defer autoloading permissions

pull/10420/head
ulferts 3 years ago
parent 6ad2713141
commit c794a9249b
No known key found for this signature in database
GPG Key ID: A205708DE1284017
  1. 622
      config/initializers/permissions.rb
  2. 5
      lib/redmine/plugin.rb
  3. 21
      modules/backlogs/lib/open_project/backlogs/engine.rb
  4. 6
      modules/bim/lib/open_project/bim/engine.rb
  5. 16
      modules/dashboards/lib/dashboards/engine.rb
  6. 14
      modules/github_integration/lib/open_project/github_integration/engine.rb
  7. 20
      modules/overviews/lib/overviews/engine.rb
  8. 16
      modules/reporting/lib/open_project/reporting/engine.rb

@ -26,330 +26,330 @@
# See COPYRIGHT and LICENSE files for more details.
#++
require 'open_project/access_control'
OpenProject::AccessControl.map do |map|
map.project_module nil, order: 100 do
map.permission :add_project,
{ projects: %i[new] },
require: :loggedin,
global: true,
contract_actions: { projects: %i[create] }
map.permission :create_backup,
{ backups: %i[index] },
require: :loggedin,
global: true,
enabled: -> { OpenProject::Configuration.backup_enabled? }
map.permission :manage_user,
{
users: %i[index show new create edit update resend_invitation],
'users/memberships': %i[create update destroy],
admin: %i[index]
},
require: :loggedin,
global: true,
contract_actions: { users: %i[create read update] }
map.permission :manage_placeholder_user,
{
placeholder_users: %i[index show new create edit update deletion_info destroy],
'placeholder_users/memberships': %i[create update destroy],
admin: %i[index]
},
require: :loggedin,
global: true,
contract_actions: { placeholder_users: %i[create read update] }
map.permission :view_project,
{ projects: [:show],
activities: [:index] },
public: true
map.permission :search_project,
{ search: :index },
public: true
map.permission :edit_project,
{
'projects/settings/general': %i[show],
'projects/settings/storage': %i[show],
'projects/templated': %i[create destroy],
'projects/identifier': %i[show update]
},
require: :member,
contract_actions: { projects: %i[update] }
map.permission :select_project_modules,
{
'projects/settings/modules': %i[show update]
},
require: :member
map.permission :manage_members,
{ members: %i[index new create update destroy autocomplete_for_member] },
require: :member,
dependencies: :view_members,
contract_actions: { members: %i[create update destroy] }
map.permission :view_members,
{ members: [:index] },
contract_actions: { members: %i[read] }
map.permission :manage_versions,
{
'projects/settings/versions': [:show],
versions: %i[new create edit update close_completed destroy]
},
require: :member
map.permission :manage_types,
{
'projects/settings/types': %i[show update]
},
require: :member
map.permission :select_custom_fields,
{
'projects/settings/custom_fields': %i[show update]
},
require: :member
map.permission :add_subprojects,
{ projects: %i[new] },
require: :member
map.permission :copy_projects,
{
projects: %i[copy]
},
require: :member,
contract_actions: { projects: %i[copy] }
end
map.project_module :work_package_tracking, order: 90 do |wpt|
wpt.permission :view_work_packages,
{
versions: %i[index show status_by],
journals: %i[index diff],
work_packages: %i[show index],
work_packages_api: [:get],
'work_packages/reports': %i[report report_details]
},
contract_actions: { work_packages: %i[read] }
wpt.permission :add_work_packages,
{}
wpt.permission :edit_work_packages,
{
'work_packages/bulk': %i[edit update]
},
require: :member,
dependencies: :view_work_packages
wpt.permission :move_work_packages,
{ 'work_packages/moves': %i[new create] },
require: :loggedin,
dependencies: :view_work_packages
wpt.permission :add_work_package_notes,
{
# FIXME: Although the endpoint is removed, the code checking whether a user
# is eligible to add work packages through the API still seems to rely on this.
journals: [:new]
},
dependencies: :view_work_packages
wpt.permission :edit_work_package_notes,
{},
require: :loggedin,
dependencies: :view_work_packages
wpt.permission :edit_own_work_package_notes,
{},
require: :loggedin,
dependencies: :view_work_packages
# WorkPackage categories
wpt.permission :manage_categories,
{
'projects/settings/categories': [:show],
categories: %i[new create edit update destroy]
},
require: :member
wpt.permission :export_work_packages,
{
work_packages: %i[index all]
},
dependencies: :view_work_packages
wpt.permission :delete_work_packages,
{
work_packages: :destroy,
'work_packages/bulk': :destroy
},
require: :member,
dependencies: :view_work_packages
wpt.permission :manage_work_package_relations,
{
work_package_relations: %i[create destroy]
},
dependencies: :view_work_packages
wpt.permission :manage_subtasks,
{},
dependencies: :view_work_packages
# Queries
wpt.permission :manage_public_queries,
{},
require: :member
wpt.permission :save_queries,
{},
require: :loggedin,
dependencies: :view_work_packages
# Watchers
wpt.permission :view_work_package_watchers,
{},
dependencies: :view_work_packages
wpt.permission :add_work_package_watchers,
{},
dependencies: :view_work_packages
wpt.permission :delete_work_package_watchers,
{},
dependencies: :view_work_packages
wpt.permission :assign_versions,
{},
dependencies: :view_work_packages
# A user having the following permission can become assignee and/or responsible of a work package.
# This is a passive permission in the sense that a user having the permission isn't eligible to perform
# actions but rather to have actions taken together with him/her.
wpt.permission :work_package_assigned,
{},
require: :member,
contract_actions: { work_packages: %i[assigned] },
grant_to_admin: false
end
map.project_module :news do |news|
news.permission :view_news,
{ news: %i[index show] },
public: true
news.permission :manage_news,
{
news: %i[new create edit update destroy preview],
'news/comments': [:destroy]
},
require: :member
news.permission :comment_news,
{ 'news/comments': :create }
end
map.project_module :wiki do |wiki|
wiki.permission :view_wiki_pages,
{ wiki: %i[index show special date_index] }
wiki.permission :list_attachments,
{ wiki: :list_attachments },
require: :member
wiki.permission :manage_wiki,
{ wikis: %i[edit destroy] },
require: :member
wiki.permission :manage_wiki_menu,
{ wiki_menu_items: %i[edit update select_main_menu_item replace_main_menu_item] },
require: :member
wiki.permission :rename_wiki_pages,
{ wiki: :rename },
require: :member
wiki.permission :change_wiki_parent_page,
{ wiki: %i[edit_parent_page update_parent_page] },
require: :member
wiki.permission :delete_wiki_pages,
{ wiki: :destroy },
require: :member
wiki.permission :export_wiki_pages,
{ wiki: [:export] }
wiki.permission :view_wiki_edits,
{ wiki: %i[history diff annotate] }
wiki.permission :edit_wiki_pages,
{ wiki: %i[edit update preview add_attachment new new_child create] }
wiki.permission :delete_wiki_pages_attachments,
{}
Rails.application.reloader.to_prepare do
OpenProject::AccessControl.map do |map|
map.project_module nil, order: 100 do
map.permission :add_project,
{ projects: %i[new] },
require: :loggedin,
global: true,
contract_actions: { projects: %i[create] }
map.permission :create_backup,
{ backups: %i[index] },
require: :loggedin,
global: true,
enabled: -> { OpenProject::Configuration.backup_enabled? }
map.permission :manage_user,
{
users: %i[index show new create edit update resend_invitation],
'users/memberships': %i[create update destroy],
admin: %i[index]
},
require: :loggedin,
global: true,
contract_actions: { users: %i[create read update] }
map.permission :manage_placeholder_user,
{
placeholder_users: %i[index show new create edit update deletion_info destroy],
'placeholder_users/memberships': %i[create update destroy],
admin: %i[index]
},
require: :loggedin,
global: true,
contract_actions: { placeholder_users: %i[create read update] }
map.permission :view_project,
{ projects: [:show],
activities: [:index] },
public: true
wiki.permission :protect_wiki_pages,
{ wiki: :protect },
require: :member
end
map.permission :search_project,
{ search: :index },
public: true
map.project_module :repository do |repo|
repo.permission :browse_repository,
{ repositories: %i[show browse entry annotate changes diff stats graph] }
map.permission :edit_project,
{
'projects/settings/general': %i[show],
'projects/settings/storage': %i[show],
'projects/templated': %i[create destroy],
'projects/identifier': %i[show update]
},
require: :member,
contract_actions: { projects: %i[update] }
map.permission :select_project_modules,
{
'projects/settings/modules': %i[show update]
},
require: :member
repo.permission :commit_access,
{}
map.permission :manage_members,
{ members: %i[index new create update destroy autocomplete_for_member] },
require: :member,
dependencies: :view_members,
contract_actions: { members: %i[create update destroy] }
map.permission :view_members,
{ members: [:index] },
contract_actions: { members: %i[read] }
map.permission :manage_versions,
{
'projects/settings/versions': [:show],
versions: %i[new create edit update close_completed destroy]
},
require: :member
repo.permission :manage_repository,
{
repositories: %i[edit create update committers destroy_info destroy],
'projects/settings/repository': :show
},
require: :member
map.permission :manage_types,
{
'projects/settings/types': %i[show update]
},
require: :member
repo.permission :view_changesets,
{ repositories: %i[show revisions revision] }
map.permission :select_custom_fields,
{
'projects/settings/custom_fields': %i[show update]
},
require: :member
repo.permission :view_commit_author_statistics,
{}
end
map.permission :add_subprojects,
{ projects: %i[new] },
require: :member
map.project_module :forums do |forum|
forum.permission :manage_forums,
{ forums: %i[new create edit update move destroy] },
map.permission :copy_projects,
{
projects: %i[copy]
},
require: :member,
contract_actions: { projects: %i[copy] }
end
map.project_module :work_package_tracking, order: 90 do |wpt|
wpt.permission :view_work_packages,
{
versions: %i[index show status_by],
journals: %i[index diff],
work_packages: %i[show index],
work_packages_api: [:get],
'work_packages/reports': %i[report report_details]
},
contract_actions: { work_packages: %i[read] }
wpt.permission :add_work_packages,
{}
wpt.permission :edit_work_packages,
{
'work_packages/bulk': %i[edit update]
},
require: :member,
dependencies: :view_work_packages
wpt.permission :move_work_packages,
{ 'work_packages/moves': %i[new create] },
require: :loggedin,
dependencies: :view_work_packages
wpt.permission :add_work_package_notes,
{
# FIXME: Although the endpoint is removed, the code checking whether a user
# is eligible to add work packages through the API still seems to rely on this.
journals: [:new]
},
dependencies: :view_work_packages
wpt.permission :edit_work_package_notes,
{},
require: :loggedin,
dependencies: :view_work_packages
wpt.permission :edit_own_work_package_notes,
{},
require: :loggedin,
dependencies: :view_work_packages
# WorkPackage categories
wpt.permission :manage_categories,
{
'projects/settings/categories': [:show],
categories: %i[new create edit update destroy]
},
require: :member
forum.permission :view_messages,
{ forums: %i[index show],
messages: [:show] },
public: true
wpt.permission :export_work_packages,
{
work_packages: %i[index all]
},
dependencies: :view_work_packages
wpt.permission :delete_work_packages,
{
work_packages: :destroy,
'work_packages/bulk': :destroy
},
require: :member,
dependencies: :view_work_packages
wpt.permission :manage_work_package_relations,
{
work_package_relations: %i[create destroy]
},
dependencies: :view_work_packages
wpt.permission :manage_subtasks,
{},
dependencies: :view_work_packages
# Queries
wpt.permission :manage_public_queries,
{},
require: :member
forum.permission :add_messages,
{ messages: %i[new create reply quote preview] }
wpt.permission :save_queries,
{},
require: :loggedin,
dependencies: :view_work_packages
# Watchers
wpt.permission :view_work_package_watchers,
{},
dependencies: :view_work_packages
wpt.permission :add_work_package_watchers,
{},
dependencies: :view_work_packages
wpt.permission :delete_work_package_watchers,
{},
dependencies: :view_work_packages
wpt.permission :assign_versions,
{},
dependencies: :view_work_packages
# A user having the following permission can become assignee and/or responsible of a work package.
# This is a passive permission in the sense that a user having the permission isn't eligible to perform
# actions but rather to have actions taken together with him/her.
wpt.permission :work_package_assigned,
{},
require: :member,
contract_actions: { work_packages: %i[assigned] },
grant_to_admin: false
end
map.project_module :news do |news|
news.permission :view_news,
{ news: %i[index show] },
public: true
news.permission :manage_news,
{
news: %i[new create edit update destroy preview],
'news/comments': [:destroy]
},
require: :member
news.permission :comment_news,
{ 'news/comments': :create }
end
map.project_module :wiki do |wiki|
wiki.permission :view_wiki_pages,
{ wiki: %i[index show special date_index] }
wiki.permission :list_attachments,
{ wiki: :list_attachments },
require: :member
wiki.permission :manage_wiki,
{ wikis: %i[edit destroy] },
require: :member
wiki.permission :manage_wiki_menu,
{ wiki_menu_items: %i[edit update select_main_menu_item replace_main_menu_item] },
require: :member
wiki.permission :rename_wiki_pages,
{ wiki: :rename },
require: :member
wiki.permission :change_wiki_parent_page,
{ wiki: %i[edit_parent_page update_parent_page] },
require: :member
wiki.permission :delete_wiki_pages,
{ wiki: :destroy },
require: :member
wiki.permission :export_wiki_pages,
{ wiki: [:export] }
wiki.permission :view_wiki_edits,
{ wiki: %i[history diff annotate] }
wiki.permission :edit_wiki_pages,
{ wiki: %i[edit update preview add_attachment new new_child create] }
wiki.permission :delete_wiki_pages_attachments,
{}
wiki.permission :protect_wiki_pages,
{ wiki: :protect },
require: :member
end
map.project_module :repository do |repo|
repo.permission :browse_repository,
{ repositories: %i[show browse entry annotate changes diff stats graph] }
repo.permission :commit_access,
{}
repo.permission :manage_repository,
{
repositories: %i[edit create update committers destroy_info destroy],
'projects/settings/repository': :show
},
require: :member
repo.permission :view_changesets,
{ repositories: %i[show revisions revision] }
repo.permission :view_commit_author_statistics,
{}
end
map.project_module :forums do |forum|
forum.permission :manage_forums,
{ forums: %i[new create edit update move destroy] },
require: :member
forum.permission :view_messages,
{ forums: %i[index show],
messages: [:show] },
public: true
forum.permission :add_messages,
{ messages: %i[new create reply quote preview] }
forum.permission :edit_messages,
{ messages: %i[edit update preview] },
require: :member
forum.permission :edit_messages,
{ messages: %i[edit update preview] },
require: :member
forum.permission :edit_own_messages,
{ messages: %i[edit update preview] },
require: :loggedin
forum.permission :edit_own_messages,
{ messages: %i[edit update preview] },
require: :loggedin
forum.permission :delete_messages,
{ messages: :destroy },
require: :member
forum.permission :delete_messages,
{ messages: :destroy },
require: :member
forum.permission :delete_own_messages,
{ messages: :destroy },
require: :loggedin
end
forum.permission :delete_own_messages,
{ messages: :destroy },
require: :loggedin
map.project_module :activity
end
map.project_module :activity
end
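Review bot: Nothing in this hunk shows what resets `OpenProject::AccessControl` between runs of the new `Rails.application.reloader.to_prepare` block, which fires at boot and again after every code reload. If the module keeps its state across reloads, every permission in this file is mapped a second time, and the `controller_actions <<` appends in the backlogs, bim and reporting engine hunks would add the same entries again. I would add a comment above the block, for example `# Re-run on every reload; relies on OpenProject::AccessControl being autoloaded so its state is rebuilt from scratch`. It is also worth confirming that no authorization check can run before the first `to_prepare` pass, since such a check would see an empty permission map.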

@ -331,7 +331,10 @@ module Redmine #:nodoc:
# end
def project_module(name, options = {}, &block)
@project_scope = [name, options]
instance_eval(&block)
plugin = self
Rails.application.reloader.to_prepare do
plugin.instance_eval(&block)
end
ensure
@project_scope = nil
end
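Review bot: The deferred block runs after `@project_scope` has already been cleared. `project_module` sets the scope and only registers the `to_prepare` callback; the method's `ensure` then resets the scope to nil before returning, so it is gone by the time `plugin.instance_eval(&block)` executes. The `permission` helper is not visible in this hunk, but if it reads `@project_scope` to attach permissions to their module, every permission declared in a plugin's `project_module` block would be registered outside its module. That would affect, for example, the `:github` block added in this commit, and such a permission would no longer depend on the module being enabled for a project. Setting and clearing the scope inside the callback keeps both in the same execution window.

```ruby
def project_module(name, options = {}, &block)
  plugin = self
  Rails.application.reloader.to_prepare do
    # Set the scope when the block actually runs, not when it is registered.
    plugin.instance_variable_set(:@project_scope, [name, options])
    begin
      plugin.instance_eval(&block)
    ensure
      plugin.instance_variable_set(:@project_scope, nil)
    end
  end
end
```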

@ -51,16 +51,19 @@ module OpenProject::Backlogs
author_url: 'https://www.openproject.org',
bundled: true,
settings: settings do
OpenProject::AccessControl.permission(:add_work_packages).tap do |add|
add.controller_actions << 'rb_stories/create'
add.controller_actions << 'rb_tasks/create'
add.controller_actions << 'rb_impediments/create'
end
OpenProject::AccessControl.permission(:edit_work_packages).tap do |edit|
edit.controller_actions << 'rb_stories/update'
edit.controller_actions << 'rb_tasks/update'
edit.controller_actions << 'rb_impediments/update'
Rails.application.reloader.to_prepare do
OpenProject::AccessControl.permission(:add_work_packages).tap do |add|
add.controller_actions << 'rb_stories/create'
add.controller_actions << 'rb_tasks/create'
add.controller_actions << 'rb_impediments/create'
end
OpenProject::AccessControl.permission(:edit_work_packages).tap do |edit|
edit.controller_actions << 'rb_stories/update'
edit.controller_actions << 'rb_tasks/update'
edit.controller_actions << 'rb_impediments/update'
end
end
project_module :backlogs, dependencies: :work_package_tracking do
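Review bot: The lookups `OpenProject::AccessControl.permission(:add_work_packages)` and `permission(:edit_work_packages)` now run inside a `to_prepare` callback, so they depend on the core callback in config/initializers/permissions.rb having registered those permissions first. The relative order of the two callbacks is not visible here. If a lookup returns nil, `.tap` still yields and `add.controller_actions` raises NoMethodError, which is loud but gives no hint about the cause. A short comment stating the ordering assumption would help, for example `# requires the core permissions from config/initializers/permissions.rb to be mapped already`. The same assumption is made in the bim, overviews and reporting engine hunks. The enclosing `register` block starts and ends outside this hunk.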

@ -81,7 +81,11 @@ module OpenProject::Bim
dependencies: %i[manage_public_queries save_bcf_queries]
end
OpenProject::AccessControl.permission(:view_work_packages).controller_actions << 'bim/bcf/issues/redirect_to_bcf_issues_list'
Rails.application.reloader.to_prepare do
OpenProject::AccessControl
.permission(:view_work_packages)
.controller_actions << 'bim/bcf/issues/redirect_to_bcf_issues_list'
end
::Redmine::MenuManager.map(:project_menu) do |menu|
menu.push(:ifc_models,

@ -20,13 +20,15 @@ module Dashboards
end
initializer 'dashboards.permissions' do
# deactivate for now
next unless Rails.env == 'test'
OpenProject::AccessControl.map do |ac_map|
ac_map.project_module(:dashboards) do |pm_map|
pm_map.permission(:view_dashboards, { 'dashboards/dashboards': ['show'] })
pm_map.permission(:manage_dashboards, { 'dashboards/dashboards': ['show'] })
Rails.application.reloader.to_prepare do
# deactivate for now
next unless Rails.env.test?
OpenProject::AccessControl.map do |ac_map|
ac_map.project_module(:dashboards) do |pm_map|
pm_map.permission(:view_dashboards, { 'dashboards/dashboards': ['show'] })
pm_map.permission(:manage_dashboards, { 'dashboards/dashboards': ['show'] })
end
end
end
end

@ -41,7 +41,11 @@ module OpenProject::GithubIntegration
register 'openproject-github_integration',
author_url: 'https://www.openproject.org/',
bundled: true
bundled: true do
project_module(:github, dependencies: :work_package_tracking) do
permission(:show_github_content, {})
end
end
initializer 'github.register_hook' do
::OpenProject::Webhooks.register_hook 'github' do |hook, environment, params, user|
@ -58,14 +62,6 @@ module OpenProject::GithubIntegration
&NotificationHandler.method(:pull_request))
end
initializer 'github.permissions' do
OpenProject::AccessControl.map do |ac_map|
ac_map.project_module(:github, dependencies: :work_package_tracking) do |pm_map|
pm_map.permission(:show_github_content, {})
end
end
end
extend_api_response(:v3, :work_packages, :work_package,
&::OpenProject::GithubIntegration::Patches::API::WorkPackageRepresenter.extension)

@ -15,15 +15,17 @@ module Overviews
end
initializer 'overviews.permissions' do
OpenProject::AccessControl.permission(:view_project)
.controller_actions
.push('overviews/overviews/show')
OpenProject::AccessControl.map do |ac_map|
ac_map.project_module nil do |map|
map.permission :manage_overview,
{ 'overviews/overviews': ['show'] },
public: true
Rails.application.reloader.to_prepare do
OpenProject::AccessControl.permission(:view_project)
.controller_actions
.push('overviews/overviews/show')
OpenProject::AccessControl.map do |ac_map|
ac_map.project_module nil do |map|
map.permission :manage_overview,
{ 'overviews/overviews': ['show'] },
public: true
end
end
end
end
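Review bot: `manage_overview` is declared with `public: true` and there is no comment explaining why, so a public permission with a manage_* name reads like an authorization mistake to the next reviewer. As written it maps only `'overviews/overviews': ['show']`, the same action that is pushed onto `view_project` a few lines earlier. I would document the intent next to the declaration, for example `# public on purpose: only the read-only show action is mapped; TODO confirm changes to the overview are authorized elsewhere`. What `public: true` grants exactly is defined outside this hunk, so the comment should be checked against that definition.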

@ -46,12 +46,16 @@ module OpenProject::Reporting
permission :save_private_cost_reports, { cost_reports: edit_actions }
end
# register additional permissions for viewing time and cost entries through the CostReportsController
view_actions.each do |action|
OpenProject::AccessControl.permission(:view_time_entries).controller_actions << "cost_reports/#{action}"
OpenProject::AccessControl.permission(:view_own_time_entries).controller_actions << "cost_reports/#{action}"
OpenProject::AccessControl.permission(:view_cost_entries).controller_actions << "cost_reports/#{action}"
OpenProject::AccessControl.permission(:view_own_cost_entries).controller_actions << "cost_reports/#{action}"
Rails.application.reloader.to_prepare do
OpenProject::AccessControl.map do
# register additional permissions for viewing time and cost entries through the CostReportsController
view_actions.each do |action|
OpenProject::AccessControl.permission(:view_time_entries).controller_actions << "cost_reports/#{action}"
OpenProject::AccessControl.permission(:view_own_time_entries).controller_actions << "cost_reports/#{action}"
OpenProject::AccessControl.permission(:view_cost_entries).controller_actions << "cost_reports/#{action}"
OpenProject::AccessControl.permission(:view_own_cost_entries).controller_actions << "cost_reports/#{action}"
end
end
end
# menu extensions
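Review bot: The new `OpenProject::AccessControl.map do` wrapper takes no block argument and nothing inside it uses a mapper, so its purpose is not apparent. The other engines in this commit do the same `controller_actions <<` appends directly inside `to_prepare`. Either drop the wrapper or add a comment naming the side effect of `map` that is relied on. The existing comment is also slightly off, because the loop adds controller actions to existing permissions and does not register new ones. The four near-identical lines could be collapsed to `%i[view_time_entries view_own_time_entries view_cost_entries view_own_cost_entries].each { |perm| OpenProject::AccessControl.permission(perm).controller_actions << "cost_reports/#{action}" }`, which makes it harder to forget one of the four.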
