Add visible scope for placeholder users (#9042)

pull/9046/head
Oliver Günther 4 years ago committed by GitHub
parent 31b0931892
commit 8122d05a66
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 2
      app/models/placeholder_user.rb
  2. 52
      app/models/placeholder_users/scopes/visible.rb
  3. 9
      lib/api/v3/placeholder_users/placeholder_users_api.rb
  4. 0
      spec/models/placeholder_users/placeholder_user_spec.rb
  5. 68
      spec/models/placeholder_users/scopes/visible_spec.rb
  6. 11
      spec/requests/api/v3/placeholder_users/index_resource_spec.rb
  7. 14
      spec/requests/api/v3/placeholder_users/show_resource_spec.rb
  8. 2
      spec/requests/api/v3/placeholder_users/update_resource_spec.rb

@ -37,6 +37,8 @@ class PlaceholderUser < Principal
include ::Associations::Groupable
scopes :visible
def to_s
lastname
end

@ -0,0 +1,52 @@
#-- encoding: UTF-8
#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) 2012-2021 the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See docs/COPYRIGHT.rdoc for more details.
#++
# Only return placeholders that are visible to the current user.
#
# Either the user has:
# - the global `manage_placeholder_user`
# - or `manage_members` permission in any project,
# - or all principals in visible projects are returned
module PlaceholderUsers::Scopes
module Visible
extend ActiveSupport::Concern
class_methods do
def visible(user = User.current)
if user.allowed_to_globally?(:manage_placeholder_user) ||
user.allowed_to_globally?(:manage_members)
all
else
in_visible_project(user)
end
end
end
end
end
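Review bot: The header comment above `module PlaceholderUsers::Scopes` lists three bullets as if they were alternatives, but the code has two permission checks that both return `all` and one fallback, so the third bullet describes a result rather than a condition. Reword it to `# - the global manage_placeholder_user permission, or` / `# - manage_members in any project (both return all placeholders);` / `# otherwise only placeholders in projects visible to the user are returned.`, which matches the `if`/`else` in `visible`. `in_visible_project` is not defined in this file and presumably comes from `Principal`; a short `# inherited from Principal` note next to the call would save the reader a lookup, assuming that is where it lives.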

@ -31,12 +31,8 @@ module API
module PlaceholderUsers
class PlaceholderUsersAPI < ::API::OpenProjectAPI
resources :placeholder_users do
after_validation do
authorize_any %i[manage_placeholder_user], global: true
end
get &::API::V3::Utilities::Endpoints::Index
.new(model: PlaceholderUser)
.new(model: PlaceholderUser, scope: -> { PlaceholderUser.visible(current_user) })
.mount
post &::API::V3::Utilities::Endpoints::Create
@ -45,7 +41,8 @@ module API
route_param :id, type: Integer, desc: 'Placeholder user ID' do
after_validation do
@placeholder_user = PlaceholderUser.find(params[:id])
authorize_any %i[manage_placeholder_user manage_members], global: true
@placeholder_user = PlaceholderUser.visible.find(params[:id])
end
get &::API::V3::Utilities::Endpoints::Show.new(model: PlaceholderUser).mount
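Review bot: The `resources`-level `after_validation` that enforced `manage_placeholder_user` is removed and only re-added inside `route_param :id`, so the `post` create endpoint below the index no longer has a visible route-level authorization; unless the Create endpoint's contract enforces that permission (not visible in this hunk), confirm it or keep `authorize_any %i[manage_placeholder_user], global: true` for that route. Index and show also diverge: index returns everything in `PlaceholderUser.visible(current_user)` with no permission check, while show first requires `manage_placeholder_user` or `manage_members` globally and only then applies the scope, so a placeholder a user can see in the list through a shared project answers 403 on its detail route; if that is intended it deserves a comment, otherwise the `authorize_any` should go. `PlaceholderUser.visible.find(params[:id])` relies on the `User.current` default while index passes `current_user` explicitly; `@placeholder_user = PlaceholderUser.visible(current_user).find(params[:id])` keeps both paths consistent. The enclosing `resources :placeholder_users` block continues outside the hunk.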

@ -0,0 +1,68 @@
#-- encoding: UTF-8
#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) 2012-2021 the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
# See docs/COPYRIGHT.rdoc for more details.
#++
require 'spec_helper'
describe PlaceholderUsers::Scopes::Visible, type: :model do
describe '.visible' do
shared_let(:project) { FactoryBot.create :project }
shared_let(:other_project) { FactoryBot.create :project }
shared_let(:role) { FactoryBot.create :role, permissions: %i[manage_members] }
shared_let(:other_project_placeholder) { FactoryBot.create :placeholder_user, member_in_project: other_project, member_through_role: role }
shared_let(:global_placeholder) { FactoryBot.create :placeholder_user }
subject { ::PlaceholderUser.visible.to_a }
context 'when user has manage_members permission' do
current_user { FactoryBot.create :user, member_in_project: project, member_through_role: role }
it 'sees all users' do
expect(subject).to match_array [other_project_placeholder, global_placeholder]
end
end
context 'when user has no manage_members permission, but it is in other project' do
current_user { FactoryBot.create :user, member_in_project: other_project, member_with_permissions: %i[view_work_packages] }
it 'sees the other user in the same project' do
expect(subject).to match_array [other_project_placeholder]
end
end
context 'when user has no permission' do
current_user { FactoryBot.create :user }
it 'sees nothing' do
expect(subject).to match_array []
end
end
end
end
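Review bot: None of the three contexts exercises the first branch of `visible`, the global `manage_placeholder_user` permission; all go through `manage_members` or the project fallback. Add a context whose `current_user` holds that global permission (using whatever factory attribute or global role this suite uses for global permissions) and expects `[other_project_placeholder, global_placeholder]`, so a regression in the `||` condition is caught. The example name `'sees all users'` in the first context describes placeholders, so `it 'sees all placeholders'` reads more accurately.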

@ -64,11 +64,16 @@ describe ::API::V3::PlaceholderUsers::PlaceholderUsersAPI,
it_behaves_like 'API V3 collection response', 2, 2, 'PlaceholderUser'
end
describe 'user with manage_members permission' do
let(:project) { FactoryBot.create(:project) }
let(:user) { FactoryBot.create(:user, member_in_project: project, member_with_permissions: %i[manage_members]) }
it_behaves_like 'API V3 collection response', 2, 2, 'PlaceholderUser'
end
describe 'unauthorized user' do
let(:user) { FactoryBot.build(:user) }
it 'returns an erroneous response' do
expect(last_response.status).to eq(403)
end
it_behaves_like 'API V3 collection response', 0, 0, 'PlaceholderUser'
end
end
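Review bot: The `describe 'unauthorized user'` block now asserts an empty collection (`0, 0`) where it previously asserted a 403, judging by the hunk counts, so its name no longer describes what it checks; `describe 'user without access to any placeholder'` (or similar) would make clear the index is filtered by visibility rather than rejected. It would also be worth an explicit `expect(last_response.status).to eq(200)` in that block, since the behaviour change from 403 to 200 is the point of this commit and the shared example may not pin the status.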

@ -62,10 +62,22 @@ describe ::API::V3::PlaceholderUsers::PlaceholderUsersAPI,
it_behaves_like 'represents the placeholder'
end
describe 'user with manage_members permission' do
let(:project) { FactoryBot.create(:project) }
let(:role) { FactoryBot.create :role, permissions: %i[manage_members]}
let(:user) { FactoryBot.create(:user, member_in_project: project, member_through_role: role) }
before do
project.add_member! placeholder, [role]
end
it_behaves_like 'represents the placeholder'
end
describe 'unauthorized user' do
let(:user) { FactoryBot.build(:user) }
it 'returns an erroneous response' do
it 'returns a 403 response' do
expect(last_response.status).to eq(403)
end
end
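Review bot: The added `'user with manage_members permission'` context makes the placeholder a member via `project.add_member! placeholder, [role]`, but the new scope already returns every placeholder to a user with `manage_members` in any project, so that setup does not influence the outcome and may mislead a reader into thinking project membership is what grants access. A context for a user who shares the project with the placeholder but lacks `manage_members` would cover the `in_visible_project` path and document whether the show route is meant to answer 403 there (the route still runs `authorize_any` before the scope). The enclosing `describe` continues outside the hunk.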

@ -69,7 +69,7 @@ describe ::API::V3::PlaceholderUsers::PlaceholderUsersAPI,
describe 'unauthorized user' do
let(:user) { FactoryBot.build(:user) }
it 'returns an erroneous response' do
it 'returns a 403 response' do
expect(last_response.status).to eq(403)
end
end
