
[myexperiment-hackers] [3089] trunk: switched all authorisation to use a


From: noreply
Subject: [myexperiment-hackers] [3089] trunk: switched all authorisation to use a rails 2 scope
Date: Sun, 19 Aug 2012 06:51:24 +0000 (UTC)

Revision
3089
Author
dgc
Date
2012-08-19 06:51:23 +0000 (Sun, 19 Aug 2012)

Log Message

switched all authorisation to use a rails 2 scope

Modified Paths

Diff

Modified: trunk/Rakefile (3088 => 3089)


--- trunk/Rakefile	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/Rakefile	2012-08-19 06:51:23 UTC (rev 3089)
@@ -114,7 +114,7 @@
   # Obtain all public workflows
 
   workflows = Workflow.find(:all).select do |workflow|
-    Authorization.check(:action ="" 'read', :object => workflow, :user => nil)
+    Authorization.check('view', workflow, nil)
   end
 
   # Generate OAI static repository file

Modified: trunk/app/controllers/blobs_controller.rb (3088 => 3089)


--- trunk/app/controllers/blobs_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/blobs_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -338,7 +338,7 @@
                      :limit => 20,
                      :select => 'DISTINCT *')
 
-    files = files.select {|f| Authorization.is_authorized?('view', nil, f, current_user) }
+    files = files.select {|f| Authorization.check('view', f, current_user) }
 
     render :partial => 'contributions/autocomplete_list', :locals => { :contributions => files }
   end
@@ -371,10 +371,32 @@
   protected
   
   def find_blob_auth
+
+    action_permissions = {
+      "create"                      => "create",
+      "destroy"                     => "destroy",
+      "download"                    => "download",
+      "edit"                        => "edit",
+      "favourite"                   => "view",
+      "favourite_delete"            => "view",
+      "index"                       => "view",
+      "named_download"              => "download",
+      "named_download_with_version" => "download",
+      "new"                         => "create",
+      "process_suggestions"         => "edit",
+      "rate"                        => "view",
+      "search"                      => "view",
+      "show"                        => "view",
+      "statistics"                  => "view",
+      "suggestions"                 => "view",
+      "tag"                         => "view",
+      "update"                      => "edit"
+    }
+
     begin
       blob = Blob.find(params[:id])
       
-      if Authorization.is_authorized?(action_name, nil, blob, current_user)
+      if Authorization.check(action_permissions[action_name], blob, current_user)
         @blob = blob
         
         if params[:version]
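Review bot: `action_permissions[action_name]` on the line that now calls `Authorization.check` yields nil for any action that is not a key of the table, so the outcome depends on how `Authorization.check` treats a nil permission, which this commit does not show; an action added to the controller later, or a before-filter applied to an action outside the table, should fail closed rather than rely on that. `action_permissions.fetch(action_name)` raises KeyError for an unmapped action, a loud failure the error handler can turn into a denial, and the same applies to the tables added in blog_posts_controller.rb, blogs_controller.rb, experiments_controller.rb, jobs_controller.rb, oauth_controller.rb, packs_controller.rb, runners_controller.rb and workflows_controller.rb. The table is also rebuilt on every request; a frozen class-level constant (`ACTION_PERMISSIONS = { ... }.freeze`) would make the action-to-permission policy reviewable in one place per controller. find_blob_auth continues past the end of the hunk.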

Modified: trunk/app/controllers/blog_posts_controller.rb (3088 => 3089)


--- trunk/app/controllers/blog_posts_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/blog_posts_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -75,10 +75,21 @@
 protected
 
   def find_blog_auth
+
+    action_permissions = {
+      "create"  => "create",
+      "destroy" => "destroy",
+      "edit"    => "edit",
+      "index"   => "view",
+      "new"     => "create",
+      "show"    => "view",
+      "update"  => "edit"
+    }
+
     begin
       blog = Blog.find(params[:blog_id])
       
-      if Authorization.is_authorized?(action_name, nil, blog, current_user)
+      if Authorization.check(action_permissions[action_name], blog, current_user)
         @blog = blog
       else
         error("Blog not found (id not authorized)", "is invalid (not authorized)")

Modified: trunk/app/controllers/blogs_controller.rb (3088 => 3089)


--- trunk/app/controllers/blogs_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/blogs_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -110,10 +110,21 @@
   end
   
   def find_blog_auth
+
+    action_permissions = {
+      "create"  => "create",
+      "destroy" => "destroy",
+      "edit"    => "edit",
+      "index"   => "view",
+      "new"     => "create",
+      "show"    => "view",
+      "update"  => "edit",
+    }
+
     begin
       blog = Blog.find(params[:id])
       
-      if Authorization.is_authorized?(action_name, nil, blog, current_user)
+      if Authorization.check(action_permissions[action_name], blog, current_user)
         @blog = blog
       else
         if logged_in? 

Modified: trunk/app/controllers/citations_controller.rb (3088 => 3089)


--- trunk/app/controllers/citations_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/citations_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -86,11 +86,11 @@
     
       workflow = Workflow.find(params[:workflow_id])
       
-      if Authorization.is_authorized?((["index", "show"].include?(action_name) ? "show" : "edit"), nil, workflow, current_user)
+      if Authorization.check((["index", "show"].include?(action_name) ? "view" : "edit"), workflow, current_user)
         @workflow = workflow
         
         # remove workflow data from workflow if the user is not authorized for download
-        @workflow.content_blob.data = "" unless Authorization.is_authorized?("download", nil, @workflow, current_user)
+        @workflow.content_blob.data = "" unless Authorization.check("download", @workflow, current_user)
       else
         if logged_in?
           error("Workflow not found (id not authorized)", "is invalid (not authorized)")

Modified: trunk/app/controllers/comments_controller.rb (3088 => 3089)


--- trunk/app/controllers/comments_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/comments_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -72,7 +72,7 @@
     @comment = Comment.find_by_id(params[:id])
 
     return error if @comment.nil? || @context.nil? || @comment.commentable != @context
-    return error if Authorization.is_authorized?('view', nil, @context, current_user) == false
+    return error if Authorization.check('view', @context, current_user) == false
   end
 
   def find_resource_context
@@ -80,7 +80,7 @@
     @context = extract_resource_context(params)
 
     return error if @context.nil?
-    return error if Authorization.is_authorized?('view', nil, @context, current_user) == false
+    return error if Authorization.check('view', @context, current_user) == false
   end
 
   def error

Modified: trunk/app/controllers/content_types_controller.rb (3088 => 3089)


--- trunk/app/controllers/content_types_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/content_types_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -50,7 +50,7 @@
   # PUT /content_types/1
   def update
 
-    if !Authorization.check(:action ="" 'edit', :object => @content_type, :user => current_user)
+    if !Authorization.check('edit', @content_type, current_user)
       error("You do not have the authorisation to edit.", "is unauthorised")
       return
     end

Modified: trunk/app/controllers/contributions_controller.rb (3088 => 3089)


--- trunk/app/controllers/contributions_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/contributions_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -28,7 +28,7 @@
       return error if @contributable.nil?
 
       # Abort if we're not allowed to see this contributable
-      return error unless Authorization.check(:action ="" 'view', :object => @contributable, :user => current_user)
+      return error unless Authorization.check('view', @contributable, current_user)
 
     rescue
 

Modified: trunk/app/controllers/experiments_controller.rb (3088 => 3089)


--- trunk/app/controllers/experiments_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/experiments_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -114,9 +114,20 @@
   end
   
   def find_experiment_auth
+
+    action_permissions = {
+      "create"  => "create",
+      "destroy" => "destroy",
+      "edit"    => "edit",
+      "index"   => "view",
+      "new"     => "create",
+      "show"    => "view",
+      "update"  => "edit"
+    }
+
     experiment = Experiment.find(:first, :conditions => ["id = ?", params[:id]])
     
-    if experiment and Authorization.is_authorized?(action_name, nil, experiment, current_user)
+    if experiment and Authorization.check(action_permissions[action_name], experiment, current_user)
       @experiment = experiment
     else
       error("Experiment not found or action not authorized", "is invalid (not authorized)")

Modified: trunk/app/controllers/jobs_controller.rb (3088 => 3089)


--- trunk/app/controllers/jobs_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/jobs_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -23,14 +23,14 @@
   end
 
   def show
-    unless Authorization.is_authorized?(action_name, nil, @job.runnable, current_user)
+    unless Authorization.check("view", @job.runnable, current_user)
       flash[:error] = "<p>You will not be able to submit this Job, but you can still see the details of it."
       flash[:error] = "<p>The runnable item (address@hidden) is not authorized - you need download priviledges to run it.</p>"
     end
     
     # TODO: check that runnable version still exists
     
-    unless Authorization.is_authorized?(action_name, nil, @job, current_user)
+    unless Authorization.check("view", @job, current_user)
       flash[:error] = "You will not be able to submit this Job, but you can still see the details of it." unless flash[:error]
       flash[:error] += "<p>The runner is not authorized - you need to either own it or be part of a Group that owns it.</p>"
     end
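Review bot: The first check in show now asks for `"view"` on `@job.runnable`, but the message set on the following lines tells the user they need download privileges, and the submission path later in this file (the hunk at line 227) checks `"download"` on the same runnable, so a user who can view but not download the runnable gets no warning here and only fails at submit. `unless Authorization.check("download", @job.runnable, current_user)` would make the warning match the check it is warning about. The two consecutive assignments to `flash[:error]` below the check overwrite each other, so only the second message survives; that is pre-existing and not touched by this change. show continues past the hunk.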
@@ -112,7 +112,7 @@
       end
     end
     
-    if not runnable or not Authorization.is_authorized?('download', nil, runnable, user)
+    if not runnable or not Authorization.check('download', runnable, user)
       success = false
       @job.errors.add(:runnable_id, "not valid or not authorized")
     else
@@ -126,7 +126,7 @@
     # Check runner is a valid and authorized one
     # (for now we can assume it's a TavernaEnactor)
     runner = TavernaEnactor.find(:first, :conditions => ["id = ?", params[:job][:runner_id]])
-    if not runner or not Authorization.is_authorized?('execute', nil, runner, user)
+    if not runner or not Authorization.check('execute', runner, user)
       success = false
       @job.errors.add(:runner_id, "not valid or not authorized")
     end
@@ -227,12 +227,12 @@
     errors_text = ''
     
     # Authorize the runnable and runner
-    unless Authorization.is_authorized?(action_name, nil, @job, current_user)
+    unless Authorization.check("download", @job.runnable, current_user)
       success = false;
       errors_text += "<p>The runnable item (address@hidden) is not authorized - you need download priviledges to run it.</p>"
     end
     
-    unless Authorization.is_authorized?(action_name, nil, @job, current_user)
+    unless Authorization.check("edit", @job, current_user)
       success = false;
       errors_text += "<p>The runner is not authorized - you need to either own it or be part of a Group that owns it.</p>"
     end
@@ -325,7 +325,7 @@
         job.experiment = Experiment.new(:title => Experiment.default_title(user), :contributor => user)
       elsif params[:change_experiment] == 'existing'
         experiment = Experiment.find(params[:change_experiment_id])
-        if experiment and Authorization.is_authorized?('edit', nil, experiment, user)
+        if experiment and Authorization.check('edit', experiment, user)
           job.experiment = experiment
         else
           flash[:error] = "Job could not be created because could not assign the parent Experiment."
@@ -349,9 +349,20 @@
   end
 
   def find_experiment_auth
+
+    action_permissions = {
+      "create"  => "create",
+      "destroy" => "destroy",
+      "edit"    => "edit",
+      "index"   => "view",
+      "new"     => "create",
+      "show"    => "view",
+      "update"  => "edit"
+    }
+
     experiment = Experiment.find(:first, :conditions => ["id = ?", params[:experiment_id]])
     
-    if experiment and Authorization.is_authorized?(action_name, nil, experiment, current_user)
+    if experiment and Authorization.check(action_permissions[action_name], experiment, current_user)
       @experiment = experiment
     else
       # New and Create actions are allowed to run outside of the context of an Experiment
@@ -366,9 +377,28 @@
   end
 
   def find_job_auth
+
+    action_permissions = {
+      "create"          => "create",
+      "destroy"         => "destroy",
+      "edit"            => "edit",
+      "index"           => "view",
+      "new"             => "create",
+      "outputs_package" => "download",
+      "outputs_xml"     => "download",
+      "refresh_outputs" => "download",
+      "refresh_status"  => "download",
+      "render_output"   => "download",
+      "rerun"           => "download",
+      "save_inputs"     => "download",
+      "show"            => "view",
+      "submit_job"      => "download",
+      "update"          => "edit",
+    }
+
     job = Job.find(:first, :conditions => ["id = ?", params[:id]])
       
-    if job and job.experiment.id == @experiment.id and Authorization.is_authorized?(action_name, nil, job, current_user)
+    if job and job.experiment.id == @experiment.id and Authorization.check(action_permissions[action_name], job, current_user)
       @job = job
     else
       error("Job not found or action not authorized", "is invalid (not authorized)")

Modified: trunk/app/controllers/linked_data_controller.rb (3088 => 3089)


--- trunk/app/controllers/linked_data_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/linked_data_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -161,7 +161,7 @@
     return not_found if tag.nil?
     return not_found if tagging.nil?
     return not_found if tagging.tag != tag
-    return not_auth  if Authorization.is_authorized?('view', nil, tagging.taggable, current_user) == false
+    return not_auth  if Authorization.check('view', tagging.taggable, current_user) == false
 
     respond_to do |format|
       if Conf.rdfgen_enable
@@ -183,7 +183,7 @@
     end
 
     return not_found if @contributable.nil?
-    return not_auth  if Authorization.is_authorized?('view', nil, @contributable, current_user) == false
+    return not_auth  if Authorization.check('view', @contributable, current_user) == false
   end
 
   def not_found

Modified: trunk/app/controllers/oauth_controller.rb (3088 => 3089)


--- trunk/app/controllers/oauth_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/oauth_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -161,6 +161,15 @@
 private
 
   def find_client_application_auth
+
+    action_permissions = {
+      "access_token"  => "view",
+      "authorize"     => "view",
+      "index"         => "view",
+      "request_token" => "view",
+      "test_request"  => "view" 
+    }
+
     if action_name == 'update'
       id = params[:client_application][:id]
     else
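Review bot: The table at the top of find_client_application_auth has no `"update"` key, yet the branch immediately below special-cases `action_name == 'update'` to read the id from `params[:client_application]`, so the update path reaches `Authorization.check` with a nil permission. Adding `"update" => "edit"` (or whichever permission the application intends for editing a client application) puts that path on the same footing as the mapped ones; `create`/`destroy` may be in the same position if those actions run this filter, which the hunk does not show. The method continues into the next hunk.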
@@ -168,7 +177,7 @@
     end
     begin
       client_app=ClientApplication.find(id)
-      if Authorization.is_authorized?(action_name, nil, client_app, current_user)
+      if Authorization.check(action_permissions[action_name], client_app, current_user)
         @client_application = client_app
       else
         error("Client Application not found (id not authorized)", "is invalid (not authorized)")

Modified: trunk/app/controllers/packs_controller.rb (3088 => 3089)


--- trunk/app/controllers/packs_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/packs_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -416,14 +416,39 @@
   end
   
   def find_pack_auth
+
+    action_permissions = {
+      "create"           => "create",
+      "create_item"      => "edit",
+      "destroy"          => "destroy",
+      "destroy_item"     => "destroy",
+      "download"         => "download",
+      "edit"             => "edit",
+      "edit_item"        => "edit",
+      "favourite"        => "view",
+      "favourite_delete" => "view",
+      "index"            => "view",
+      "items"            => "view",
+      "new"              => "create",
+      "new_item"         => "edit",
+      "quick_add"        => "edit",
+      "resolve_link"     => "edit",
+      "search"           => "view",
+      "show"             => "view",
+      "statistics"       => "view",
+      "tag"              => "view",
+      "update"           => "edit",
+      "update_item"      => "edit"
+    }
+
     begin
       pack = Pack.find(params[:id])
       
-      if Authorization.is_authorized?(action_name, nil, pack, current_user)
+      if Authorization.check(action_permissions[action_name], pack, current_user)
         @pack = pack
         
-        @authorised_to_edit = logged_in? && Authorization.is_authorized?("edit", nil, @pack, current_user)
-        @authorised_to_download = Authorization.is_authorized?("download", nil, @pack, current_user)
+        @authorised_to_edit = logged_in? && Authorization.check("edit", @pack, current_user)
+        @authorised_to_download = Authorization.check("download", @pack, current_user)
         
         @pack_entry_url = url_for : false,
                             :host => base_host,

Modified: trunk/app/controllers/previews_controller.rb (3088 => 3089)


--- trunk/app/controllers/previews_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/previews_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -36,7 +36,7 @@
       auth_object = @context
     end
 
-    if Authorization.check(:action ="" 'view', :object => auth_object, :user => user) == false
+    if Authorization.check('view', auth_object, user) == false
       render :nothing => true, :status => "401 Unauthorized"
       response.headers['WWW-Authenticate'] = "Basic realm=\"#{Conf.sitename} REST API\""
       return

Modified: trunk/app/controllers/relationships_controller.rb (3088 => 3089)


--- trunk/app/controllers/relationships_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/relationships_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -53,7 +53,7 @@
   # DELETE /:context_type/:context_id/relationships/:id
   def destroy
 
-   if Authorization.is_authorized?('destroy', nil, @relationship, current_user)
+   if Authorization.check('destroy', @relationship, current_user)
       @relationship.destroy
     end
     
@@ -69,7 +69,7 @@
     @relationship = Relationship.find_by_id(params[:id])
 
     return error if @relationship.nil? || @context.nil? || @relationship.context != @context
-    return error if Authorization.is_authorized?('view', nil, @context, current_user) == false
+    return error if Authorization.check('view', @context, current_user) == false
   end
 
   def find_resource_context
@@ -77,7 +77,7 @@
     @context = extract_resource_context(params)
 
     return false if @context.nil?
-    return false if Authorization.is_authorized?('view', nil, @context, current_user) == false
+    return false if Authorization.check('view', @context, current_user) == false
   end
 
   def error

Modified: trunk/app/controllers/reviews_controller.rb (3088 => 3089)


--- trunk/app/controllers/reviews_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/reviews_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -128,9 +128,9 @@
     
       workflow = Workflow.find(params[:workflow_id])
       
-      if Authorization.is_authorized?('show', nil, workflow, current_user)
+      if Authorization.check('view', workflow, current_user)
         # remove workflow data from workflow if the user is not authorized for download
-        workflow.content_blob.data = "" unless Authorization.is_authorized?('download', nil, workflow, current_user)
+        workflow.content_blob.data = "" unless Authorization.check('download', workflow, current_user)
         @reviewable = workflow
       else
         if logged_in?

Modified: trunk/app/controllers/runners_controller.rb (3088 => 3089)


--- trunk/app/controllers/runners_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/runners_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -124,9 +124,21 @@
   end
   
   def find_runner_auth
+
+    action_permissions = {
+      "create"  => "create",
+      "destroy" => "destroy",
+      "edit"    => "edit",
+      "index"   => "view",
+      "new"     => "create",
+      "show"    => "view",
+      "update"  => "edit",
+      "verify"  => "view"
+    }
+
     runner = TavernaEnactor.find(:first, :conditions => ["id = ?", params[:id]])
     
-    if runner and Authorization.is_authorized?(action_name, nil, runner, current_user)
+    if runner and Authorization.check(action_permissions[action_name], runner, current_user)
       @runner = runner
     else
       error("Runner not found or action not authorized", "is invalid (not authorized)")

Modified: trunk/app/controllers/tags_controller.rb (3088 => 3089)


--- trunk/app/controllers/tags_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/tags_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -79,7 +79,7 @@
       # Authorise entries now
       taggings.each do |t|
         if t.taggable.respond_to?(:contribution)
-          @tagged_with << t.taggable if Authorization.is_authorized?('show', nil, t.taggable.contribution, current_user)
+          @tagged_with << t.taggable if Authorization.check('view', t.taggable.contribution, current_user)
         else
           @tagged_with << t.taggable
         end

Modified: trunk/app/controllers/user_reports_controller.rb (3088 => 3089)


--- trunk/app/controllers/user_reports_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/user_reports_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -28,7 +28,7 @@
     return error if object.nil?
 
     # ensure that the object is visible to the user
-    return error unless Authorization.check(:action ="" 'read', :object => object, :user => current_user)
+    return error unless Authorization.check('view', object, current_user)
 
     @object = object
 

Modified: trunk/app/controllers/users_controller.rb (3088 => 3089)


--- trunk/app/controllers/users_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/users_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -277,7 +277,7 @@
   # DELETE /users/1
   def destroy
 
-    unless Authorization.check(:action ="" 'destroy', :object => @user, :user => current_user)
+    unless Authorization.check('destroy', @user, current_user)
       flash[:notice] = 'You do not have permission to delete this user.'
       redirect_to :action ="" :index
       return

Modified: trunk/app/controllers/workflows_controller.rb (3088 => 3089)


--- trunk/app/controllers/workflows_controller.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/controllers/workflows_controller.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -235,7 +235,7 @@
     end
 
     @contributions_with_similar_services = @workflow.workflows_with_similar_services.select do |w|
-      Authorization.is_authorized?('view', nil, w, current_user)
+      Authorization.check('view', w, current_user)
     end.map do |w|
       w.contribution
     end
@@ -661,7 +661,7 @@
                      :limit => 20,
                      :select => 'DISTINCT *')
 
-    wfs = wfs.select {|w| Authorization.is_authorized?('view', nil, w, current_user) }
+    wfs = wfs.select {|w| Authorization.check('view', w, current_user) }
 
     render :partial => 'contributions/autocomplete_list', :locals => { :contributions => wfs }
   end
@@ -696,6 +696,34 @@
   end
   
   def find_workflow_auth
+
+    action_permissions = {
+      "create"                  => "create",
+      "create_version"          => "edit",
+      "destroy"                 => "destroy",
+      "destroy_version"         => "edit",
+      "download"                => "download",
+      "edit"                    => "edit",
+      "edit_version"            => "edit",
+      "favourite"               => "view",
+      "favourite_delete"        => "view",
+      "galaxy_tool"             => "download",
+      "galaxy_tool_download"    => "download",
+      "index"                   => "view",
+      "launch"                  => "download",
+      "new"                     => "create",
+      "new_version"             => "edit",
+      "process_tag_suggestions" => "edit",
+      "rate"                    => "view",
+      "search"                  => "view",
+      "show"                    => "view",
+      "statistics"              => "view",
+      "tag"                     => "view",
+      "tag_suggestions"         => "view",
+      "update"                  => "edit",
+      "update_version"          => "edit",
+    }
+
     begin
       # Use eager loading only for 'show' action
       if action_name == 'show'
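Review bot: `"destroy_version" => "edit"` in the table lets anyone with edit rights delete a version while `"destroy"` requires the destroy permission, and packs_controller.rb in this same commit maps `"destroy_item"` to `"destroy"`, so the two controllers treat deletion of a sub-resource differently. If the workflow mapping is intentional (a version being part of the editable content rather than a contribution of its own), a one-line comment on that entry, e.g. `# versions are editable content, not separate contributions: edit suffices`, would keep a later reader from "fixing" it in either direction. find_workflow_auth continues into the following hunks.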
@@ -704,7 +732,7 @@
         workflow = Workflow.find(params[:id])
       end
       
-      if Authorization.is_authorized?(action_name, nil, workflow, current_user)
+      if Authorization.check(action_permissions[action_name], workflow, current_user)
         @latest_version_number = workflow.current_version
 
         @workflow = workflow
@@ -720,12 +748,12 @@
           @viewing_version = @workflow.find_version(@latest_version_number)
         end
         
-        @authorised_to_edit = logged_in? && Authorization.is_authorized?('edit', nil, @workflow, current_user)
+        @authorised_to_edit = logged_in? && Authorization.check('edit', @workflow, current_user)
         if @authorised_to_edit
           # can save a call to .is_authorized? if "edit" was already found to be allowed - due to cascading permissions
           @authorised_to_download = true
         else
-          @authorised_to_download = Authorization.is_authorized?('download', nil, @workflow, current_user)
+          @authorised_to_download = Authorization.check('download', @workflow, current_user)
         end
         
         # remove scufl from workflow if the user is not authorized for download

Modified: trunk/app/helpers/application_helper.rb (3088 => 3089)


--- trunk/app/helpers/application_helper.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/helpers/application_helper.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -400,7 +400,7 @@
         
         if thumb
           unless w.image.nil?
-            if Authorization.is_authorized?('show', nil, w, current_user)
+            if Authorization.check('view', w, current_user)
               dot = image_tag url_for_file_column(w, "image", "thumb")
             else
               dot = image_tag url_for_file_column(w, "image", "padlock")
@@ -833,7 +833,7 @@
         :joins => 'LEFT OUTER JOIN users ON workflows.contributor_type = "User" AND workflows.contributor_id = users.id',
         :order => 'workflows.id ASC')
 
-    workflows.select { |w| Authorization.is_authorized?('show', 'Workflow', w.id, current_user) }
+    workflows.select { |w| Authorization.check('view', w, current_user) }
   end
   
   def blobs_for_attribution_form
@@ -841,7 +841,7 @@
         :joins => 'LEFT OUTER JOIN users ON blobs.contributor_type = "User" AND blobs.contributor_id = users.id',
         :order => 'blobs.id ASC')
 
-    blobs.select { |b| Authorization.is_authorized?('show', 'Blob', b.id, current_user) }
+    blobs.select { |b| Authorization.check('view', b, current_user) }
   end
   
   def networks_for_credits_form
@@ -1057,12 +1057,6 @@
                    :version => version_number)
   end
   
-  def thing_authorized?(action, thing)
-    # method preserved only in case some code absolutely requires it in the future;
-    # for now (Jan 2009) all occurrences of it's usage were replaced with Authorization.is_authorized?()
-    return Authorization.is_authorized?(action, nil, thing, current_user)
-  end
-  
   def strip_html(str, preserve_tags=[])
     str = str.strip || ''
     preserve_arr = preserve_tags.join('|') << '|\/'

Modified: trunk/app/models/pack.rb (3088 => 3089)


--- trunk/app/models/pack.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/models/pack.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -190,8 +190,8 @@
           next # skips all further processing and moves on to the next item
         end
         
-        download_allowed = Authorization.is_authorized?('download', nil, item_contribution, user)
-        viewing_allowed = download_allowed ? true : Authorization.is_authorized?('view', nil, item_contribution, user)
+        download_allowed = Authorization.check('download', item_contribution, user)
+        viewing_allowed = download_allowed ? true : Authorization.check('view', item_contribution, user)
         
         
         case item_entry.contributable_type.downcase

Modified: trunk/app/models/user.rb (3088 => 3089)


--- trunk/app/models/user.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/models/user.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -269,6 +269,20 @@
     return Conf.admins.include?(self.username.downcase)
   end
   
+  def curator?
+    return false if self.username.blank?
+    return Conf.curators.include?(self.username.downcase)
+  end
+
+  def network_admin?(network)
+    if network.class == Network
+      network.owner == self
+    else
+      result = self.networks_owned.find(:first, :conditions => { :id => network } )
+      !result.nil?
+    end
+  end
+
   acts_as_site_entity
 
   acts_as_contributor
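Review bot: `network.class == Network` in network_admin? is an exact-class comparison that a subclass or proxy object would fail, sending an actual network down the id-lookup branch; `network.is_a?(Network)` is the usual test and appears to be what is meant. The else branch treats anything else as an id and answers false for nil (the condition becomes `id IS NULL`), which is reasonable but worth stating, e.g. `# @param network [Network, Integer] a network or its id` above the method, and curator? deserves a note that it depends on the `Conf.curators` list, which is not shown here. Both methods are fully contained in the hunk.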

Modified: trunk/app/views/blobs/_blob.rhtml (3088 => 3089)


--- trunk/app/views/blobs/_blob.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/blobs/_blob.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -23,9 +23,9 @@
 	  </tr>
 	  <tr>
 	    <td colspan="2">
-	      <% if Authorization.is_authorized?('download', nil, blob, current_user) %><%= icon "download", download_blob_path(blob) %> <% end %>
-	      <% if Authorization.is_authorized?('show', nil, blob, current_user) %><%= icon "show", blob_url(blob), nil, nil, "View" %> <% end %>
-	      <% if logged_in? and Authorization.is_authorized?('edit', nil, blob, current_user) %><%= icon "edit", edit_blob_path(blob) %> <% end %>
+	      <% if Authorization.check('download', blob, current_user) %><%= icon "download", download_blob_path(blob) %> <% end %>
+	      <% if Authorization.check('view', blob, current_user) %><%= icon "show", blob_url(blob), nil, nil, "View" %> <% end %>
+	      <% if logged_in? and Authorization.check('edit', blob, current_user) %><%= icon "edit", edit_blob_path(blob) %> <% end %>
 	      <% if logged_in? and blob.owner?(current_user) %><%= icon "destroy", blob_path(blob), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
 	    </td>
 	  </tr>

Modified: trunk/app/views/blobs/_table.rhtml (3088 => 3089)


--- trunk/app/views/blobs/_table.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/blobs/_table.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -6,9 +6,9 @@
 	<% for blob in collection %>
 		<% # If only one item in collection, check if 'show' permission is available (eg: if this partial was called from contributions/table) -%>
 		<% if collection.size == 1 -%>
-			<% show ||= Authorization.is_authorized?('show', nil, blob, current_user) -%>
+			<% show ||= Authorization.check('view', blob, current_user) -%>
 		<% else -%>
-			<% show = Authorization.is_authorized?('show', nil, blob, current_user) -%>
+			<% show = Authorization.check('view', blob, current_user) -%>
 		<% end -%>
 	  <% if show -%>
 			<tr class="<%= (odd_row = !odd_row) ? "odd_row" : "even_row" %>">
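Review bot: The template comment above the changed `show ||=` line still says the partial checks the 'show' permission, while both branches now check `'view'`; it should read `If only one item in collection, check if 'view' permission is available (eg: if this partial was called from contributions/table)`. The surrounding `for blob in collection` loop continues past the hunk.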
@@ -49,7 +49,7 @@
 							<p style="font-size:85%;">
 							<b>Attributions:</b>
 							<% attributors.each do |a| %>
-								<% if Authorization.is_authorized?("show", nil, a.attributor, current_user) -%>
+								<% if Authorization.check("view", a.attributor, current_user) -%>
 									<% if a.attributor_type == 'Workflow' %>
 										<%= icon('workflow', nil, nil, nil, '') %> 
 									<% elsif a.attributor_type == 'Blob' %>
@@ -96,7 +96,7 @@
 					
 					<td class="actions" style="width: 80px;">
 				    <%= icon "show", blob_path(blob), nil, nil, "View" %>
-					  <% if Authorization.is_authorized?("download", nil, blob, current_user) %><%= icon "download", download_blob_path(blob) %><% end %>
+					  <% if Authorization.check("download", blob, current_user) %><%= icon "download", download_blob_path(blob) %><% end %>
 				    <% if mine?(blob) %><%= icon "manage", edit_blob_path(blob), nil, nil, "Manage" %><% end %>
 				  </td>
 			</tr>

Modified: trunk/app/views/blobs/show.rhtml (3088 => 3089)


--- trunk/app/views/blobs/show.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/blobs/show.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -4,7 +4,7 @@
 	<% if mine?(@blob) -%>
 		<li><%= icon('manage', edit_blob_path(@blob), nil, nil, 'Manage File Entry')%></li>
 	<% end -%>
-	<% if Authorization.is_authorized?('destroy', nil, @blob, current_user) %>
+	<% if Authorization.check('destroy', @blob, current_user) %>
 		<li><%= icon('destroy', blob_path(@blob), nil, { :confirm => 'This deletes the File and all metadata such as tags, comments and ratings. Are you sure?', :method => :delete }, 'Delete File Entry') %></li>
 	<% end %>
 </ul>
@@ -88,7 +88,7 @@
 				Download
 			</h3>
 			
-			<% if Authorization.is_authorized?('download', nil, @blob, current_user) %>
+			<% if Authorization.check('download', @blob, current_user) %>
 				<ul class="sectionIcons">
 					<li><%= icon('blob', @named_download_url, "Download File", nil, "Download File") %></li>
 				</ul>
@@ -116,7 +116,7 @@
 																											 :owner_id => ((@blob.contributor_type == 'User') ? @blob.contributor_id : nil), 
 																											 :add_path => tag_blob_path(@blob),
 																											 :edit_path => edit_blob_path(@blob),
-																											 :allow_edit => Authorization.is_authorized?('edit', nil, @blob, current_user) } %>
+																											 :allow_edit => Authorization.check('edit', @blob, current_user) } %>
 																											 
   <%= render :partial => "contributions/shared_with_groups_box", :locals => { :contributable => @blob } %>
 	
@@ -159,7 +159,7 @@
       <%= render :partial => "contributions/sharing_summary",  :locals => { :contributable => @blob } %>
       <%= render :partial => "contributions/updating_summary", :locals => { :contributable => @blob } %>
 	  
-      <% if Authorization.is_authorized?('edit', nil, @blob, current_user) %>
+      <% if Authorization.check('edit', @blob, current_user) %>
         <ul class="sectionIcons">
           <li><%= icon('edit', edit_blob_path(@blob), nil, nil, 'Edit')%></li>
         </ul>

Modified: trunk/app/views/blog_posts/_subnav.rhtml (3088 => 3089)


--- trunk/app/views/blog_posts/_subnav.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/blog_posts/_subnav.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -1,6 +1,6 @@
 <% case controller.action_name.to_s; when "show" %>
 
-  <% if logged_in? && Authorization.is_authorized?("edit", nil, @blog_post.blog, current_user) %>
+  <% if logged_in? && Authorization.check("edit", @blog_post.blog, current_user) %>
     <ul class="sectionIcons">
       <li><%= link_to 'Edit Blog Post', edit_blog_blog_post_path(@blog_post.blog, @blog_post) %></li>
     </ul>       

Modified: trunk/app/views/blog_posts/show.rhtml (3088 => 3089)


--- trunk/app/views/blog_posts/show.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/blog_posts/show.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -1,4 +1,4 @@
-<% if logged_in? && Authorization.is_authorized?("edit", nil, @blog_post.blog, current_user) %>
+<% if logged_in? && Authorization.check("edit", @blog_post.blog, current_user) %>
   <ul class="sectionIcons">
     <li><%= link_to 'Edit Blog Post', edit_blog_post_path(@blog_post.blog, @blog_post) %></li>
   </ul>

Modified: trunk/app/views/blogs/_blog.rhtml (3088 => 3089)


--- trunk/app/views/blogs/_blog.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/blogs/_blog.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -23,11 +23,11 @@
 	  <tr>
 	    <td colspan="2">
 	      <center>
-	        <% if Authorization.is_authorized?("show", nil, blog, current_user) %><%= icon "show", blog_path(blog), nil, nil, "View" %> <% end %>
-	        <% if logged_in? && Authorization.is_authorized?("edit", nil, blog, current_user) %><%= icon "edit", edit_blog_path(blog) %> <% end %>
-	        <% if logged_in? && Authorization.is_authorized?("destroy", nil, blog, current_user) %><%= icon "destroy", blog_path(blog), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
+	        <% if Authorization.check("view", blog, current_user) %><%= icon "show", blog_path(blog), nil, nil, "View" %> <% end %>
+	        <% if logged_in? && Authorization.check("edit", blog, current_user) %><%= icon "edit", edit_blog_path(blog) %> <% end %>
+	        <% if logged_in? && Authorization.check("destroy", blog, current_user) %><%= icon "destroy", blog_path(blog), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
 	      </center>
 	    </td>
 	  </tr>
 	</table>
-</center>
\ No newline at end of file
+</center>

Modified: trunk/app/views/blogs/_table.rhtml (3088 => 3089)


--- trunk/app/views/blogs/_table.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/blogs/_table.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -19,12 +19,12 @@
     <td><%=h blog.posts.length %></td>
     <td><%=datetime(blog.posts[-1].created_at, false) unless blog.posts.empty? %></td>
     <td class="actions">
-      <% if Authorization.is_authorized?("show", nil, blog, current_user) %><%= icon "show", blog_path(blog), nil, nil, "View" %> <% end %>
-      <% if logged_in? && Authorization.is_authorized?("edit", nil, blog, current_user) %><%= icon "edit", edit_blog_path(blog) %> <% end %>
+      <% if Authorization.check("view", blog, current_user) %><%= icon "show", blog_path(blog), nil, nil, "View" %> <% end %>
+      <% if logged_in? && Authorization.check("edit", blog, current_user) %><%= icon "edit", edit_blog_path(blog) %> <% end %>
       <% if logged_in? && blog.owner?(current_user) %><%= icon "destroy", blog_path(blog), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
     </td>
   </tr>
 <% end %>
 </table>
 
-<% end %>
\ No newline at end of file
+<% end %>

Modified: trunk/app/views/blogs/show.rhtml (3088 => 3089)


--- trunk/app/views/blogs/show.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/blogs/show.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -6,12 +6,12 @@
 
 <% if logged_in? %>
   <ul class="sectionIcons">
-    <% if Authorization.is_authorized?("edit", nil, @blog, current_user) %>
+    <% if Authorization.check("edit", @blog, current_user) %>
       <li><%= icon('new', new_blog_blog_post_path(@blog), nil, nil, "New post") %></li>
       <li><%= icon('edit', edit_blog_path(@blog), nil, nil, 'Edit ' + truncate(@blog.title, :length => 10)) %></li>
     <% end %>
     
-    <% if Authorization.is_authorized?("destroy", nil, @blog, current_user) %>
+    <% if Authorization.check("destroy", @blog, current_user) %>
       <li><%= icon('destroy', blog_path(@blog), nil, { :confirm => 'Are you sure?', :method => :delete }, 'Remove ' + truncate(@blog.title, :length => 10)) %></li>
     <% end %>
   </ul>
@@ -23,7 +23,7 @@
   <%= render :partial => "blog_posts/post", :collection => @blog.posts %>
 <% end %>
 
-<% if logged_in? and Authorization.is_authorized?("destroy", nil, @blog, current_user) %>
+<% if logged_in? and Authorization.check("destroy", @blog, current_user) %>
   <h2>History</h2>
 
   <%= render :partial => "contributions/history", :object => @blog.contribution %>

Modified: trunk/app/views/citations/_citation.rhtml (3088 => 3089)


--- trunk/app/views/citations/_citation.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/citations/_citation.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -12,7 +12,7 @@
   <%= arr[i] %><%= "," unless i.to_i == arr.length.to_i - 1 %>
 <% end %>
 
-<% if actions and Authorization.is_authorized?("edit", nil, item, current_user) %>
+<% if actions and Authorization.check("edit", item, current_user) %>
 	&nbsp;&nbsp;<small>[<%= link_to "view", workflow_citation_path(item, citation) %>]</small>
 	&nbsp;<small>[<%= link_to "edit", edit_workflow_citation_path(item, citation) %>]</small>
 <% end %>

Modified: trunk/app/views/citations/_table.rhtml (3088 => 3089)


--- trunk/app/views/citations/_table.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/citations/_table.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -27,8 +27,8 @@
     <% end %>
     <td class="actions">
       <%= icon "show", workflow_citation_path(workflow, citation), nil, nil, "View" %> 
-      <% if logged_in? && Authorization.is_authorized?("edit", nil, @workflow, current_user) %><%= icon "edit", edit_workflow_citation_path(workflow, citation) %> <% end %>
-      <% if logged_in? && Authorization.is_authorized?("destroy", nil, @workflow, current_user) %><%= icon "destroy", workflow_citation_path(workflow, citation), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
+      <% if logged_in? && Authorization.check("edit", @workflow, current_user) %><%= icon "edit", edit_workflow_citation_path(workflow, citation) %> <% end %>
+      <% if logged_in? && Authorization.check("destroy", @workflow, current_user) %><%= icon "destroy", workflow_citation_path(workflow, citation), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
     </td>
   </tr>
 <% end %>
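Review bot: The rewritten edit and destroy gates test `@workflow`, while the links on the same lines are built from the local `workflow`, so the object whose permissions are checked is not demonstrably the object being linked; if this partial is ever rendered with a `workflow` local that differs from `@workflow`, the icons would be gated by the wrong object. Unless the two are guaranteed identical here, the checks should read `Authorization.check("edit", workflow, current_user)` and `Authorization.check("destroy", workflow, current_user)`. The row loop that encloses this cell starts before the hunk.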

Modified: trunk/app/views/citations/index.rhtml (3088 => 3089)


--- trunk/app/views/citations/index.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/citations/index.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -1,6 +1,6 @@
 <h1>Citations for Workflow: <%= contributable(@workflow.id, 'Workflow') -%></h1>
 
-<% if Authorization.is_authorized?("edit", nil, @workflow, current_user) %>
+<% if Authorization.check("edit", @workflow, current_user) %>
   <ul class="sectionIcons">
     <li><%= icon('new', new_workflow_citation_path(@workflow), nil, nil, 'New Citation', nil) %></li>
 	</ul>

Modified: trunk/app/views/citations/show.rhtml (3088 => 3089)


--- trunk/app/views/citations/show.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/citations/show.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -2,11 +2,11 @@
 
 <ul class="sectionIcons">
   <% if logged_in? %>
-    <% if Authorization.is_authorized?("edit", nil, @workflow, current_user) %>
+    <% if Authorization.check("edit", @workflow, current_user) %>
       <li><%= icon('edit', edit_workflow_citation_path(@workflow, @citation), nil, nil, 'Edit Citation') %></li>
     <% end %>
 
-    <% if Authorization.is_authorized?("destroy", nil, @workflow, current_user) %>
+    <% if Authorization.check("destroy", @workflow, current_user) %>
       <li><%= icon('destroy', workflow_citation_path(@workflow, @citation), nil, { :confirm => 'Are you sure?', :method => :delete }, 'Delete Citation') %></li>
     <% end %>
   <% end %>

Modified: trunk/app/views/comments/_comment.rhtml (3088 => 3089)


--- trunk/app/views/comments/_comment.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/comments/_comment.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -17,7 +17,7 @@
 	<tr>
 		<td style="text-align: right; padding-right: 1em;">
       <%= render(:partial => 'contributions/user_report', :locals => { :subject => comment, :user => current_user }) -%>
-      <% if Authorization.check(:action ="" 'destroy', :object => comment, :user => current_user) %>
+      <% if Authorization.check('destroy', comment, current_user) %>
 				<small>
 					[
 					<%= link_to_remote( "delete",

Modified: trunk/app/views/content_types/show.rhtml (3088 => 3089)


--- trunk/app/views/content_types/show.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/content_types/show.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -3,7 +3,7 @@
 <ul class="sectionIcons">
   <li><%= icon('workflow', content_types_path, nil, nil, 'Show all types')%></li>
   <li><%= icon('workflow', "/address@hidden", nil, nil, 'Browse content')%></li>
-  <% if Authorization.check(:action ="" 'edit', :object => @content_type, :user => current_user) %>
+  <% if Authorization.check('edit', @content_type, current_user) %>
 		<li><%= icon('manage', edit_content_type_path(@content_type), nil, nil, 'Manage Content Type Entry')%></li>
 	<% end -%>
 </ul>

Modified: trunk/app/views/contributions/_attributed_by.rhtml (3088 => 3089)


--- trunk/app/views/contributions/_attributed_by.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/contributions/_attributed_by.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -16,7 +16,7 @@
 							<% if a.attributable.nil? -%>
 							  <span class="none_text">Item doesn't exist anymore</span>
 							<% else -%>
-								<% if Authorization.is_authorized?("show", nil, a.attributable, current_user) -%>
+								<% if Authorization.check("view", a.attributable, current_user) -%>
 									<% if a.attributable_type == 'Workflow' %>
 										<%= icon('workflow', nil, nil, nil, '') %> 
 									<% elsif a.attributable_type == 'Blob' %>
@@ -36,4 +36,4 @@
 		<p class="none_text">None</p>
 	<% end %>
 	
-</div>
\ No newline at end of file
+</div>

Modified: trunk/app/views/contributions/_citations_tab.rhtml (3088 => 3089)


--- trunk/app/views/contributions/_citations_tab.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/contributions/_citations_tab.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -15,7 +15,7 @@
 		
 		<br/>
 
-    <% if Authorization.is_authorized?("edit", nil, item, current_user) %>
+    <% if Authorization.check("edit", item, current_user) %>
 	    <ul class="sectionIcons">
 	      <li><%= icon('new', new_workflow_citation_path(item), nil, nil, 'New Citation', nil) %></li>
 	      <li><%= icon('edit', workflow_citations_path(item), nil, nil, 'Edit Citations', nil) %></li>

Modified: trunk/app/views/contributions/_credit_attribution_form.rhtml (3088 => 3089)


--- trunk/app/views/contributions/_credit_attribution_form.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/contributions/_credit_attribution_form.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -257,7 +257,7 @@
 
 		// Attributions
 		<% contributable.attributors.each do |a| %>
-			<% if Authorization.is_authorized?("show", nil, a.attributor, current_user) -%>
+			<% if Authorization.check("view", a.attributor, current_user) -%>
 			  <% if a.attributor_type == 'Workflow' %>
 			  	attributions_workflows[<%= a.attributor_id %>] = '<%= escape_javascript contributable_name(a.attributor_id, 'Workflow') %>';
 			  <% elsif a.attributor_type == 'Blob' %>

Modified: trunk/app/views/contributions/_credits_attributions_box.rhtml (3088 => 3089)


--- trunk/app/views/contributions/_credits_attributions_box.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/contributions/_credits_attributions_box.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -45,7 +45,7 @@
 							<% if a.attributor.nil? -%>
 							  <span class="none_text">Item doesn't exist anymore</span>
 							<% else -%>
-								<% if Authorization.is_authorized?("show", nil, a.attributor, current_user) -%>
+								<% if Authorization.check("view", a.attributor, current_user) -%>
 									<% if a.attributor_type == 'Workflow' %>
 										<%= icon('workflow', nil, nil, nil, '') %> 
 									<% elsif a.attributor_type == 'Blob' %>
@@ -65,8 +65,8 @@
 		<p class="none_text">None</p>
 	<% end %>
 	
-	<% if Authorization.is_authorized?("edit", nil, contributable, current_user) %>
+	<% if Authorization.check("edit", contributable, current_user) %>
 		<p style="text-align: right;"><small>[ <%= link_to "edit", edit_path %> ]</small></p>
 	<% end %>
 	
-</div>
\ No newline at end of file
+</div>

Modified: trunk/app/views/contributions/_in_packs_box.rhtml (3088 => 3089)


--- trunk/app/views/contributions/_in_packs_box.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/contributions/_in_packs_box.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -10,7 +10,7 @@
 			<ul class="items">
 				<% packs.each do |p| %>
 					<li>
-						<% if Authorization.is_authorized?("show", nil, p, current_user) -%>
+						<% if Authorization.check("view", p, current_user) -%>
 							<%= icon('pack', nil, nil, nil, '') %>
 							<%= contributable(p.id, 'Pack') %>
 						<% else -%>

Modified: trunk/app/views/contributions/_table.rhtml (3088 => 3089)


--- trunk/app/views/contributions/_table.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/contributions/_table.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -1,7 +1,7 @@
 <% unless collection.empty? %>
 	
 	<% for contribution in collection %>
-		<% if (show = Authorization.is_authorized?("show", nil, contribution, current_user)) %>
+		<% if (show = Authorization.check("view", contribution.contributable, current_user)) %>
 	    <% unless params[:contributable_type] %>
 				<p style="margin-top: 0.5em;"><b><%= visible_name(contribution.contributable_type) %></b></p>
 			<% end %>
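Review bot: The object passed to the check changes here — the old call passed the Contribution, the new one passes `contribution.contributable` — while home/_updated_items.rhtml in this same commit still passes the Contribution `c` to `Authorization.check("view", c, current_user)`. Whether `Authorization.check` resolves both a Contribution and its contributable cannot be seen from this hunk; if it accepts only one of them, one of the two views is silently gating on the wrong object, so the two call sites should be made consistent. It is also worth confirming that `contribution.contributable` cannot be nil for an orphaned contribution, since a nil object would reach the check unguarded where the old call did not. The `for contribution in collection` loop continues past the hunk.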

Modified: trunk/app/views/experiments/_table.rhtml (3088 => 3089)


--- trunk/app/views/experiments/_table.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/experiments/_table.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -33,7 +33,7 @@
 					</td>
 			    <td class="actions"  style="width: 80px;">
 		      	<%= icon "show", experiment_path(experiment), nil, nil, "View" %>
-						<% if Authorization.is_authorized?('edit', nil, experiment, current_user) %>
+						<% if Authorization.check('edit', experiment, current_user) %>
 							<%= icon('edit', edit_experiment_path(experiment), nil, nil, 'Edit') %>
 						<% end %>
 						<%= icon "job", new_experiment_job_path(experiment), nil, nil, "New Job" %>

Modified: trunk/app/views/experiments/show.rhtml (3088 => 3089)


--- trunk/app/views/experiments/show.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/experiments/show.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -1,6 +1,6 @@
 <% t "#{h @experiment.title}" -%>
 
-<% if Authorization.is_authorized?('edit', nil, @experiment, current_user) -%>
+<% if Authorization.check('edit', @experiment, current_user) -%>
 	<ul class="sectionIcons">
 	  <li><%= icon('edit', edit_experiment_path(@experiment), nil, nil, 'Edit Experiment') %></li>
 	</ul>

Modified: trunk/app/views/home/_latest_comments.rhtml (3088 => 3089)


--- trunk/app/views/home/_latest_comments.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/home/_latest_comments.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -9,7 +9,7 @@
 		<% unless (comments = Comment.latest).empty? %>
 			<ul class="list">
 				<% comments.each do |c| %>
-					<% if Authorization.is_authorized?("show", nil, c.commentable, current_user) %>
+					<% if Authorization.check("view", c.commentable, current_user) %>
 						<li>
 							<b><%= c_type = visible_name(c.commentable_type); icon(c.commentable_type.to_s, nil, nil, c_type, c_type) %>:</b>
 							<span><%= c.commentable_type == 'Network' ? title(c.commentable_id) : contributable(c.commentable_id, c.commentable_type) %></span>

Modified: trunk/app/views/home/_latest_groups.rhtml (3088 => 3089)


--- trunk/app/views/home/_latest_groups.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/home/_latest_groups.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -9,7 +9,7 @@
 			<% unless (groups = Network.recently_created).empty? %>
 				<ul class="list" style="font-size: 85%;">
 					<% groups.each do |g| %>
-						<% if Authorization.is_authorized?("show", nil, g, current_user) %>
+						<% if Authorization.check("view", g, current_user) %>
 							<li>
 								<%= icon('network', nil, nil, 'group icon', '') %>
 								<b><%= link_to h(g.title), network_path(g) %></b>

Modified: trunk/app/views/home/_latest_reviews.rhtml (3088 => 3089)


--- trunk/app/views/home/_latest_reviews.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/home/_latest_reviews.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -9,7 +9,7 @@
 			<% unless (reviews = Review.latest).empty? %>
 				<ul class="list">
 					<% reviews.each do |r| %>
-						<% if Authorization.is_authorized?("show", nil, r.reviewable, current_user) %>
+						<% if Authorization.check("view", r.reviewable, current_user) %>
 							<li>
 								<b><%= r_type = visible_name(r.reviewable_type); icon(r.reviewable_type.to_s, nil, nil, r_type, r_type) %>:</b>
 								<span><%= contributable(r.reviewable_id, r.reviewable_type) %></span>

Modified: trunk/app/views/home/_latest_tags.rhtml (3088 => 3089)


--- trunk/app/views/home/_latest_tags.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/home/_latest_tags.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -9,7 +9,7 @@
 			<% unless (taggings = Tagging.latest(20)).empty? %>
 				<ul class="list" style="font-size: 85%;">
 					<% taggings.each do |t| %>
-						<% if Authorization.is_authorized?("show", nil, t.taggable, current_user) %>
+						<% if Authorization.check("view", t.taggable, current_user) %>
 							<li>
 								<span class="box_standout" style="padding: 0.1em 0.4em;">
 									<b><%= link_to_tag(t.tag) %></b>

Modified: trunk/app/views/home/_updated_items.rhtml (3088 => 3089)


--- trunk/app/views/home/_updated_items.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/home/_updated_items.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -8,7 +8,7 @@
 			<% unless (contributions = Contribution.last_updated(15)).empty? %>
 				<ul class="list">
 					<% contributions.each do |c| %>
-						<% if Authorization.is_authorized?("show", nil, c, current_user) %>
+						<% if Authorization.check("view", c, current_user) %>
 							<li>
 								<b><%= c_type = visible_name(c.contributable_type); icon(c.contributable_type.to_s, nil, nil, c_type, c_type) %>:</b>
 								<%= c.contributable_type == 'Network' ? title(c.contributable_id) : contributable(c.contributable_id, c.contributable_type) %>

Modified: trunk/app/views/jobs/_table.rhtml (3088 => 3089)


--- trunk/app/views/jobs/_table.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/jobs/_table.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -45,7 +45,7 @@
 			    <td class="actions"  style="width: 80px;">
 		      	<%= icon "show", experiment_job_url(job.experiment, job), nil, nil, "View" %>
 						<% if false -%>
-						<% if Authorization.is_authorized?('edit', nil, job, current_user) -%>
+						<% if Authorization.check('edit', job, current_user) -%>
 							<%= icon('edit', edit_experiment_job_path(job.experiment, job), nil, nil, 'Edit') %>
 						<% end -%>
 						<% end -%>
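Review bot: The updated check sits inside `<% if false -%>`, so it is never evaluated and this line was migrated only to keep dead code in step with the API rename. Either remove the `if false` wrapper together with the inner block, or replace it with a comment that records why editing is parked, e.g. `<% # Job editing is intentionally disabled -%>`, so the next rename does not have to maintain it again. The table row this cell belongs to starts before the hunk.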

Modified: trunk/app/views/layouts/_pack_items.rxml (3088 => 3089)


--- trunk/app/views/layouts/_pack_items.rxml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/layouts/_pack_items.rxml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -1,5 +1,5 @@
 pack.contributable_entries.each do |e|
-  show = e.available? ? Authorization.is_authorized?("show", nil, e.contributable, current_user) : false
+  show = e.available? ? Authorization.check("view", e.contributable, current_user) : false
   xm.item do
     if show
       xm.title "#{visible_name(e.contributable_type)}: #{contributable_name(e.contributable_id, e.contributable_type)}"
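Review bot: `show = e.available? ? Authorization.check("view", e.contributable, current_user) : false` reads more naturally as the guard it is: `show = e.available? && Authorization.check("view", e.contributable, current_user)`; the later `if show` treats nil and false alike, so the behaviour is unchanged. The same ternary shape recurs in packs/_items.rhtml in this commit. The `each` block this line opens continues past the hunk.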
@@ -45,4 +45,4 @@
     xm.author contributor_name(e.user_id, 'User')
     xm.link pack_url(pack) + "#item_remote_#{e.id.to_s}"
   end
-end
\ No newline at end of file
+end

Modified: trunk/app/views/packs/_entry_item.rhtml (3088 => 3089)


--- trunk/app/views/packs/_entry_item.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/packs/_entry_item.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -2,7 +2,7 @@
 <% if type and item_entry -%>
 	<% if type == 'contributable' -%>
 		<% if item_entry.contributable -%>
-			<% if Authorization.is_authorized?("show", nil, item_entry.contributable, current_user) -%>
+			<% if Authorization.check("view", item_entry.contributable, current_user) -%>
 				<p style="text-align: center;">
 					<b>
 						<%= visible_name(item_entry.contributable_type) -%>:
@@ -30,4 +30,4 @@
 			<%= link_to h(item_entry.uri), h(item_entry.uri), :popup => true %>
 		</p>
 	<% end -%>
-<% end -%>
\ No newline at end of file
+<% end -%>

Modified: trunk/app/views/packs/_items.rhtml (3088 => 3089)


--- trunk/app/views/packs/_items.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/packs/_items.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -11,7 +11,7 @@
 			
 			<!-- Contributable Item Entries -->
 			<% pack.contributable_entries.each do |e| %>
-				<% show = e.available? ? Authorization.is_authorized?("show", nil, e.contributable, current_user) : false -%>
+				<% show = e.available? ? Authorization.check("view", e.contributable, current_user) : false -%>
 				<li>
 					<table>
 						<tr>

Modified: trunk/app/views/packs/_table.rhtml (3088 => 3089)


--- trunk/app/views/packs/_table.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/packs/_table.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -6,9 +6,9 @@
 	<% for pack in collection %>
 		<% # If only one item in collection, check if 'show' permission is available (eg: if this partial was called from contributions/table) -%>
 		<% if collection.size == 1 -%>
-			<% show ||= Authorization.is_authorized?("show", nil, pack, current_user) -%>
+			<% show ||= Authorization.check("view", pack, current_user) -%>
 		<% else -%>
-			<% show = Authorization.is_authorized?("show", nil, pack, current_user) -%>
+			<% show = Authorization.check("view", pack, current_user) -%>
 		<% end -%>
 	  <% if show -%>
 			<% cache(:controller => 'packs_cache', :action ="" 'listing', :id => pack.id) do -%>
@@ -61,9 +61,9 @@
 					
 					<td class="actions" style="width: 80px;">
 				    <%= icon "show", pack_path(pack), nil, nil, "View" %>
-						<% if Authorization.is_authorized?("download", nil, pack, current_user) -%><%= icon('download', download_pack_path(pack), nil, nil, 'Download') -%><% end -%>
+						<% if Authorization.check("download", pack, current_user) -%><%= icon('download', download_pack_path(pack), nil, nil, 'Download') -%><% end -%>
 				    <% if mine?(pack) %><%= icon "manage", edit_pack_path(pack), nil, nil, "Manage" %><% end %>
-						<% if Authorization.is_authorized?("edit", nil, pack, current_user) -%><%= icon('new', new_item_pack_path(pack), nil, nil, 'Add New Item') -%><% end -%>
+						<% if Authorization.check("edit", pack, current_user) -%><%= icon('new', new_item_pack_path(pack), nil, nil, 'Add New Item') -%><% end -%>
 				  </td>
 				</tr>
 			<% end %>
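Review bot: The download and "Add New Item" icons in this cell depend on `current_user`, but the `cache(:controller => 'packs_cache', :action => 'listing', :id => pack.id)` fragment opened in the first hunk is keyed only on the pack id; if that cache block still encloses this cell (its closing `end` is not visible here), the first visitor's per-user icons are served to every later visitor until the fragment expires, so users who fail the check would still see the links and users who pass it might not. The controller must still enforce the permission on the actual request, but the listing should either include the viewer's identity or the check results in the cache key, or move the per-user `<td class="actions">` outside the cached fragment. The `for pack in collection` loop starts before the hunk.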

Modified: trunk/app/views/packs/show.rhtml (3088 => 3089)


--- trunk/app/views/packs/show.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/packs/show.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -5,7 +5,7 @@
 		<% if mine?(@pack) -%>
 			<li><%= icon('manage', edit_pack_path(@pack), nil, nil, 'Manage Pack') -%></li>
 		<% end -%>
-		<% if Authorization.is_authorized?("destroy", nil, @pack, current_user) %>
+		<% if Authorization.check("destroy", @pack, current_user) %>
 			<li><%= icon('destroy', pack_path(@pack), nil, { :confirm => 'This deletes the Pack and all metadata such as tags and comments, BUT does not delete the actual items pointed to in the Pack. Are you sure you would like to delete this Pack?', :method => :delete }, 'Delete Pack') %></li>
 		<% end %>
 	</ul>

Modified: trunk/app/views/pictures/index.rhtml (3088 => 3089)


--- trunk/app/views/pictures/index.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/pictures/index.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -15,7 +15,7 @@
 
     <% odd_row = false -%>
     <% for picture in @pictures %>
-      <% if Authorization.is_authorized?("view", nil, picture, current_user) %>
+      <% if Authorization.check("view", picture, current_user) %>
         <tr class="<%= (odd_row = !odd_row) ? "odd_row" : "even_row" %>">
           <td width="150">
             <% if picture.selected? %>

Modified: trunk/app/views/relationships/_relationships.rhtml (3088 => 3089)


--- trunk/app/views/relationships/_relationships.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/relationships/_relationships.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -1,4 +1,4 @@
-<% can_edit = Authorization.check(:action ="" 'edit', :object => context, :user => current_user) %>
+<% can_edit = Authorization.check('edit', context, current_user) %>
 <% relationships = context.relationships %>
 
 <% if relationships.empty? %>

Modified: trunk/app/views/runners/_table.rhtml (3088 => 3089)


--- trunk/app/views/runners/_table.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/runners/_table.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -35,7 +35,7 @@
 					</td>
 			    <td class="actions"  style="width: 80px;">
 		      	<%= icon "show", runner_path(runner), nil, nil, "View" %>
-						<% if Authorization.is_authorized?('edit', nil, runner, current_user) %>
+						<% if Authorization.check('edit', runner, current_user) %>
 							<%= icon('edit', edit_runner_path(runner), nil, nil, 'Edit') %>
 						<% end %>
 		    	</td>

Modified: trunk/app/views/runners/show.rhtml (3088 => 3089)


--- trunk/app/views/runners/show.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/runners/show.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -1,6 +1,6 @@
 <% t "address@hidden - #{h @runner.title}" -%>
 
-<% if Authorization.is_authorized?('edit', nil, @runner, current_user) -%>
+<% if Authorization.check('edit', @runner, current_user) -%>
 	<ul class="sectionIcons">
 	  <li><%= icon('edit', edit_runner_path(@runner), nil, nil, 'Edit Runner') %></li>
 	</ul>

Modified: trunk/app/views/users/_listing.rhtml (3088 => 3089)


--- trunk/app/views/users/_listing.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/users/_listing.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -87,7 +87,7 @@
     <% end %>
   <% end %>
 
-  <% if Authorization.check(:action ="" 'destroy', :object => user, :user => current_user) %>
+  <% if Authorization.check('destroy', user, current_user) %>
     <%= icon "destroy", user_path(user) + "?return_to=" + CGI::escape(request.request_uri), nil, {
       :confirm => "Are you sure you want to remove this user?", :method => :delete},
       "Delete User" %>

Modified: trunk/app/views/users/show.rhtml (3088 => 3089)


--- trunk/app/views/users/show.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/users/show.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -59,7 +59,7 @@
 			  <li><%= icon('history', user_userhistory_path(@user), nil, nil, 'View My History')%></li>
 	    <% end %>
 
-      <% if Authorization.check(:action ="" 'destroy', :object => @user, :user => current_user) %>
+      <% if Authorization.check('destroy', @user, current_user) %>
 					<li><%= icon "destroy", user_path(@user), nil, {
             :confirm => "Are you sure you want to remove this user?", :method => :delete},
             "Delete User" %></li>
@@ -213,7 +213,7 @@
 				<div class="stats_box">
 					<p>
 			      <b>
-			      	<%= link_to(pluralize(@user.friends.length, "Friend"), url_for(:action ="" 'friends')) -%>
+			      	<%= link_to(pluralize(Friendship.count(:conditions => ["accepted_at IS NOT NULL AND (user_id = ? OR friend_id = ?)", @user.id, @user.id]), "Friend"), url_for(:action ="" 'friends')) -%>
 						</b> 
 			    </p>
 					
@@ -249,7 +249,7 @@
 				<p>
 					<b>
 						<%= h @user.name -%> has been credited
-						<%= link_to(pluralize(@user.creditations.length, "time"), url_for(:action ="" 'credits')) -%>
+						<%= link_to(pluralize(Authorization.scoped(Contribution).find(:all, :select => "0", :joins => "JOIN creditations ON creditations.creditable_type = contributions.contributable_type AND creditations.creditable_id = contributions.contributable_id", :conditions => ["creditations.creditor_type = ? AND creditations.creditor_id = ?", "User", @user.id]).length, "time"), url_for(:action ="" 'credits')) -%>
 					</b>
 				</p>
 			</div>
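Review bot: The new credit count does `find(:all, :select => "0", ...).length`, which loads one row per creditation into Ruby just to count them; calling `.count` on `Authorization.scoped(Contribution)` with the same `:joins` and `:conditions` issues a single COUNT query instead, which is the pattern the `Friendship.count(:conditions => [...])` call in the previous hunk already uses. Note also that `Authorization.scoped(Contribution)` is called here without any user argument, so whether the count reflects `current_user`'s visibility or some default scope cannot be seen from this hunk and is worth confirming, since the number shown is presented as the user's total credits.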

Modified: trunk/app/views/workflows/_anchors.rhtml (3088 => 3089)


--- trunk/app/views/workflows/_anchors.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/workflows/_anchors.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -7,7 +7,7 @@
         <% collection.each_index do |i| %>
           <% workflow = collection[i] %>
         
-          <% if Authorization.is_authorized?("show", nil, workflow, current_user) %>
+          <% if Authorization.check("view", workflow, current_user) %>
             <a href="" h(workflow.title).gsub(/ /, "_") %>"><%= num %>. <%= h(workflow.title) %></a><br/>
             <% num = num + 1 %>
           <% end %>

Modified: trunk/app/views/workflows/_table.rhtml (3088 => 3089)


--- trunk/app/views/workflows/_table.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/workflows/_table.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -7,9 +7,9 @@
 	<% for workflow in collection %>
 		<% # If only one item in collection, check if 'show' permission is available (eg: if this partial was called from contributions/table) -%>
 		<% if collection.size == 1 -%>
-			<% show ||= Authorization.is_authorized?("show", nil, workflow, current_user) -%>
+			<% show ||= Authorization.check("view", workflow, current_user) -%>
 		<% else -%>
-			<% show = Authorization.is_authorized?("show", nil, workflow, current_user) -%>
+			<% show = Authorization.check("view", workflow, current_user) -%>
 		<% end -%>
 	  <% if show -%>
 		<tr class="<%= (odd_row = !odd_row) ? "odd_row" : "even_row" %>">
@@ -56,7 +56,7 @@
 					  	<p style="font-size:85%;">
 							<b>Attributions:</b>
 							<% attributors.each do |a| %>
-								<% if Authorization.is_authorized?("show", nil, a.attributor, current_user) -%>
+								<% if Authorization.check("view", a.attributor, current_user) -%>
 									<% if a.attributor_type == 'Workflow' %>
 										<%= icon('workflow', nil, nil, nil, '') %> 
 									<% elsif a.attributor_type == 'Blob' %>
@@ -120,7 +120,7 @@
 			<% end -%>
 			    <td class="actions" style="width: 120px;">
 			      <%= icon "show", workflow_path(workflow), nil, nil, "View" %>
-				  	<% if Authorization.is_authorized?("download", nil, workflow, current_user) -%>
+				  	<% if Authorization.check("download", workflow, current_user) -%>
 						<%= icon "download", download_workflow_path(workflow), nil, nil, "Download (v#{workflow.versions.count})" %>
 						<% if ( session[:callback] && (session[:callback][:types].include?(workflow.content_type_id))) -%>
 							<%= icon "download", callback_url(workflow).to_s, nil, {:rel => 'nofollow'}, session[:callback][:label] -%>

Modified: trunk/app/views/workflows/_workflow.rhtml (3088 => 3089)


--- trunk/app/views/workflows/_workflow.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/workflows/_workflow.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -1,5 +1,5 @@
 <% image = !(workflow.image.nil?) -%>
-<% show = Authorization.is_authorized?("show", nil, workflow, current_user) -%>
+<% show = Authorization.check("view", workflow, current_user) -%>
 
 <% if show %>
 <center>
@@ -44,10 +44,10 @@
 	  <tr>
 	    <td colspan="<%= show ? 3 : 2 %>">
 	      <center>
-	        <% if Authorization.is_authorized?("download", nil, workflow, current_user) %><%= icon "download", download_workflow_path(workflow) %> <% end %>
+	        <% if Authorization.check("download", workflow, current_user) %><%= icon "download", download_workflow_path(workflow) %> <% end %>
 	        <% if show %><%= icon "show", workflow_path(workflow) %> <% end %>
-	        <% if logged_in? && Authorization.is_authorized?("edit", nil, workflow, current_user) %><%= icon "edit", edit_workflow_path(workflow) %> <% end %>
-	        <% if logged_in? && Authorization.is_authorized?("destroy", nil, workflow, current_user) %><%= icon "destroy", workflow_path(workflow), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
+	        <% if logged_in? && Authorization.check("edit", workflow, current_user) %><%= icon "edit", edit_workflow_path(workflow) %> <% end %>
+	        <% if logged_in? && Authorization.check("destroy", workflow, current_user) %><%= icon "destroy", workflow_path(workflow), nil, :confirm => 'Are you sure?', :method => :delete %><% end %>
 	      </center>
 	    </td>
 	  </tr>

Modified: trunk/app/views/workflows/show.rhtml (3088 => 3089)


--- trunk/app/views/workflows/show.rhtml	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/app/views/workflows/show.rhtml	2012-08-19 06:51:23 UTC (rev 3089)
@@ -7,7 +7,7 @@
 	<% if mine?(@workflow) -%>
 		<li><%= icon('manage', edit_workflow_path(@workflow), nil, nil, 'Manage Workflow Entry')%></li>
 	<% end -%>
-	<% if Authorization.is_authorized?("destroy", nil, @workflow, current_user) -%>
+	<% if Authorization.check("destroy", @workflow, current_user) -%>
 		<li>
 			<%= icon('destroy', workflow_path(@workflow), nil, { :confirm => 'This deletes all versions of the Workflow and all metadata such as tags, comments and citations. Are you sure?', :method => :delete }, 'Delete Workflow Entry') %>
 		</li>
@@ -67,7 +67,7 @@
 					<li style="margin-left: 0;"><%= icon('edit', workflow_version_edit_url(@workflow.id, @viewing_version.version), nil, nil, "Edit This Version") %></li>
 	        <% if false %>
 					<% if @latest_version_number > 1 %>
-						<% if Authorization.is_authorized?("destroy", nil, @workflow, current_user) %>
+						<% if Authorization.check("destroy", @workflow, current_user) %>
 							<li><%= icon('destroy', workflow_version_delete_url(@workflow.id, @viewing_version.version), nil, { :confirm => "Are you sure you want to delete this version (Version address@hidden) of the Workflow file (including title/description metadata)?", :method => :delete }, 'Delete This Version') %></li>
 						<% end %>
 	        <% end %>

Modified: trunk/lib/authorization.rb (3088 => 3089)


--- trunk/lib/authorization.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/lib/authorization.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -1,469 +1,148 @@
-# myExperiment: lib/is_authorized.rb
+# myExperiment: lib/authorization.rb
 # 
-# Copyright (c) 2007 University of Manchester and the University of Southampton.
+# Copyright (c) 2012 University of Manchester and the University of Southampton.
 # See license.txt for details.
 
 module Authorization
 
-  # Authorization logic collected from enactment code
-
-  # Note: at the moment (Feb 2008), Experiments (and associated Jobs) are
-  # private to the owner, if a User owns it, OR accessible by all members of a
-  # Group, if a Group owns it. 
-
-  def Authorization.experiment_authorized?(experiment, action_name, user)
-    return false if user.nil?
-    
-    case experiment.contributor_type.to_s
-    when "User"
-      return experiment.contributor_id.to_i == user.id.to_i
-    when "Network"
-      return experiment.contributor.member?(user.id)
-    else
-      return false
-    end 
-  end
-
-  def Authorization.job_authorized?(job, action_name, user)
-    # Use authorization logic from parent Experiment
-    return Authorization.experiment_authorized?(job.experiment, action_name, user)
-  end
-
-  def Authorization.runner_authorized?(runner, action_name, user)
-    return false if user.nil?
-    
-    case runner.contributor_type.to_s
-    when "User"
-      return runner.contributor_id.to_i == user.id.to_i
-    when "Network"
-      if ['edit','update','delete'].include?(action_name.downcase)
-        return runner.contributor.owner?(user.id)
-      else
-        return runner.contributor.member?(user.id)
-      end
-    else
-      return false
-    end
-  end
-
-  def self.user_is_administrator?(user)
-
-    return false if user.nil?
-
-    if user.instance_of?(User)
-      Conf.admins.include?(user.username)
-    else
-      Conf.admins.include?(User.find(user).username)
-    end
-  end
-
-  def self.user_is_curator?(user)
-
-    return false if user.nil?
-
-    if user.instance_of?(User)
-      Conf.curators.include?(user.username)
-    else
-      Conf.curators.include?(User.find(user).username)
-    end
-  end
-
-  # Single entry point to authorisation checks for instances of objects and
-  # also classes of objects.
+  # Authorisation check for instances and classes of objects.
   #
-  # Options:
+  # Arguments:
   #
-  # :action      - This string describes the action to be performed, e.g.
-  #                'create', 'read', 'update' or 'destroy'.
+  # action      - This string describes the action to be performed, e.g.
+  #               'create', 'read', 'update' or 'destroy'.
   #
-  # :object      - This is the object being acted upon, e.g. an instance of a
-  #                Comment or an instance of a Workflow.
+  # object      - This is the object being acted upon, e.g. an instance of a
+  #               Comment or an instance of a Workflow.
   #
-  # :object_type - As an alternative to an instance of an object, you can
-  # :object_id     specify the type and id instead and this might not cause
-  #                the object to be loaded into memory.
+  # user        - The user that the check is with respect to.  Typically,
+  #               this would be current_user.
   #
-  # :model       - If the action is performed on a class of objects, such as
-  #                creating a Workflow, then specify the class of the object
-  #                to be acted upon instead of an instance.  This is a class
-  #                object, e.g. Workflow.
-  #
-  # :user        - The user that the check is with respect to.  Typically,
-  #                this would be current_user.
-  #
-  # :context     - This is the context in which the object or object to be
-  #                created is made.  For example, pack entries can only be
-  #                created by those that can edit the pack that the entry will
-  #                be made in, so the context here would be an instance of the
-  #                pack in question.  This is only usually required for
-  #                'create' actions.
+  # context     - This is the context in which the object or object to be
+  #               created is made.  For example, pack entries can only be
+  #               created by those that can edit the pack that the entry will
+  #               be made in, so the context here would be an instance of the
+  #               pack in question.  This is only usually required for 'create'
+  #               actions.
 
-  def self.check(opts = {})
+  def self.check(action, object, user, context = nil)
 
-    raise "Missing action in authorisation check" if opts[:action].nil?
+    valid_actions = ["create", "view", "edit", "destroy", "download", "execute"]
 
-    opts[:user] = nil if opts[:user] == 0
+    # This behaviour isn't ideal, but the old authorisation function would just
+    # return false with invalid arguments.  I'll have this in here until I can
+    # remove it.
 
-    if opts[:model].nil? && opts[:object].nil? && (opts[:object_type].nil? || opts[:object_id])
-      raise "Missing object / model in authorisation check"
-    end
+    return false if action.nil? || object.nil?
+#   raise "Missing action in authorisation check" unless action
+#   raise "Missing object in authorisation check" unless object
 
-    if opts[:model]
-      Authorization.is_authorized_for_type?(opts[:action], opts[:model], opts[:user], opts[:context])
-    else
-      if opts[:object]
-        Authorization.is_authorized?(opts[:action], nil, opts[:object], opts[:user])
-      else
-        Authorization.is_authorized_for_type?(opts[:action], opts[:object_type], opts[:object_id], opts[:user])
-      end
-    end
-  end
+    # If it is a contribution, then work on the contributable instead.  I'm not
+    # sure this is still needed and I'll remove it if I can.
 
-  def Authorization.is_authorized_for_type?(action, object_type, user, context)
+    object = object.contributable if object.kind_of?(Contribution)
 
-    # This method deals with cases where there is no instantiated object to
-    # authorize.  This is usually when thing area created.  The other normal
-    # CRUD actions (read, update and destroy) are handled by is_authorized?
-    # since there's an instantiatable object to authorize on.
- 
-    # normalise user to nil if this is for an unauthenticated user
-    user = nil if user == 0
+    raise "Invalid action ('#{action}') in authorisation check" unless action && valid_actions.include?(action)
 
-    raise "object_type missing in is_authorized_for_type?" if object_type.nil?
+    # Set the user to nil if there is no user (e.g. 0 becomes nil).
 
-    # Workflow permissions
+    user = nil unless user.kind_of?(User)
     
-    if (object_type == 'Workflow') && (action == 'create')
+    is_authorized = false
 
-      # Workflows can only be created by authenticated users
-      return !user.nil?
-    end
-    
-    # Blob permissions
-    
-    if (object_type == 'Blob') && (action == 'create')
+    object_type = object.class == Class ? object.name : object.class.name
 
-      # Files can only be created by authenticated users
-      return !user.nil?
-    end
-    
-    # Pack permissions
+    case object_type
 
-    if (object_type == 'Pack') && (action == 'create')
+      when "Workflow", "Blog", "Blob", "Pack", "Service", "Contribution"
 
-      # Packs can only be created by authenticated users
-      return !user.nil?
-    end
+        # workflows can only be created by authenticated users
+        if (action == "create") && [Workflow, Blob, Pack].include?(object)
+          return !user.nil?
+        end
 
-    if (object_type == 'PackRemoteEntry') && (action == 'create')
+        # the owner of a contributable can perform all actions on it
+        return true if object.contributor == user
 
-      # Remote pack items can only be added by users that can edit a pack
-      return Authorization.is_authorized?('edit', nil, context, user)
-    end
+        # get the object with edit, view and download permissions attached
+        ob = Authorization.scoped(object.class, :permissions_only => true, :authorised_user => user).find_by_id(object.id)
 
-    if (object_type == 'PackContributableEntry') && (action == 'create')
+        # not getting an object means that there is no view permission
+        return false if ob.nil?
 
-      # Contributable pack items can only be added by users that can edit a pack
-      return Authorization.is_authorized?('edit', nil, context, user)
-    end
-
-    # Comment permissions
-    
-    if (object_type == 'Comment') && (action == 'create')
-
-      # Comments can only be created by authenticated users
-      return false if user.nil?
-
-      # Comments can only be added to things that a user can view
-      return Authorization.is_authorized?('view', nil, context, user) if context
-
-      return true
-    end
-    
-    # Rating permissions
-
-    if (object_type == 'Rating') && (action == 'create')
-
-      # Ratings can only be created by authenticated users
-      return false if user.nil?
-
-      # Ratings can only be set on things that a user can view
-      return Authorization.is_authorized?('view', nil, context, user) if context
-
-      return true
-    end
-    
-    # Tagging permissions
-
-    if (object_type == 'Tagging') && (action == 'create')
-
-      # Taggings can only be created by authenticated users
-      return false if user.nil?
-
-      # Taggings can only be set on things that a user can view
-      return Authorization.is_authorized?('view', nil, context, user) if context
-
-      return true
-    end
-    
-    # Bookmark permissions
-
-    if (object_type == 'Bookmark') && (action == 'create')
-
-      # Bookmarks can only be created by authenticated users
-      return false if user.nil?
-
-      # Bookmarks can only be added to things that a user can view
-      return Authorization.is_authorized?('view', nil, context, user) if context
-
-      return true
-    end
-
-    # Ontology permissions
-    
-    if (object_type == 'Ontology') && (action == 'create')
-
-      # Ontologies can only be created by authenticated users
-      return !user.nil?
-    end
-    
-    # Predicate permissions
-
-    if (object_type == 'Predicate') && (action == 'create')
-
-      # Predicates can only be added by users that can edit its ontology
-      return Authorization.is_authorized?('edit', nil, context, user)
-    end
-
-    # Relationship permissions
-
-    if (object_type == 'Relationship') && (action == 'create')
-
-      # Relationships can only be added by users that can edit its context
-      return Authorization.is_authorized?('edit', nil, context, user)
-    end
-
-    return false
-  end
-
-  # 1) action_name - name of the action that is about to happen with the "thing"
-  # 2) thing_type - class name of the thing that needs to be authorized;
-  #                 use NIL as a value of this parameter if an instance of the object to be authorized is supplied as "thing";
-  # 3) thing - this is supposed to be an instance of the thing to be authorized, but
-  #            can also accept an ID (since we have the type, too - "thing_type")
-  # 4) user - can be either user instance or the ID (NIL or 0 to indicate anonymous/not logged in user)
-  #
-  # Note: there is no method overloading in Ruby and it's a good idea to have a default "nil" value for "user";
-  #       this leaves no other choice as to have (sometimes) redundant "thing_type" parameter.
-  def Authorization.is_authorized?(action_name, thing_type, thing, user=nil)
-    thing_instance = nil
-    thing_contribution = nil
-    thing_id = nil
-    user_instance = nil
-    user_id = nil # if this value will not get updated by input parameters - user will be treated as anonymous
-
-    # ***************************************
-    #      Pre-checks on the Parameters
-    # ***************************************
-
-    # check first if the action that is being executed is known - not authorized otherwise
-    action = ""
-    return false unless action
-    
-    # if "thing" is unknown, or "thing" expresses ID of the object to be authorized, but "thing_type" is unknown - don't authorise the action
-    # (this would allow, however, supplying no type, but giving the object instance as "thing" instead)
-    return false if thing.blank? || (thing_type.blank? && thing.kind_of?(Fixnum))
-    
-    
-    
-    # some value for "thing" supplied - assume that the object exists; check if it is an instance or the ID
-    if thing.kind_of?(Fixnum)
-      # just an ID was provided - "thing_type" is assumed to have a type then
-      thing_id = thing
-    elsif thing.kind_of?(Contribution)
-      # thing_type/_id should be properties of the actual "thing", not it's contribution
-      thing_contribution = thing
-      thing_type = thing_contribution.contributable_type
-      thing_id = thing_contribution.contributable_id
-    else
-      # "thing" isn't an ID of the object; it's not a Contribution, 
-      # so it must be an instance of the object to be authorized -- this can be:
-      # -- "contributable" (workflow / file / pack) : (will still have to "find" the Contribution instance for this contributable aftewards)
-      # OR
-      # -- Network instance
-      # -- Experiment / Job / Runner / TavernaEnactor instance
-      # -- Comment / Bookmark
-      # -- or any other object instance, for which we'll use the object itself to run .authorized?() on it
-      thing_instance = thing
-      thing_type = thing.class.name
-      thing_id = thing.id
-    end
-    
-    
-    if user.kind_of?(User)
-      user_instance = user
-      user_id = user.id
-    elsif user == 0
-      # "Authenticated System" sets current_user to 0 if not logged in (i.e. anonymous user)
-      user_id = nil
-    elsif user.nil? || user.kind_of?(Fixnum)
-      # anonymous user OR only id of the user, not an instance was provided;
-      user_id = user
-    end
-    
-
-    # ***************************************
-    #      Actual Authorization Begins 
-    # ***************************************
-
-    # if (thing_type, ID) pair was supplied instead of a "thing" instance,
-    # need to find the object that needs to be authorized first;
-    # (only do this for object types that are known to require authorization)
-    #
-    # this is required to get "policy_id" for policy-based aurhorized objects (like workflows / blobs / packs / contributions)
-    # and to get objects themself for other object types (networks, experiments, jobs, tavernaenactors, runners)
-    if (thing_contribution.nil? && ["Workflow", "Blog", "Blob", "Pack", "Ontology", "Contribution"].include?(thing_type)) || 
-       (thing_instance.nil? && ["Network", "Comment", "Bookmark", "Experiment", "Job", "TavernaEnactor", "Runner", "Picture", "ClientApplication", "Predicate", "Relationship"].include?(thing_type))
-      
-      found_thing = find_thing(thing_type, thing_id)
-      
-      unless found_thing
-        # search didn't yield any results - the "thing" wasn't found; can't authorize unknown objects
-        Rails.logger.error("UNEXPECTED ERROR - Couldn't find object to be authorized:(#{thing_type}, #{thing_id}); action: #{action_name}; user: #{user_id}")
-        return false
-      else
-        if ["Workflow", "Blog", "Blob", "Pack", "Contribution"].include?(thing_type)
-          # "contribution" are only found for these three types of object (and the contributions themself),
-          # for all the rest - use instances
-          thing_contribution = found_thing
-        else
-          thing_instance = found_thing
+        # return the response
+        case action
+          when "view";     return ob.view_permission == "1"
+          when "download"; return ob.download_permission == "1"
+          when "edit";     return ob.edit_permission == "1"
+          else;            return false
         end
-      end
-    end
-    
-
-    # initially not authorized, so if all tests fail -
-    # safe result of being not authorized will get returned 
-    is_authorized = false
-    
-    case thing_type
-      when "Workflow", "Blog", "Blob", "Pack", "Contribution"
-        unless user_id.nil?
-          # access is authorized and no further checks required in two cases:
-          # ** user is the owner of the "thing"
-          return true if is_owner?(user_id, thing_contribution)
-          
-          # ** user is admin of the policy associated with the "thing"
-          #    (this means that the user might not have uploaded the "thing", but
-          #     is the one managing the access permissions for it)
-          #
-          #    it's fine if policy will not be found at this step - default one will get
-          #    used further when required
-          policy_id = thing_contribution.policy_id
-          policy = get_policy(policy_id, thing_contribution)
-          return false unless policy # if policy wasn't found (and default one couldn't be applied) - error; not authorized
-          return true if is_policy_admin?(policy, user_id)
-          
-          
-          # only owners / policy admins are allowed to perform actions categorized as "destroy";
-          # hence "destroy" actions are not authorized below this point
-          return false if action == "destroy"
-          
-          
-          # user is not the owner/admin of the object; action is not of "destroy" class;
-          # next thing - obtain all the permissions that are relevant to the user
-          # (start with individual user permissions; group permissions will only
-          #  be considered if that is required further on)
-          user_permissions = get_user_permissions(user_id, policy_id)
-          
-          # individual user permissions override any other settings;
-          # if several of these are found (which shouldn't be the case),
-          # all are considered, but the one with "highest" access right is
-          # used to make final decision -- that is if at least one of the
-          # user permissions allows to make the action, it will be allowed;
-          # likewise, if none of the permissions allow the action it will
-          # not be allowed
-          unless user_permissions.empty?
-            authorized_by_user_permissions = false
-            user_permissions.each do |p|
-              authorized_by_user_permissions = true if permission_allows_action?(action, p)
-            end
-            return authorized_by_user_permissions
-          end
-          
-          
-          # no user permissions found, need to check what is allowed by policy
-          # (if no policy was found, default policy is in use instead)
-          authorized_by_policy = false
-          authorized_by_policy = authorized_by_policy?(policy, thing_contribution, action, user_id)
-          return true if authorized_by_policy
-          
-
-          # not authorized by policy, check the group permissions -- the ones
-          # attached to "thing's" policy and belonging to the groups, where
-          # "user" is a member or admin of;
-          #
-          # these cannot limit what is allowed by policy settings, only give more access rights 
-          authorized_by_group_permissions = false
-          group_permissions = get_group_permissions(policy_id)
-          
-          unless group_permissions.empty?
-            group_permissions.each do |p|
-              # check if this permission is applicable to the "user"
-              if permission_allows_action?(action, p) && (is_network_member?(user_id, p.contributor_id) || is_network_admin?(user_id, p.contributor_id))
-                authorized_by_group_permissions = true
-                break
-              end
-            end
-            return authorized_by_group_permissions if authorized_by_group_permissions
-          end
-          
-          # user permissions, policy settings and group permissions didn't give the
-          # positive result - decline the action request
-          return false
         
-        else
-          # this is for cases where trying to authorize anonymous users;
-          # the only possible check - on public policy settings:
-          policy_id = thing_contribution.policy_id
-          policy = get_policy(policy_id, thing_contribution)
-          return false unless policy # if policy wasn't found (and default one couldn't be applied) - error; not authorized
-          
-          return authorized_by_policy?(policy, thing_contribution, action, nil)
-        end
-        
       when "Network"
         case action
           when "edit", "destroy"
             # check to allow only admin to edit / delete the group
-            is_authorized = is_network_admin?(user_id, thing_id)
+            is_authorized = user && user.network_admin?(object.id)
           else
             is_authorized = true
         end
       
       when "Comment"
         case action
+          when "create"
+
+            # Comments can be created by authenticated users that can view the context
+            is_authorized = !user.nil? && Authorization.check('view', context, user)
+
           when "destroy"
+
             # Users can delete their own comments.  Curators and
             # administrators can delete any comment.
   
-            is_authorized = Authorization.is_owner?(user_id, thing_instance) ||
-              user_is_administrator?(user_id) || user_is_curator?(user_id)
+            is_authorized = object.user == user || (user && user.admin?) || (user && user.curator?)
 
           when "view"
             # user can view comment if they can view the item that this comment references 
-            is_authorized = Authorization.is_authorized?('view', thing_instance.commentable_type, thing_instance.commentable_id, user)
+            is_authorized = Authorization.check('view', object.commentable, user)
           else
             # 'edit' or any other actions are not allowed on comments
             is_authorized = false
         end
       
+      when "Rating"
+        case action
+          when "create"
+
+            # Ratings can be created by authenticated users that can view the context
+            is_authorized = !user.nil? && Authorization.check('view', context, user)
+
+          when "edit", "destroy"
+
+            # Users can edit or remove their own ratings
+            is_authorized = !user.nil? && object.user == user
+        end
+
+      when "Tagging"
+        case action
+          when "create"
+
+            # Taggings can be created by authenticated users that can view the context
+            is_authorized = !user.nil? && Authorization.check('view', context, user)
+
+          when "destroy"
+
+            # Users can delete their own taggings
+            is_authorized = !user.nil? && object.user == user
+        end
+
       when "Bookmark"
         case action
+          when "create"
+            # Bookmarks can be created by authenticated users that can view the context
+            is_authorized = !user.nil? && Authorization.check('view', context, user)
           when "destroy"
             # only the user who created the bookmark can delete it
-            is_authorized = Authorization.is_owner?(user_id, thing_instance)
+            is_authorized = object.user == user
           when "view"
             # everyone can view bookmarks
             is_authorized = true
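Review bot: Several ownership checks in the rewritten `check` compare a record's owner directly to `user` without the `!user.nil?` guard that the new Rating and Tagging branches use: `object.user == user` in the Comment `destroy` and Bookmark `destroy` branches here (and `object.contributor == user` in the contributable branch), and the same pattern recurs in the `@@ -534` hunk for Picture, ClientApplication and Ontology. If the owner association is ever NULL, an anonymous caller (`user` is nil after the `user = nil unless user.kind_of?(User)` normalisation) satisfies `nil == nil` and is granted the action; writing them as `!user.nil? && object.user == user` keeps the check fail-closed and consistent with the Rating/Tagging branches. Separately, the header comment still lists `'create', 'read', 'update' or 'destroy'` as example actions, but `valid_actions` accepts only `create`, `view`, `edit`, `destroy`, `download` and `execute` and raises on anything else, so the comment should list those. The removed code also appears to have granted policy admins owner-equivalent rights (including destroy) on contributables, while the new branch short-circuits only on `object.contributor == user` and answers `destroy` with false for everyone else; if that narrowing is intended it deserves a comment. `check` continues past the end of this hunk.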
@@ -475,24 +154,52 @@
       
       when "Experiment"
 
-        user_instance = get_user(user_id) unless user_instance
+        if user.nil?
+          is_authorized = false
+        else
+          case object.contributor_type.to_s
+          when "User"
+            is_authorized = object.contributor_id.to_i == user.id.to_i
+          when "Network"
+            is_authorized = object.contributor.member?(user.id)
+          else
+            is_authorized = false
+          end 
+        end
 
-        # "action_name" used to work with original action name, rather than classification made inside the module
-        is_authorized = Authorization.experiment_authorized?(thing_instance, action_name, user)
-
       when "TavernaEnactor", "Runner"
 
-        user_instance = get_user(user_id) unless user_instance
+        if user.nil?
+          is_authorized = false
+        else
+          case object.contributor_type.to_s
+          when "User"
+            is_authorized = object.contributor_id.to_i == user.id.to_i
+          when "Network"
+            if ['edit', 'destroy'].include?(action.downcase)
+              is_authorized = object.contributor.owner?(user.id)
+            else
+              is_authorized = object.contributor.member?(user.id)
+            end
+          else
+            is_authorized = false
+          end
+        end
 
-        # "action_name" used to work with original action name, rather than classification made inside the module
-        is_authorized = Authorization.runner_authorized?(thing_instance, action_name, user)
-
       when "Job"
 
-        user_instance = get_user(user_id) unless user_instance
-        
-        # "action_name" used to work with original action name, rather than classification made inside the module
-        is_authorized = Authorization.job_authorized?(thing_instance, action_name, user)
+        if user.nil?
+          is_authorized = false
+        else
+          case object.experiment.contributor_type.to_s
+          when "User"
+            is_authorized = object.experiment.contributor_id.to_i == user.id.to_i
+          when "Network"
+            is_authorized = object.experiment.contributor.member?(user.id)
+          else
+            is_authorized = false
+          end 
+        end
       
       when "ContentType"
 
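Review bot: The Experiment, Runner and Job branches repeat the same `case object.contributor_type.to_s` block (Job on `object.experiment`), differing only in Runner's owner check for edit/destroy; a small helper would remove the three copies and keep the rule in one place. `action.downcase` in the Runner branch is also redundant now that `check` has already rejected anything outside the lowercase `valid_actions` list. `check` starts before and ends after this hunk, so the helper below would sit after its `end`.
```ruby
      when "Experiment"
        is_authorized = contributor_allows?(object, user, false)

      when "TavernaEnactor", "Runner"
        is_authorized = contributor_allows?(object, user, ['edit', 'destroy'].include?(action))

      when "Job"
        is_authorized = contributor_allows?(object.experiment, user, false)

# … unchanged: remaining branches of check …

  # Shared ownership rule for enactment objects (experiments, jobs, runners):
  # a User contributor must be the user; a Network contributor must have the
  # user as a member, or as an owner when owner_required is true.  Anonymous
  # users are never allowed.
  def self.contributor_allows?(owned, user, owner_required)
    return false if user.nil?

    case owned.contributor_type.to_s
    when "User"
      owned.contributor_id.to_i == user.id.to_i
    when "Network"
      owner_required ? owned.contributor.owner?(user.id) : owned.contributor.member?(user.id)
    else
      false
    end
  end
```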
@@ -504,7 +211,7 @@
      
           when "edit"
             # the owner of the content type can edit
-            is_authorized = !user.nil? && thing_instance.user_id == user_id
+            is_authorized = !user.nil? && object.user == user
 
           when "destroy"
             # noone can destroy them yet - they just fade away from view
@@ -521,11 +228,11 @@
 
           when "edit"
             # the owner of a user record can edit
-            is_authorized = !user.nil? && user_id == thing_id
+            is_authorized = !user.nil? && user == object
 
           when "destroy"
             # only adminstrators can delete accounts at present
-            is_authorized = user_is_administrator?(user)
+            is_authorized = user && user.admin?
         end
 
       when "Picture"
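Review bot: `is_authorized = user && user.admin?` in the destroy branch yields nil rather than false for an anonymous caller, whereas the edit branch two lines above spells the same guard as `!user.nil? && ...`; callers using the result in `if`/`unless` are unaffected, but anything that serialises it or compares with `== false` would see nil. Suggest `is_authorized = !user.nil? && user.admin?` for consistency with the rest of the dispatch. The enclosing `case` starts and ends outside this hunk.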
@@ -534,366 +241,104 @@
 
           when "view"
             # owner can view all their pictures
-            return true if is_owner?(user_id, thing_instance)
+            return true if object.owner == user
 
             # anyone can view a user's selected pictures
-            is_authorized = thing_instance.selected?
+            is_authorized = object.selected?
 
           when "edit", "destroy"
             # only the owner of a picture can edit/destroy
-            is_authorized = is_owner?(user_id, thing_instance)
+            is_authorized = object.owner == user
         end
 
       when "ClientApplication"
 
-          is_authorized = is_owner?(user_id, thing_instance)
+          is_authorized = object.user == user
 
       when "Ontology"
 
         case action
 
+          when "create"
+            #  Authenticated users can create ontologies
+            is_authorized = !user.nil?
+
           when "view"
             # All users can view
             is_authorized = true
 
           when "edit", "destroy"
             # Users can edit and destroy their own ontologies
-            is_authorized = Authorization.is_owner?(user_id, thing_instance)
+            is_authorized = object.user == user
         end
 
       when "Predicate"
 
         case action
 
+          when "create"
+
+            raise "Context required for authorisation check" unless context
+
+            # Only users that can edit an ontology can add predicates to it
+            return !user.nil? && Authorization.check('edit', context, user)
+
           when "view"
             # All users can view predicates
             is_authorized = true
 
           else
             # All other predicate permissions are inherited from the ontology
-            is_authorized = Authorization.is_authorized?('edit', nil, thing_instance.ontology, user_id)
+            is_authorized = Authorization.check('edit', object.ontology, user)
         end
 
       when "Relationship"
 
         case action
 
+          when "create"
+
+            raise "Context required for authorisation check" unless context
+
+            # Only users that can edit a pack can add relationships to it
+            return !user.nil? && Authorization.check('edit', context, user)
+
           when "view"
             # Users that can view the context can view the relationship
-            is_authorized = Authorization.is_authorized?('view', nil, thing_instance.context, user_id)
+            is_authorized = Authorization.check('view', object.context, user)
 
           else
             # All other relationship permissions depend on edit access to the context
-            is_authorized = Authorization.is_authorized?('edit', nil, thing_instance.context, user_id)
+            is_authorized = Authorization.check('edit', object.context, user)
         end
 
-      else
-        # don't recognise the kind of "thing" that is being authorized, so
-        # we don't specifically know that it needs to be blocked;
-        # therefore, allow any actions on it
-        is_authorized = true
-    end
-    
-    is_authorized
-  end
+      when "PackContributableEntry", "PackRemoteEntry"
 
+        case action
 
-  private
+          when "create"
 
-  def Authorization.categorize_action(action_name)
-    case action_name
-      when 'show', 'index', 'view', 'search', 'favourite', 'favourite_delete', 'comment', 'comment_delete', 'comments', 'comments_timeline', 'rate', 'tag',  'items', 'statistics', 'curation', 'suggestions', 'tag_suggestions', 'extra_metadata', 'read', 'verify'
-        action = ''
-      when 'edit', 'new', 'create', 'update', 'new_version', 'create_version', 'destroy_version', 'edit_version', 'update_version', 'new_item', 'create_item', 'edit_item', 'update_item', 'quick_add', 'resolve_link', 'process_suggestions', 'process_tag_suggestions', 'process_extra_metadata', 'edit_relationships'
-        action = ''
-      when 'download', 'named_download', 'named_download_with_version', 'launch', 'submit_job', 'save_inputs', 'refresh_status', 'rerun', 'refresh_outputs', 'render_output', 'outputs_xml', 'outputs_package', 'galaxy_tool', 'galaxy_tool_download'
-        action = ''
-      when 'destroy', 'delete', 'destroy_item'
-        action = ''
-      when 'execute'
-        # action is available only(?) for runners at the moment;
-        # possibly, "launch" action for workflows should be moved into this category, too
-        action = ''
-      else
-        # unknown action
-        action = ""
-    end
-    
-    return action
-  end
+            raise "Context required for authorisation check" unless context
 
-  # check if the DB holds entry for the "thing" to be authorized 
-  def Authorization.find_thing(thing_type, thing_id)
-    found_instance = nil
-    
-    begin
-      case thing_type
-        when "Workflow", "Blog", "Blob", "Pack"
-          # "find_by_sql" works faster itself PLUS only a subset of all fields is selected;
-          # this is the most frequent query to be executed, hence needs to be optimised
-          found_instance = Contribution.find_by_sql "SELECT contributor_id, contributor_type, policy_id FROM contributions WHERE contributable_id=#{thing_id} AND contributable_type='#{thing_type}'"
-          found_instance = (found_instance.empty? ? nil : found_instance[0]) # if nothing was found - nil; otherwise - first match
-        when "Contribution"
-          # fairly possible that it's going to be a contribution itself, not a contributable
-          found_instance = Contribution.find(thing_id)
-        when "Network"
-          found_instance = Network.find(thing_id)
-        when "Comment"
-          found_instance = Comment.find(thing_id)
-        when "Bookmark"
-          found_instance = Bookmark.find(thing_id)
-        when "Experiment"
-          found_instance = Experiment.find(thing_id)
-        when "Job"
-          found_instance = Job.find(thing_id)
-        when "TavernaEnactor"
-          found_instance = TavernaEnactor.find(thing_id)
-        when "Runner"
-          # the line below doesn't have a typo - "runners" should really be searched in "TavernaEnactor" model
-          found_instance = TavernaEnactor.find(thing_id)
-        when "ContentType"
-          found_instance = ContentType.find(thing_id)
-        when "Picture"
-          found_instance = Picture.find(thing_id)
-        when "ClientApplication"
-          found_instance = ClientApplication.find(thing_id)
-        when "Ontology"
-          found_instance = Ontology.find(thing_id)
-        when "Predicate"
-          found_instance = Predicate.find(thing_id)
-        when "Relationship"
-          found_instance = Relationship.find(thing_id)
-      end
-    rescue ActiveRecord::RecordNotFound
-      # do nothing; makes sure that app won't crash when the required object is not found;
-      # the method will return "nil" anyway, so no need to take any further actions here
-    end
-    
-    return found_instance
-  end
+            # Only users that can edit a pack can add items to it
+            return !user.nil? && Authorization.check('edit', context, user)
 
+          when "edit", "destroy"
+            # Users that can edit the pack can also edit / delete items
+            is_authorized = Authorization.check('edit', object.pack, user)
 
-  # checks if "user" is owner of the "thing"
-  def Authorization.is_owner?(user_id, thing)
-    is_authorized = false
-
-    case thing.class.name
-      when "Contribution"
-        # if owner of the "thing" is the "user" then the "user" is authorized
-        if thing.contributor_type == 'User' && thing.contributor_id == user_id
-          is_authorized = true
-        elsif thing.contributor_type == 'Network'
-          is_authorized = is_network_admin?(user_id, thing.contributor_id)
         end
-      when "Comment"
-        is_authorized = (thing.user_id == user_id)
-      when "Bookmark"
-        is_authorized = (thing.user_id == user_id)
-      when "Picture"
-        is_authorized = (thing.user_id == user_id)
-      when "ClientApplication"
-        is_authorized = (thing.user_id == user_id)
-      when "Ontology"
-        is_authorized = (thing.user_id == user_id)
-      #else
-        # do nothing -- unknown "thing" types are not authorized by default 
-    end
 
-    return is_authorized
-  end
-  
-  # checks if "user" is admin of the policy associated with the "thing"
-  def Authorization.is_policy_admin?(policy, user_id)
-    # if anonymous user or no policy provided - definitely not policy admin
-    return false unless (policy && user_id)
-    
-    return(policy.contributor_type == 'User' && policy.contributor_id == user_id)
-  end
-  
-  
-  def Authorization.is_network_admin?(user_id, network_id)
-
-    return false unless user_id
-
-    # checks if there is a network with ID(network_id) which has admin with ID(user_id) -
-    # if found, user with ID(user_id) is an admin of that network 
-    network = Network.find_by_sql "SELECT user_id FROM networks WHERE id=#{network_id} AND user_id=#{user_id}"
-    return(!network.blank?)
-  end
-  
-  
-  def Authorization.is_network_member?(user_id, network_id)
-
-    return false unless user_id
-
-    # checks if user with ID(user_id) is a member of the group ID(network_id)
-    membership = Membership.find_by_sql "SELECT id FROM memberships WHERE user_id=#{user_id} AND network_id=#{network_id} AND user_established_at IS NOT NULL AND network_established_at IS NOT NULL"
-    return(!membership.blank?)
-  end
-  
-  
-  # checks if two users are friends
-  def Authorization.is_friend?(contributor_id, user_id)
-    friendship = Friendship.find_by_sql "SELECT id FROM friendships WHERE ((user_id=#{contributor_id} AND friend_id=#{user_id}) OR (user_id=#{user_id} AND friend_id=#{contributor_id})) AND accepted_at IS NOT NULL"
-    return(!friendship.blank?)
-  end
-  
-  
-  # gets the user object from the user_id;
-  # used by is_authorized when calling model.authorized? method for classes that don't use policy-based authorization
-  def Authorization.get_user(user_id)
-    return nil if user_id == 0
-    
-    begin
-      user = User.find(:first, :conditions => ["id = ?", user_id])
-      return user
-    rescue ActiveRecord::RecordNotFound
-      # user not found, "nil" for anonymous user will be returned
-      return nil
+      else
+        # don't recognise the kind of object that is being authorized, so
+        # we don't specifically know that it needs to be blocked;
+        # therefore, allow any actions on it
+        is_authorized = true
     end
-  end
-  
-  
-  # query database for relevant fields in policies table
-  #
-  # Parameters:
-  # 1) policy_id - ID of the policy to find in the DB;
-  # 2) thing_contribution - Contribution object for the "thing" that is being authorized;
-  def Authorization.get_policy(policy_id, thing_contribution)
-    unless policy_id.blank?
-      select_string = 'id, contributor_id, contributor_type, share_mode, update_mode'
-      policy_array = Policy.find_by_sql "SELECT #{select_string} FROM policies WHERE policies.id=#{policy_id}"
-      
-      # if nothing's found, use the default policy
-      policy = (policy_array.blank? ? get_default_policy(thing_contribution) : policy_array[0])
-    else
-      # if the "policy_id" turns out unknown, use default policy
-      policy = get_default_policy(thing_contribution)
-    end
     
-    return policy
+    is_authorized
   end
-  
-  
-  # if a policy instance not found to be associated with the Contribution of a "thing", use a default one
-  def Authorization.get_default_policy(thing_contribution)
-    # an unlikely event that contribution doesn't have a policy - need to use
-    # default one; "owner" of the contribution will be treated as policy admin
-    #
-    # the following is slow, but given the very rare execution can be kept
-    begin
-      # thing_contribution is Contribution, so thing_contribution.contributor is the original uploader == owner of the item
-      contributor = eval("#{thing_contribution.contributor_type}.find(#{thing_contribution.contributor_id})")
-      policy = Policy._default(contributor)
-      return policy
-    rescue ActiveRecord::RecordNotFound => e
-      # original contributor not found, but the Contribution entry still exists -
-      # this is an error in associations then, because all dependent items
-      # should have been deleted along with the contributor entry; log the error
-      Rails.logger.error("UNEXPECTED ERROR - Contributor object missing for an existing contribution: (#{thing_contribution.class.name}, #{thing_contribution.id})")
-      Rails.logger.error("EXCEPTION:" + e)
-      return nil
-    end
-  end
-  
-  
-  # get all user permissions related to policy for the "thing" for "user"
-  def Authorization.get_user_permissions(user_id, policy_id)
-    unless user_id.blank? || policy_id.blank?
-      select_string = 'contributor_id, download, edit, view'
-      Permission.find_by_sql "SELECT #{select_string} FROM permissions WHERE policy_id=#{policy_id} AND contributor_type='User' AND contributor_id=#{user_id}"
-    else
-      # an empty array to be returned has the same effect as if no permissions were found anyway
-      return []
-    end
-  end
-  
-  
-  # get all group permissions related to policy for the "thing"
-  def Authorization.get_group_permissions(policy_id)
-    unless policy_id.blank?
-      select_string = 'contributor_id, download, edit, view'
-      Permission.find_by_sql "SELECT #{select_string} FROM permissions WHERE policy_id=#{policy_id} AND contributor_type='Network'"
-    else
-      # an empty array to be returned has the same effect as if no permissions were found anyway
-      return []
-    end
-  end
-  
 
-  # checks whether "user" is authorized for "action" on "thing"
-  def Authorization.authorized_by_policy?(policy, thing_contribution, action, user_id)
-    is_authorized = false
-    
-    # NB! currently myExperiment won't support objects owned by entities other than users
-    # (especially, policy checks are not agreed for these cases - however, owner tests and
-    #  permission tests are possible and will be carried out)
-    unless thing_contribution.contributor_type == "User"
-      return false
-    end
-    
-    ####################################################################################
-    #
-    # For details on what each sharing / updating mode means, see the wiki:
-    # http://wiki.myexperiment.org/index.php/Developer:Ownership_Sharing_and_Permissions
-    #
-    ####################################################################################
-    share_mode = policy.share_mode
-    update_mode = policy.update_mode
-
-    case action
-      when 'view'
-        if (share_mode == 0 || share_mode == 1 || share_mode == 2)
-          # if share mode is 0,1,2, anyone can view
-          is_authorized = true
-        elsif !user_id.nil? && (share_mode == 3 || share_mode == 4 || update_mode == 1)
-          # if share mode is 3,4, friends can view; AND friends can also view if update mode is 1 -- due to cascading permissions
-          is_authorized = is_friend?(thing_contribution.contributor_id, user_id)
-        end
-        
-      when 'download'
-        if (share_mode == 0)
-          # if share mode is 0, anyone can download
-          is_authorized = true
-        elsif !user_id.nil? && (share_mode == 1 || share_mode == 3 || update_mode == 1)
-          # if share mode is 1,3, friends can download; AND if update mode is 1, friends can download too -- due to cascading permissions
-          is_authorized = is_friend?(thing_contribution.contributor_id, user_id)
-        end
-      when 'edit'
-        if (update_mode == 0 && share_mode == 0)
-          # if update mode is 0, anyone with view & download permissions can edit (sharing mode 0 for anonymous)
-          is_authorized = true
-        elsif !user_id.nil? && (update_mode == 1 || (update_mode == 0 && (share_mode == 1 || share_mode == 3)))
-          # if update mode is 1, friends can edit; AND if update mode is 0 and friends have view & download permissions, they can edit
-          is_authorized = is_friend?(thing_contribution.contributor_id, user_id)
-        end
-    end
-
-    return is_authorized
-  end
-  
-  
-  # checks if a permission instance allows certain action taking into account cascading permissions
-  #
-  # NB! caller of this method *assumes* that the permission belongs to the user, for which
-  #     authorization is performed  
-  def Authorization.permission_allows_action?(action, permission)
-    # check that a permission instance was supplied
-    return false unless permission
-    
-    case action
-      when "view"
-        return (permission.attributes["view"] || permission.attributes["download"] || permission.attributes["edit"])
-      when "download"
-        return (permission.attributes["download"] || permission.attributes["edit"])
-      when "edit"
-        return permission.attributes["edit"]
-      else
-        # any other type of action is not allowed by permissions
-        return false
-    end
-  end
-
   def self.scoped(model, opts = {})
 
     def self.view_conditions(user_id, friends, networks)
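Review bot: The fallback `else` at the end of the type dispatch (`is_authorized = true` for any object class the method does not recognise) makes the authoriser fail open, so any model handed to `Authorization.check` that is not listed — a `Workflow::Version` as passed from lib/maintenance/backup.rb in this commit, or any future model — is authorised for every action for every caller, anonymous included. An authorisation routine should fail closed; suggest `Rails.logger.warn("Authorization.check: unknown type #{object.class.name}"); is_authorized = false`, with any type that genuinely needs blanket access listed explicitly. Separately, the ClientApplication, Ontology and Picture branches compare `object.user == user` / `object.owner == user` with no nil guard, so an anonymous caller (user nil) against a record whose owner association is missing would compare nil to nil and be authorised; the ContentType branch shows the intended form, `!user.nil? && object.user == user`. The `Authorization.check` method these branches belong to starts outside this hunk.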
@@ -967,7 +412,7 @@
     # not support authorization in themselves but by association with the
     # taggable association.
     #
-    # In thie case, :auth_type would be "taggings.taggable_type" and :auth_id
+    # In this case, :auth_type would be "taggings.taggable_type" and :auth_id
     # authorize would be "taggings.taggable_id".
 
     auth_id   = opts.delete(:auth_id)   || "#{model.table_name}.id"
@@ -983,15 +428,20 @@
 
     # Include the effective permissions in the result?
 
-    if opts.delete(:include_permissions)
+    include_permissions = opts.delete(:include_permissions)
+    permissions_only    = opts.delete(:permissions_only)
 
-      opts[:select] = "#{model.table_name}.*"
+    select_parts = []
 
-      opts[:select] << ", BIT_OR(#{view_conditions(user_id, friends, networks)})     AS view_permission"
-      opts[:select] << ", BIT_OR(#{download_conditions(user_id, friends, networks)}) AS download_permission"
-      opts[:select] << ", BIT_OR(#{edit_conditions(user_id, friends, networks)})     AS edit_permission"
+    select_parts << "#{model.table_name}.*" if include_permissions
+
+    if include_permissions || permissions_only
+      select_parts << "BIT_OR(#{view_conditions(user_id, friends, networks)})     AS view_permission"
+      select_parts << "BIT_OR(#{download_conditions(user_id, friends, networks)}) AS download_permission"
+      select_parts << "BIT_OR(#{edit_conditions(user_id, friends, networks)})     AS edit_permission"
     end
 
+    opts[:select] = select_parts.join(", ") unless select_parts.empty?
     opts[:conditions] = view_conditions(user_id, friends, networks)
     opts[:group] ||= 'contributions.contributable_type, contributions.contributable_id'
     opts[:joins] = joins

Modified: trunk/lib/maintenance/backup.rb (3088 => 3089)


--- trunk/lib/maintenance/backup.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/lib/maintenance/backup.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -109,7 +109,7 @@
       content_blob_ids = 
 
         (Workflow.find(:all) + Workflow::Version.find(:all) + Blob.find(:all)).select do |x|
-          Authorization.is_authorized?('view', nil, x, nil)
+          Authorization.check('view', x, nil)
         end.map do |x|
           x.content_blob_id
         end
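Review bot: `Workflow::Version` records are passed straight to `Authorization.check('view', x, nil)` here, while the hunk below resolves versions to `wv.workflow` before checking; unless `check` has a branch for versions (the dispatch rewritten in this commit does not appear to, and its unknown-type default authorises everything), the content blobs of every workflow version would be swept into the public backup regardless of the parent workflow's sharing policy. Suggest checking the parent: `Authorization.check('view', x.is_a?(Workflow::Version) ? x.workflow : x, nil)`. The `content_blob_ids` assignment continues outside this hunk.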
@@ -178,14 +178,14 @@
       cmd = "tar czf address@hidden"
 
       Workflow.find(:all).select do |w|
-        if Authorization.is_authorized?('view', nil, w, nil)
+        if Authorization.check('view', w, nil)
           add_path("public/workflow/image/#{w.id}", cmd)
           add_path("public/workflow/svg/#{w.id}",   cmd)
         end
       end
 
       Workflow::Version.find(:all).select do |wv|
-        if Authorization.is_authorized?('view', nil, wv.workflow, nil)
+        if Authorization.check('view', wv.workflow, nil)
           add_path("public/workflow/version/image/#{wv.id}", cmd)
           add_path("public/workflow/version/svg/#{wv.id}",   cmd)
         end

Modified: trunk/lib/rest.rb (3088 => 3089)


--- trunk/lib/rest.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/lib/rest.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -163,7 +163,7 @@
   permission = model_data['Permission'][i]
 
   if permission
-    return nil if !Authorization.is_authorized?(permission, nil, ob, user)
+    return nil if !Authorization.check(permission, ob, user)
   end
 
   return nil if elements.nil? || elements[model_data['REST Attribute'][i]].nil?
@@ -196,7 +196,7 @@
 
         # filter out things that the user cannot see
         collection = collection.select do |c|
-          not c.respond_to?('contribution') or Authorization.is_authorized?("view", nil, c, user)
+          not c.respond_to?('contribution') or Authorization.check("view", c, user)
         end
 
         collection.each do |item|
@@ -438,7 +438,7 @@
 
   case rules['Permission']
     when 'public'; # do nothing
-    when 'view';  return rest_response(401, :reason => "Not authorised") if not Authorization.is_authorized?("show", nil, perm_ob, user)
+    when 'view';  return rest_response(401, :reason => "Not authorised") if not Authorization.check("view", perm_ob, user)
     when 'owner'; return rest_response(401, :reason => "Not authorised") if logged_in?.nil? or object_owner(perm_ob) != user
   end
 
@@ -457,7 +457,7 @@
 
     results.select do |result|
 
-      selected = Authorization.is_authorized?('view', nil, result, user)
+      selected = Authorization.check('view', result, user)
 
       if selected
         filters.each do |attribute, bits|
@@ -854,7 +854,7 @@
 
   resource = cl.find_by_id(id)
 
-  return nil if !Authorization.is_authorized?('view', nil, resource, user)
+  return nil if !Authorization.check('view', resource, user)
 
   resource
 end
@@ -878,7 +878,7 @@
   return nil if resource.nil?
 
   if permission
-    return nil if !Authorization.is_authorized?(permission, nil, resource, user)
+    return nil if !Authorization.check(permission, resource, user)
   end
 
   resource
@@ -903,7 +903,7 @@
   end
 
   if permission
-    if !Authorization.is_authorized?(permission, nil, resource, user)
+    if !Authorization.check(permission, resource, user)
       return [nil, rest_response(401, :reason => "Not authorised for #{type} #{id}")]
     end
   end
@@ -923,7 +923,7 @@
 
   return rest_response(404, :reason => "The specified resource does not exist") if ob.nil?
 
-  return rest_response(401, :reason => "Not authorised for the specified resource") if !Authorization.is_authorized?('view', nil, ob, opts[:user])
+  return rest_response(401, :reason => "Not authorised for the specified resource") if !Authorization.check('view', ob, opts[:user])
 
   rest_response(307, :location => rest_access_uri(ob))
 end
@@ -980,13 +980,13 @@
 
   case action
     when 'create':
-      return rest_response(401, :reason => "Not authorised to create a workflow") unless Authorization.is_authorized_for_type?('create', 'Workflow', opts[:user], nil)
+      return rest_response(401, :reason => "Not authorised to create a workflow") unless Authorization.check('create', Workflow, opts[:user], nil)
       if opts[:query]['id']
         ob, error = obtain_rest_resource('Workflow', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
       else
         ob = Workflow.new(:contributor => opts[:user])
       end
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
       ob, error = obtain_rest_resource('Workflow', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
     else
       raise "Invalid action '#{action}'"
@@ -1124,7 +1124,7 @@
 end
 
 def put_workflow(opts)
-  workflow_aux('update', opts)
+  workflow_aux('edit', opts)
 end
 
 def delete_workflow(opts)
@@ -1139,13 +1139,13 @@
 
   case action
     when 'create':
-      return rest_response(401, :reason => "Not authorised to create a file") unless Authorization.is_authorized_for_type?('create', 'Blob', opts[:user], nil)
+      return rest_response(401, :reason => "Not authorised to create a file") unless Authorization.check('create', Blob, opts[:user], nil)
       if opts[:query]['id']
         ob, error = obtain_rest_resource('Blob', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
       else
         ob = Blob.new(:contributor => opts[:user])
       end
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
       ob, error = obtain_rest_resource('Blob', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
     else
       raise "Invalid action '#{action}'"
@@ -1252,7 +1252,7 @@
 end
 
 def put_file(opts)
-  file_aux('update', opts)
+  file_aux('edit', opts)
 end
 
 def delete_file(opts)
@@ -1267,9 +1267,9 @@
 
   case action
     when 'create':
-      return rest_response(401, :reason => "Not authorised to create a pack") unless Authorization.is_authorized_for_type?('create', 'Pack', opts[:user], nil)
+      return rest_response(401, :reason => "Not authorised to create a pack") unless Authorization.check('create', Pack, opts[:user], nil)
       ob = Pack.new(:contributor => opts[:user])
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
       ob, error = obtain_rest_resource('Pack', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
     else
       raise "Invalid action '#{action}'"
@@ -1315,7 +1315,7 @@
 end
 
 def put_pack(opts)
-  pack_aux('update', opts)
+  pack_aux('edit', opts)
 end
 
 def delete_pack(opts)
@@ -1340,9 +1340,9 @@
   case action
     when 'create':
 
-      return rest_response(401, :reason => "Not authorised to create an external pack item") unless Authorization.is_authorized_for_type?('create', 'PackRemoteEntry', opts[:user], pack)
+      return rest_response(401, :reason => "Not authorised to create an external pack item") unless Authorization.check('create', PackRemoteEntry, opts[:user], pack)
       return rest_response(400, :reason => "Pack not found") if pack.nil?
-      return rest_response(401, :reason => "Not authorised to change the specified pack") unless Authorization.is_authorized?('edit', nil, pack, opts[:user])
+      return rest_response(401, :reason => "Not authorised to change the specified pack") unless Authorization.check('edit', pack, opts[:user])
 
       ob = PackRemoteEntry.new(:user => opts[:user],
           :pack          => pack,
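Review bot: The create-permission check at the top of the `create` branch now passes `pack` as the context before the `pack.nil?` guard on the following line, and the PackRemoteEntry `create` branch of `Authorization.check` raises "Context required for authorisation check" on a nil context, so a request naming a missing pack would now surface as a 500 instead of the intended 400 "Pack not found". Swap the two lines so the nil check runs first. The `case action` this belongs to starts outside this hunk.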
@@ -1351,12 +1351,12 @@
           :alternate_uri => alternate_uri,
           :comment       => comment)
 
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
 
       ob, error = obtain_rest_resource('PackRemoteEntry', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
 
       if ob
-        return rest_response(401, :reason => "Not authorised to change the specified pack") unless Authorization.is_authorized?('edit', nil, ob.pack, opts[:user])
+        return rest_response(401, :reason => "Not authorised to change the specified pack") unless Authorization.check('edit', ob.pack, opts[:user])
       end
 
     else
@@ -1389,7 +1389,7 @@
 end
 
 def put_external_pack_item(opts)
-  external_pack_item_aux('update', opts)
+  external_pack_item_aux('edit', opts)
 end
 
 def delete_external_pack_item(opts)
@@ -1412,23 +1412,18 @@
   case action
     when 'create':
 
-      return rest_response(401, :reason => "Not authorised to create an internal pack item") unless Authorization.is_authorized_for_type?('create', 'PackContributableEntry', opts[:user], pack)
+      return rest_response(401, :reason => "Not authorised to create an internal pack item") unless Authorization.check('create', PackContributableEntry, opts[:user], pack)
       return rest_response(400, :reason => "Pack not found") if pack.nil?
-      return rest_response(401, :reason => "Not authorised to change the specified pack") unless Authorization.is_authorized?('edit', nil, pack, opts[:user])
 
       ob = PackContributableEntry.new(:user => opts[:user],
           :pack          => pack,
           :contributable => item,
           :comment       => comment)
 
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
 
       ob, error = obtain_rest_resource('PackContributableEntry', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
 
-      if ob
-        return rest_response(401, :reason => "Not authorised to change the specified pack") unless Authorization.is_authorized?('edit', nil, ob.pack, opts[:user])
-      end
-
     else
       raise "Invalid action '#{action}'"
   end
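Review bot: Dropping the explicit `Authorization.check('edit', ob.pack, ...)` for the view/edit/destroy branch leaves authorisation of an internal pack item entirely to `obtain_rest_resource` with the action name, and the PackContributableEntry dispatch added in this commit has branches only for `create`, `edit` and `destroy`; a `view` request therefore gets whatever `is_authorized` was initialised to before that `case`, which is not visible here. Add a `when "view"` there (for example delegating to `Authorization.check('view', object.pack, user)`) or keep the explicit check. As with external items, the create-permission check at the start of the `create` branch runs with `pack` possibly nil before the "Pack not found" guard, and `check` raises on a nil context, so those two lines should be swapped. The `case action` starts outside this hunk.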
@@ -1456,7 +1451,7 @@
 end
 
 def put_internal_pack_item(opts)
-  internal_pack_item_aux('update', opts)
+  internal_pack_item_aux('edit', opts)
 end
 
 def delete_internal_pack_item(opts)
@@ -1483,9 +1478,9 @@
 #   runner     = TavernaEnactor.find_by_id(runner_bits[1].to_i)
 #   runnable   = Workflow.find_by_id(runnable_bits[1].to_i)
 #
-#   return rest_response(400) if experiment.nil? or not Authorization.is_authorized?('edit', nil, experiment, opts[:user])
-#   return rest_response(400) if runner.nil?     or not Authorization.is_authorized?('download', nil, runner, opts[:user])
-#   return rest_response(400) if runnable.nil?   or not Authorization.is_authorized?('view', nil, runnable, opts[:user])
+#   return rest_response(400) if experiment.nil? or not Authorization.check('edit', experiment, opts[:user])
+#   return rest_response(400) if runner.nil?     or not Authorization.check('download', runner, opts[:user])
+#   return rest_response(400) if runnable.nil?   or not Authorization.check('view', runnable, opts[:user])
 #
 #   puts "#{params[:job]}"
 #
@@ -1541,7 +1536,7 @@
 
       obs = model.find(:all, :conditions => ['id >= ? AND id <= ?', bits[2], bits[3]])
 
-      obs = (obs.select do |c| c.respond_to?('contribution') == false or Authorization.is_authorized?("view", nil, c, opts[:user]) end)
+      obs = (obs.select do |c| c.respond_to?('contribution') == false or Authorization.check("view", c, opts[:user]) end)
 
       return produce_rest_list(opts[:req_uri], opts[:rules], opts[:query], obs, 'search', {}, opts[:user])
     end
@@ -1622,7 +1617,7 @@
 def workflow_count(opts)
   
   workflows = Workflow.find(:all).select do |w|
-    Authorization.is_authorized?('view', nil, w, opts[:user])
+    Authorization.check('view', w, opts[:user])
   end
 
   root = LibXML::XML::Node.new('workflow-count')
@@ -1637,7 +1632,7 @@
 def pack_count(opts)
   
   packs = Pack.find(:all).select do |p|
-    Authorization.is_authorized?('view', nil, p, opts[:user])
+    Authorization.check('view', p, opts[:user])
   end
 
   root = LibXML::XML::Node.new('pack-count')
@@ -1669,7 +1664,7 @@
   obs = tag ? tag.tagged : []
 
   # filter out ones they are not allowed to get
-  obs = (obs.select do |c| c.respond_to?('contribution') == false or Authorization.is_authorized?("index", nil, c, opts[:user]) end)
+  obs = (obs.select do |c| c.respond_to?('contribution') == false or Authorization.check("view", c, opts[:user]) end)
 
   produce_rest_list("tagged", opts[:rules], opts[:query], obs, 'tagged', [], opts[:user])
 end
@@ -1773,7 +1768,7 @@
   privileges = LibXML::XML::Node.new('privileges')
 
   ['view', 'download', 'edit'].each do |type|
-    if Authorization.is_authorized?(type, nil, ob, user) 
+    if Authorization.check(type, ob, user) 
       privilege = LibXML::XML::Node.new('privilege')
       privilege['type'] = type
 
@@ -1788,14 +1783,22 @@
 
 def comment_aux(action, opts)
 
+  unless action == "destroy"
+
+    data = ""
+
+    comment = parse_element(data, :text,     '/comment/comment')
+    subject = parse_element(data, :resource, '/comment/subject')
+  end
+
   # Obtain object
 
   case action
     when 'create':
-      return rest_response(401, :reason => "Not authorised to create a comment") unless Authorization.is_authorized_for_type?('create', 'Comment', opts[:user], nil)
+      return rest_response(401, :reason => "Not authorised to create a comment") unless Authorization.check('create', Comment, opts[:user], subject)
 
       ob = Comment.new(:user => opts[:user])
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
       ob, error = obtain_rest_resource('Comment', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
     else
       raise "Invalid action '#{action}'"
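Review bot: The create check on the `when 'create'` line now passes `subject` to `Authorization.check` before the `[Blob, Network, Pack, Workflow].include?(subject.class)` guard that only runs later in the `else` branch, so an unsupported resource type reaches the authorization scope first and the 400 "does not support comments" response is no longer guaranteed to be what the caller sees. Moving the class check up, e.g. `return rest_response(400, :reason => "Specified resource does not support comments") if subject && ![Blob, Network, Pack, Workflow].include?(subject.class)` right after `subject` is parsed, keeps the input validation ahead of the permission decision; whether `check` tolerates a `nil` or arbitrary-class `subject` is not visible here and should be confirmed. The same ordering appears in favourite_aux (create check vs. the later `[Blob, Pack, Workflow]` guard) and rating_aux (create check vs. the later `[Blob, Network, Pack, Workflow]` guard). The later `Authorization.check(action, Comment, opts[:user], subject)` is now an exact repeat of the create check for `action == 'create'`, which is harmless but worth a one-line comment saying it is there for `edit`. comment_aux continues outside this hunk.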
@@ -1809,16 +1812,11 @@
 
   else
 
-    data = ""
-
-    comment = parse_element(data, :text,     '/comment/comment')
-    subject = parse_element(data, :resource, '/comment/subject')
-
     ob.comment = comment if comment
 
     if subject
       return rest_response(400, :reason => "Specified resource does not support comments") unless [Blob, Network, Pack, Workflow].include?(subject.class)
-      return rest_response(401, :reason => "Not authorised to add a comment to the specified resource") unless Authorization.is_authorized_for_type?(action, 'Comment', opts[:user], subject)
+      return rest_response(401, :reason => "Not authorised to add a comment to the specified resource") unless Authorization.check(action, Comment, opts[:user], subject)
       ob.commentable = subject
     end
 
@@ -1902,7 +1900,7 @@
 end
 
 def put_comment(opts)
-  comment_aux('update', opts)
+  comment_aux('edit', opts)
 end
 
 def delete_comment(opts)
@@ -1913,14 +1911,21 @@
 
 def favourite_aux(action, opts)
 
+  unless action == "destroy"
+
+    data = ""
+
+    target = parse_element(data, :resource, '/favourite/object')
+  end
+
   # Obtain object
 
   case action
     when 'create':
-      return rest_response(401, :reason => "Not authorised to create a favourite") unless Authorization.is_authorized_for_type?('create', 'Bookmark', opts[:user], nil)
+      return rest_response(401, :reason => "Not authorised to create a favourite") unless Authorization.check('create', Bookmark, opts[:user], target)
 
       ob = Bookmark.new(:user => opts[:user])
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
       ob, error = obtain_rest_resource('Bookmark', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
     else
       raise "Invalid action '#{action}'"
@@ -1934,13 +1939,9 @@
 
   else
 
-    data = ""
-
-    target = parse_element(data, :resource, '/favourite/object')
-
     if target
       return rest_response(400, :reason => "Specified resource is not a valid favourite target") unless [Blob, Pack, Workflow].include?(target.class)
-      return rest_response(401, :reason => "Not authorised to create the favourite") unless Authorization.is_authorized_for_type?(action, 'Bookmark', opts[:user], target)
+      return rest_response(401, :reason => "Not authorised to create the favourite") unless Authorization.check(action, Bookmark, opts[:user], target)
       ob.bookmarkable = target
     end
 
@@ -1955,7 +1956,7 @@
 end
 
 def put_favourite(opts)
-  favourite_aux('update', opts)
+  favourite_aux('edit', opts)
 end
 
 def delete_favourite(opts)
@@ -1966,14 +1967,22 @@
 
 def rating_aux(action, opts)
 
+  unless action == "destroy"
+
+    data = ""
+
+    rating  = parse_element(data, :text,     '/rating/rating')
+    subject = parse_element(data, :resource, '/rating/subject')
+  end
+
   # Obtain object
 
   case action
     when 'create':
-      return rest_response(401, :reason => "Not authorised to create a rating") unless Authorization.is_authorized_for_type?('create', 'Rating', opts[:user], nil)
+      return rest_response(401, :reason => "Not authorised to create a rating") unless Authorization.check('create', Rating, opts[:user], subject)
 
       ob = Rating.new(:user => opts[:user])
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
       ob, error = obtain_rest_resource('Rating', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
     else
       raise "Invalid action '#{action}'"
@@ -1987,16 +1996,11 @@
 
   else
 
-    data = ""
-
-    rating  = parse_element(data, :text,     '/rating/rating')
-    subject = parse_element(data, :resource, '/rating/subject')
-
     ob.rating = rating if rating
 
     if subject
       return rest_response(400, :reason => "Specified resource does not support ratings") unless [Blob, Network, Pack, Workflow].include?(subject.class)
-      return rest_response(401, :reason => "Not authorised for the specified resource") unless Authorization.is_authorized_for_type?(action, 'Rating', opts[:user], subject)
+      return rest_response(401, :reason => "Not authorised for the specified resource") unless Authorization.check(action, Rating, opts[:user], subject)
       ob.rateable = subject
     end
 
@@ -2011,7 +2015,7 @@
 end
 
 def put_rating(opts)
-  rating_aux('update', opts)
+  rating_aux('edit', opts)
 end
 
 def delete_rating(opts)
@@ -2022,14 +2026,23 @@
 
 def tagging_aux(action, opts)
 
+  unless action == "destroy"
+
+    data = ""
+
+    subject = parse_element(data, :resource, '/tagging/subject')
+    label   = parse_element(data, :text,     '/tagging/label')
+    tag     = parse_element(data, :resource, '/tagging/tag')
+  end
+
   # Obtain object
 
   case action
     when 'create':
-      return rest_response(401, :reason => "Not authorised to create a tagging") unless Authorization.is_authorized_for_type?('create', 'Tagging', opts[:user], nil)
+      return rest_response(401, :reason => "Not authorised to create a tagging") unless Authorization.check('create', Tagging, opts[:user], subject)
 
       ob = Tagging.new(:user => opts[:user])
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
       ob, error = obtain_rest_resource('Tagging', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
     else
       raise "Invalid action '#{action}'"
@@ -2043,17 +2056,11 @@
 
   else
 
-    data = ""
-
-    subject = parse_element(data, :resource, '/tagging/subject')
-    label   = parse_element(data, :text,     '/tagging/label')
-    tag     = parse_element(data, :resource, '/tagging/tag')
-
     ob.label    = label   if label
     ob.tag      = tag     if tag
 
     if subject
-      return rest_response(401, :reason => "Not authorised for the specified resource") unless Authorization.is_authorized_for_type?(action, 'Rating', opts[:user], subject)
+      return rest_response(401, :reason => "Not authorised for the specified resource") unless Authorization.check(action, Rating, opts[:user], subject)
       ob.taggable = subject
     end
 
@@ -2079,9 +2086,9 @@
 
   case action
     when 'create':
-      return rest_response(401, :reason => "Not authorised to create an ontology") unless Authorization.is_authorized_for_type?('create', 'Ontology', opts[:user], nil)
+      return rest_response(401, :reason => "Not authorised to create an ontology") unless Authorization.check('create', Ontology, opts[:user], nil)
       ob = Ontology.new(:user => opts[:user])
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
       ob, error = obtain_rest_resource('Ontology', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
     else
       raise "Invalid action '#{action}'"
@@ -2122,7 +2129,7 @@
 end
 
 def put_ontology(opts)
-  ontology_aux('update', opts)
+  ontology_aux('edit', opts)
 end
 
 def delete_ontology(opts)
@@ -2149,9 +2156,9 @@
 
   case action
     when 'create':
-      return rest_response(401, :reason => "Not authorised to create a predicate") unless Authorization.is_authorized_for_type?('create', 'Predicate', opts[:user], ontology)
+      return rest_response(401, :reason => "Not authorised to create a predicate") unless Authorization.check('create', Predicate, opts[:user], ontology)
       ob = Predicate.new
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
       ob, error = obtain_rest_resource('Predicate', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
     else
       raise "Invalid action '#{action}'"
@@ -2186,7 +2193,7 @@
 end
 
 def put_predicate(opts)
-  predicate_aux('update', opts)
+  predicate_aux('edit', opts)
 end
 
 def delete_predicate(opts)
@@ -2211,9 +2218,9 @@
 
   case action
     when 'create':
-      return rest_response(401, :reason => "Not authorised to create a relationship") unless Authorization.is_authorized_for_type?('create', 'Relationship', opts[:user], context)
+      return rest_response(401, :reason => "Not authorised to create a relationship") unless Authorization.check('create', Relationship, opts[:user], context)
       ob = Relationship.new(:user => opts[:user])
-    when 'read', 'update', 'destroy':
+    when 'view', 'edit', 'destroy':
       ob, error = obtain_rest_resource('Relationship', opts[:query]['id'], opts[:query]['version'], opts[:user], action)
     else
       raise "Invalid action '#{action}'"
@@ -2247,7 +2254,7 @@
 end
 
 def put_relationship(opts)
-  relationship_aux('update', opts)
+  relationship_aux('edit', opts)
 end
 
 def delete_relationship(opts)

Modified: trunk/test/functional/api_controller_test.rb (3088 => 3089)


--- trunk/test/functional/api_controller_test.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/test/functional/api_controller_test.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -590,7 +590,7 @@
     assert_equal(rating.rateable, workflow);
     assert_equal(rating.rating, 4);
 
-    # update the rating (which should fail)
+    # update the rating
 
     rest_request(:put, 'rating', "<?xml version='1.0'?>
       <rating>
@@ -601,7 +601,7 @@
     
     rating.reload
 
-    assert_equal(rating.rating, 3);
+    assert_equal(3, rating.rating);
 
     # delete the rating
 

Modified: trunk/test/functional/authorization_test.rb (3088 => 3089)


--- trunk/test/functional/authorization_test.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/test/functional/authorization_test.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -13,156 +13,119 @@
     assert true
   end
 
-  def test_is_owner
-    assert Authorization.is_owner?(users(:john).id, workflows(:workflow_dilbert).contribution)
-  end
-
-  def test_is_not_owner
-    assert !Authorization.is_owner?(users(:jane).id, workflows(:workflow_dilbert).contribution)
-  end
-
-  def test_is_friend
-    assert Authorization.is_friend?(users(:john).id, users(:jane).id)
-  end
-
-  def test_is_not_friend
-    assert !Authorization.is_friend?(users(:john).id, users(:admin).id)
-  end
-
-  def test_is_member_of_group
-    assert Authorization.is_network_member?(users(:john).id, networks(:another_network).id)
-    assert Authorization.is_network_member?(users(:jane).id, networks(:dilbert_appreciation_network).id)
-  end
-
-  def test_is_not_member_of_group
-    assert !Authorization.is_network_member?(users(:admin).id, networks(:dilbert_appreciation_network).id)
-  end
-
   def test_is_owner_authorized_to_view
-    # "thing" referenced by ID and Type; only user_id, not instance supplied
-    assert Authorization.is_authorized?("view", "Blob", blobs(:for_true_policy).id, users(:john).id)
-    
-    # "thing" referenced by ID and Type; user instance supplied
-    assert Authorization.is_authorized?("view", "Blob", blobs(:for_false_policy).id, users(:john))
-    
-    # "thing" supplied as instance; user instance supplied
-    assert Authorization.is_authorized?("view", nil, blobs(:for_protected_policy), users(:john))
-    
-    # "thing" supplied as instance; only user_id, not instance supplied
-    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy), users(:john).id)
+    assert Authorization.check("view", blobs(:for_true_policy), users(:john))
+    assert Authorization.check("view", blobs(:for_false_policy), users(:john))
+    assert Authorization.check("view", blobs(:for_protected_policy), users(:john))
+    assert Authorization.check("view", blobs(:for_public_policy), users(:john))
   end
 
   def test_is_owner_authorized_to_edit
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_true_policy), users(:john))
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), users(:john))
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_protected_policy), users(:john))
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_public_policy), users(:john))
+    assert Authorization.check("edit", blobs(:for_true_policy), users(:john))
+    assert Authorization.check("edit", blobs(:for_false_policy), users(:john))
+    assert Authorization.check("edit", blobs(:for_protected_policy), users(:john))
+    assert Authorization.check("edit", blobs(:for_public_policy), users(:john))
   end
 
   def test_is_owner_authorized_to_download
-    assert Authorization.is_authorized?("download", nil, blobs(:for_true_policy), users(:john))
-    assert Authorization.is_authorized?("download", nil, blobs(:for_false_policy), users(:john))
-    assert Authorization.is_authorized?("download", nil, blobs(:for_protected_policy), users(:john))
-    assert Authorization.is_authorized?("download", nil, blobs(:for_public_policy), users(:john))
+    assert Authorization.check("download", blobs(:for_true_policy), users(:john))
+    assert Authorization.check("download", blobs(:for_false_policy), users(:john))
+    assert Authorization.check("download", blobs(:for_protected_policy), users(:john))
+    assert Authorization.check("download", blobs(:for_public_policy), users(:john))
   end
 
   def test_is_anonymous_authorized_to_view
-    # "anonymous" indicated as a default parameter (not even supplied)
-    assert Authorization.is_authorized?("view", nil, blobs(:for_true_policy))
-    assert !Authorization.is_authorized?("view", nil, blobs(:for_false_policy))
-    assert !Authorization.is_authorized?("view", nil, blobs(:for_protected_policy))
-    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy))
     
-    # "anonymous" indicated as NIL
-    assert Authorization.is_authorized?("view", nil, blobs(:for_true_policy), nil)
-    assert !Authorization.is_authorized?("view", nil, blobs(:for_false_policy), nil)
-    assert !Authorization.is_authorized?("view", nil, blobs(:for_protected_policy), nil)
-    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy), nil)
+    # "anonymous" indicated as nil
+    assert Authorization.check("view", blobs(:for_true_policy), nil)
+    assert !Authorization.check("view", blobs(:for_false_policy), nil)
+    assert !Authorization.check("view", blobs(:for_protected_policy), nil)
+    assert Authorization.check("view", blobs(:for_public_policy), nil)
     
     # "anonymous" indicated as "0" - the same way as AuthenticadSystem module will
     # do for not logged in users
-    assert Authorization.is_authorized?("view", nil, blobs(:for_true_policy), 0)
-    assert !Authorization.is_authorized?("view", nil, blobs(:for_false_policy), 0)
-    assert !Authorization.is_authorized?("view", nil, blobs(:for_protected_policy), 0)
-    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy), 0)
+    assert Authorization.check("view", blobs(:for_true_policy), 0)
+    assert !Authorization.check("view", blobs(:for_false_policy), 0)
+    assert !Authorization.check("view", blobs(:for_protected_policy), 0)
+    assert Authorization.check("view", blobs(:for_public_policy), 0)
   end
 
   def test_is_anonymous_authorized_to_edit
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_true_policy), 0)
-    assert !Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), 0)
-    assert !Authorization.is_authorized?("edit", nil, blobs(:for_protected_policy), 0)
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_public_policy), 0)
+    assert Authorization.check("edit", blobs(:for_true_policy), 0)
+    assert !Authorization.check("edit", blobs(:for_false_policy), 0)
+    assert !Authorization.check("edit", blobs(:for_protected_policy), 0)
+    assert Authorization.check("edit", blobs(:for_public_policy), 0)
   end
 
   def test_is_anonymous_authorized_to_download
-    assert Authorization.is_authorized?("download", nil, blobs(:for_true_policy), nil)
-    assert !Authorization.is_authorized?("download", nil, blobs(:for_false_policy), nil)
-    assert !Authorization.is_authorized?("download", nil, blobs(:for_protected_policy), nil)
-    assert Authorization.is_authorized?("download", nil, blobs(:for_public_policy), nil)
+    assert Authorization.check("download", blobs(:for_true_policy), nil)
+    assert !Authorization.check("download", blobs(:for_false_policy), nil)
+    assert !Authorization.check("download", blobs(:for_protected_policy), nil)
+    assert Authorization.check("download", blobs(:for_public_policy), nil)
   end
 
   def test_is_friend_authorized_to_view
-    assert Authorization.is_authorized?("view", nil, blobs(:for_true_policy), users(:johns_friend))
-    assert !Authorization.is_authorized?("view", nil, blobs(:for_false_policy), users(:johns_friend))
-    assert Authorization.is_authorized?("view", nil, blobs(:for_protected_policy), users(:johns_friend))
-    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy), users(:johns_friend))
+    assert Authorization.check("view", blobs(:for_true_policy), users(:johns_friend))
+    assert !Authorization.check("view", blobs(:for_false_policy), users(:johns_friend))
+    assert Authorization.check("view", blobs(:for_protected_policy), users(:johns_friend))
+    assert Authorization.check("view", blobs(:for_public_policy), users(:johns_friend))
   end
 
   def test_is_friend_authorized_to_edit
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_true_policy), users(:johns_friend))
-    assert !Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), users(:johns_friend))
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_protected_policy), users(:johns_friend))
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_public_policy), users(:johns_friend))
+    assert Authorization.check("edit", blobs(:for_true_policy), users(:johns_friend))
+    assert !Authorization.check("edit", blobs(:for_false_policy), users(:johns_friend))
+    assert Authorization.check("edit", blobs(:for_protected_policy), users(:johns_friend))
+    assert Authorization.check("edit", blobs(:for_public_policy), users(:johns_friend))
   end
 
   def test_is_friend_authorized_to_download
-    assert Authorization.is_authorized?("download", nil, blobs(:for_true_policy), users(:johns_friend))
-    assert !Authorization.is_authorized?("download", nil, blobs(:for_false_policy), users(:johns_friend))
-    assert Authorization.is_authorized?("download", nil, blobs(:for_protected_policy), users(:johns_friend))
-    assert Authorization.is_authorized?("download", nil, blobs(:for_public_policy), users(:johns_friend))
+    assert Authorization.check("download", blobs(:for_true_policy), users(:johns_friend))
+    assert !Authorization.check("download", blobs(:for_false_policy), users(:johns_friend))
+    assert Authorization.check("download", blobs(:for_protected_policy), users(:johns_friend))
+    assert Authorization.check("download", blobs(:for_public_policy), users(:johns_friend))
   end
 
   def test_is_group_authorized_to_view
-    assert Authorization.is_authorized?("view", nil, blobs(:for_true_policy), users(:spare_user))
-    assert !Authorization.is_authorized?("view", nil, blobs(:for_false_policy), users(:spare_user))
-    assert !Authorization.is_authorized?("view", nil, blobs(:for_protected_policy), users(:spare_user))
-    assert Authorization.is_authorized?("view", nil, blobs(:for_public_policy), users(:spare_user))
+    assert Authorization.check("view", blobs(:for_true_policy), users(:spare_user))
+    assert !Authorization.check("view", blobs(:for_false_policy), users(:spare_user))
+    assert !Authorization.check("view", blobs(:for_protected_policy), users(:spare_user))
+    assert Authorization.check("view", blobs(:for_public_policy), users(:spare_user))
   end
 
   def test_is_group_authorized_to_edit
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_true_policy), users(:spare_user))
-    assert !Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), users(:spare_user))
-    assert !Authorization.is_authorized?("edit", nil, blobs(:for_protected_policy), users(:spare_user))
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_public_policy), users(:spare_user))
+    assert Authorization.check("edit", blobs(:for_true_policy), users(:spare_user))
+    assert !Authorization.check("edit", blobs(:for_false_policy), users(:spare_user))
+    assert !Authorization.check("edit", blobs(:for_protected_policy), users(:spare_user))
+    assert Authorization.check("edit", blobs(:for_public_policy), users(:spare_user))
   end
 
   def test_is_group_authorized_to_download
-    assert Authorization.is_authorized?("download", nil, blobs(:for_true_policy), users(:spare_user))
-    assert !Authorization.is_authorized?("download", nil, blobs(:for_false_policy), users(:spare_user))
-    assert !Authorization.is_authorized?("download", nil, blobs(:for_protected_policy), users(:spare_user))
-    assert Authorization.is_authorized?("download", nil, blobs(:for_public_policy), users(:spare_user))
+    assert Authorization.check("download", blobs(:for_true_policy), users(:spare_user))
+    assert !Authorization.check("download", blobs(:for_false_policy), users(:spare_user))
+    assert !Authorization.check("download", blobs(:for_protected_policy), users(:spare_user))
+    assert Authorization.check("download", blobs(:for_public_policy), users(:spare_user))
   end
 
   def test_user_permissions
-    assert Authorization.is_authorized?("view", nil, blobs(:for_false_policy), users(:admin))
-    assert !Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), users(:admin))
-    assert Authorization.is_authorized?("download", nil, blobs(:for_false_policy), users(:admin))
+    assert Authorization.check("view", blobs(:for_false_policy), users(:admin))
+    assert !Authorization.check("edit", blobs(:for_false_policy), users(:admin))
+    assert Authorization.check("download", blobs(:for_false_policy), users(:admin))
   end
 
   def test_group_permissions
-    assert Authorization.is_authorized?("view", nil, blobs(:for_false_policy), users(:jane))
-    assert Authorization.is_authorized?("edit", nil, blobs(:for_false_policy), users(:jane))
+    assert Authorization.check("view", blobs(:for_false_policy), users(:jane))
+    assert Authorization.check("edit", blobs(:for_false_policy), users(:jane))
     
     # in the fixture "view"/"edit" flags are set to TRUE, but "download" is set to FALSE;
     # cascading permissions should provide permission to download in this case
-    assert Authorization.is_authorized?("download", nil, blobs(:for_false_policy), users(:jane))
+    assert Authorization.check("download", blobs(:for_false_policy), users(:jane))
   end
 
   def test_is_authorized_to_destroy
-    assert Authorization.is_authorized?("destroy", nil, blobs(:for_true_policy), users(:john))
-    assert !Authorization.is_authorized?("destroy", nil, blobs(:for_true_policy), users(:jane))
-    assert !Authorization.is_authorized?("destroy", nil, blobs(:for_true_policy), users(:admin))
-    assert !Authorization.is_authorized?("destroy", nil, blobs(:for_true_policy), users(:johns_friend))
-    assert !Authorization.is_authorized?("destroy", nil, blobs(:for_true_policy), users(:spare_user))
+    assert Authorization.check("destroy", blobs(:for_true_policy), users(:john))
+    assert !Authorization.check("destroy", blobs(:for_true_policy), users(:jane))
+    assert !Authorization.check("destroy", blobs(:for_true_policy), users(:admin))
+    assert !Authorization.check("destroy", blobs(:for_true_policy), users(:johns_friend))
+    assert !Authorization.check("destroy", blobs(:for_true_policy), users(:spare_user))
   end
 end
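Review bot: test_is_owner, test_is_not_owner, test_is_friend, test_is_not_friend, test_is_member_of_group and test_is_not_member_of_group are removed with no replacement, so if `is_owner?`, `is_friend?` and `is_network_member?` still exist on Authorization they now have no direct coverage, and if they were removed the commit message does not say so; a one-line comment at the top of the class noting that the relationship predicates are covered only indirectly through `check` would make that deliberate. The anonymous cases keep both `nil` and `0` as the user argument (the comment above them says AuthenticatedSystem passes "0"), which is the right thing to keep testing, but `check` handling `0` like `nil` is not visible here and should be confirmed against the implementation. The four previously distinct call forms in test_is_owner_authorized_to_view (id plus type, instance plus user id, and so on) collapse to one form, which is consistent with the new signature, though the now-removed comments were the only place that documented that `check` takes an instance rather than an id.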

Modified: trunk/vendor/plugins/acts_as_taggable_redux/lib/tag.rb (3088 => 3089)


--- trunk/vendor/plugins/acts_as_taggable_redux/lib/tag.rb	2012-08-15 21:52:46 UTC (rev 3088)
+++ trunk/vendor/plugins/acts_as_taggable_redux/lib/tag.rb	2012-08-19 06:51:23 UTC (rev 3089)
@@ -44,7 +44,7 @@
   
   def tagged_auth(user)
     tagged.select do |taggable|
-      Authorization.is_authorized?('view', nil, taggable, user)
+      Authorization.check('view', taggable, user)
     end
   end
 
