can_participate?(user)
+      return true unless private_space?
+      return true if private_space? && users.include?(user)
+      false
+    end
   end
 end

data/app/models/decidim/participatory_process_group.rb CHANGED Viewed

@@ -2,6 +2,8 @@
 module Decidim
   class ParticipatoryProcessGroup < ApplicationRecord
+    include Decidim::Resourceable
     has_many :participatory_processes,
              foreign_key: "decidim_participatory_process_group_id",
              class_name: "Decidim::ParticipatoryProcess",

data/app/permissions/decidim/participatory_processes/permissions.rb ADDED Viewed

@@ -0,0 +1,261 @@
+# frozen_string_literal: true
+module Decidim
+  module ParticipatoryProcesses
+    class Permissions < Decidim::DefaultPermissions
+      def permissions
+        user_can_enter_processes_space_area?
+        user_can_enter_process_groups_space_area?
+        return permission_action if process && !process.is_a?(Decidim::ParticipatoryProcess)
+        if permission_action.scope == :public
+          public_list_processes_action?
+          public_list_process_groups_action?
+          public_read_process_group_action?
+          public_read_process_action?
+          public_report_content_action?
+          return permission_action
+        end
+        return permission_action unless user
+        if !has_manageable_processes? && !user.admin?
+          disallow!
+          return permission_action
+        end
+        return permission_action unless permission_action.scope == :admin
+        valid_process_group_action?
+        if read_admin_dashboard_action?
+          user_can_read_admin_dashboard?
+          return permission_action
+        end
+        user_can_read_process_list?
+        user_can_read_current_process?
+        user_can_create_process?
+        user_can_destroy_process?
+        # org admins and space admins can do everything in the admin section
+        org_admin_action?
+        return permission_action unless process
+        moderator_action?
+        collaborator_action?
+        process_admin_action?
+        permission_action
+      end
+      private
+      # It's an admin user if it's an organization admin or is a space admin
+      # for the current `process`.
+      def admin_user?
+        user.admin? || (process ? can_manage_process?(role: :admin) : has_manageable_processes?)
+      end
+      # Checks if it has any manageable process, with any possible role.
+      def has_manageable_processes?(role: :any)
+        return unless user
+        participatory_processes_with_role_privileges(role).any?
+      end
+      # Whether the user can manage the given process or not.
+      def can_manage_process?(role: :any)
+        return unless user
+        participatory_processes_with_role_privileges(role).include? process
+      end
+      # Returns a collection of Participatory processes where the given user has the
+      # specific role privilege.
+      def participatory_processes_with_role_privileges(role)
+        Decidim::ParticipatoryProcessesWithUserRole.for(user, role)
+      end
+      def public_list_processes_action?
+        return unless permission_action.action == :list &&
+                      permission_action.subject == :process
+        allow!
+      end
+      def public_list_process_groups_action?
+        return unless permission_action.action == :list &&
+                      permission_action.subject == :process_group
+        allow!
+      end
+      def public_read_process_group_action?
+        return unless permission_action.action == :read &&
+                      permission_action.subject == :process_group &&
+                      process_group
+        allow!
+      end
+      def public_read_process_action?
+        return unless permission_action.action == :read &&
+                      [:process, :participatory_space].include?(permission_action.subject) &&
+                      process
+        return allow! if user&.admin?
+        return allow! if process.published?
+        toggle_allow(can_manage_process?)
+      end
+      def public_report_content_action?
+        return unless permission_action.action == :create &&
+                      permission_action.subject == :moderation
+        allow!
+      end
+      # Only organization admins can enter the process groups space area.
+      def user_can_enter_process_groups_space_area?
+        return unless permission_action.action == :enter &&
+                      permission_action.scope == :admin &&
+                      permission_action.subject == :space_area &&
+                      context.fetch(:space_name, nil) == :process_groups
+        toggle_allow(user.admin?)
+      end
+      # All users with a relation to a process and organization admins can enter
+      # the processes space area.
+      def user_can_enter_processes_space_area?
+        return unless permission_action.action == :enter &&
+                      permission_action.scope == :admin &&
+                      permission_action.subject == :space_area &&
+                      context.fetch(:space_name, nil) == :processes
+        toggle_allow(user.admin? || has_manageable_processes?)
+      end
+      # Only organization admins can manage process groups.
+      def valid_process_group_action?
+        return unless permission_action.subject == :process_group
+        toggle_allow(user.admin?)
+      end
+      # Checks if the permission_action is to read in the admin or not.
+      def admin_read_permission_action?
+        permission_action.action == :read
+      end
+      def read_admin_dashboard_action?
+        permission_action.action == :read &&
+          permission_action.subject == :admin_dashboard
+      end
+      # Any user that can enter the space area can read the admin dashboard.
+      def user_can_read_admin_dashboard?
+        toggle_allow(user.admin? || has_manageable_processes?)
+      end
+      # Only organization admins can create a process
+      def user_can_create_process?
+        return unless permission_action.action == :create &&
+                      permission_action.subject == :process
+        toggle_allow(user.admin?)
+      end
+      # Only organization admins can destroy a process
+      def user_can_destroy_process?
+        return unless permission_action.action == :destroy &&
+                      permission_action.subject == :process
+        toggle_allow(user.admin?)
+      end
+      # Everyone can read the process list
+      def user_can_read_process_list?
+        return unless read_process_list_permission_action?
+        toggle_allow(user.admin? || has_manageable_processes?)
+      end
+      def user_can_read_current_process?
+        return unless read_process_list_permission_action?
+        return if permission_action.subject == :process_list
+        toggle_allow(user.admin? || can_manage_process?)
+      end
+      # A moderator needs to be able to read the process they are assigned to,
+      # and needs to perform all actions for the moderations of that process.
+      def moderator_action?
+        return unless can_manage_process?(role: :moderator)
+        allow! if permission_action.subject == :moderation
+      end
+      # Collaborators can read/preview everything inside their process.
+      def collaborator_action?
+        return unless can_manage_process?(role: :collaborator)
+        allow! if permission_action.action == :read || permission_action.action == :preview
+      end
+      # Process admins can eprform everything *inside* that process. They cannot
+      # create a process or perform actions on process groups or other
+      # processes. They cannot destroy their process either.
+      def process_admin_action?
+        return unless can_manage_process?(role: :admin)
+        return if user.admin?
+        return disallow! if permission_action.action == :create &&
+                            permission_action.subject == :process
+        return disallow! if permission_action.action == :destroy &&
+                            permission_action.subject == :process
+        is_allowed = [
+          :attachment,
+          :attachment_collection,
+          :category,
+          :component,
+          :component_data,
+          :moderation,
+          :process,
+          :process_step,
+          :process_user_role
+        ].include?(permission_action.subject)
+        allow! if is_allowed
+      end
+      def org_admin_action?
+        return unless user.admin?
+        is_allowed = [
+          :attachment,
+          :attachment_collection,
+          :category,
+          :component,
+          :component_data,
+          :moderation,
+          :process,
+          :process_step,
+          :process_user_role,
+          :space_private_user
+        ].include?(permission_action.subject)
+        allow! if is_allowed
+      end
+      # Checks if the permission_action is to read the admin processes list or
+      # not.
+      def read_process_list_permission_action?
+        permission_action.action == :read &&
+          [:process, :participatory_space, :process_list].include?(permission_action.subject)
+      end
+      def process
+        @process ||= context.fetch(:current_participatory_space, nil) || context.fetch(:process, nil)
+      end
+      def process_group
+        @process_group ||= context.fetch(:process_group, nil)
+      end
+    end
+  end
+end