Maintenance: Provide allow_signup column to define the signup permissions for roles and disable new permissions by default as signup permission.

This commit is contained in:
Rolf Schmidt 2020-10-07 14:05:07 +02:00 committed by Thorsten Eckel
parent 5e94f786fd
commit f0462d4c20
5 changed files with 116 additions and 44 deletions

View file

@ -222,13 +222,12 @@ returns
end end
def check_default_at_signup_permissions def check_default_at_signup_permissions
all_permissions = Permission.all.pluck(:id) return true if !default_at_signup
admin_permissions = Permission.where('name LIKE ? OR name = ?', 'admin%', 'ticket.agent').pluck(:id) # admin.*/ticket.agent permissions
normal_permissions = (all_permissions - admin_permissions) | (admin_permissions - all_permissions) # all other permissions besides admin.*/ticket.agent
return true if default_at_signup != true # means if default_at_signup = false, no need further checks
return true if self.permission_ids.all? { |i| normal_permissions.include? i } # allow user to choose only normal permissions
raise Exceptions::UnprocessableEntity, 'Cannot set default at signup when role has admin or ticket.agent permissions.' forbidden_permissions = permissions.reject(&:allow_signup)
return true if forbidden_permissions.blank?
raise Exceptions::UnprocessableEntity, "Cannot set default at signup when role has #{forbidden_permissions.join(', ')} permissions."
end end
end end

View file

@ -132,6 +132,7 @@ class CreateBase < ActiveRecord::Migration[4.2]
t.string :note, limit: 500, null: true t.string :note, limit: 500, null: true
t.string :preferences, limit: 10_000, null: true t.string :preferences, limit: 10_000, null: true
t.boolean :active, null: false, default: true t.boolean :active, null: false, default: true
t.boolean :allow_signup, null: false, default: false
t.timestamps limit: 3, null: false t.timestamps limit: 3, null: false
end end
add_index :permissions, [:name], unique: true add_index :permissions, [:name], unique: true

View file

@ -0,0 +1,31 @@
class RoleSignupColumn < ActiveRecord::Migration[5.2]
def change
# return if it's a new setup
return if !Setting.exists?(name: 'system_init_done')
add_column :permissions, :allow_signup, :boolean, null: false, default: false
signup_permissions = [
'user_preferences',
'user_preferences.password',
'user_preferences.notifications',
'user_preferences.access_token',
'user_preferences.language',
'user_preferences.linked_accounts',
'user_preferences.device',
'user_preferences.avatar',
'user_preferences.calendar',
'user_preferences.out_of_office',
'ticket.customer',
]
Permission.where(name: signup_permissions).update(allow_signup: true)
Role.where(default_at_signup: true).find_each do |role|
role.permissions.where.not(name: signup_permissions).find_each do |permission|
role.permission_revoke(permission.name)
end
end
end
end

View file

@ -266,6 +266,7 @@ Permission.create_if_not_exists(
name: 'user_preferences', name: 'user_preferences',
note: 'User Preferences', note: 'User Preferences',
preferences: {}, preferences: {},
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
name: 'user_preferences.password', name: 'user_preferences.password',
@ -273,6 +274,7 @@ Permission.create_if_not_exists(
preferences: { preferences: {
translations: ['Password'] translations: ['Password']
}, },
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
name: 'user_preferences.notifications', name: 'user_preferences.notifications',
@ -281,6 +283,7 @@ Permission.create_if_not_exists(
translations: ['Notifications'], translations: ['Notifications'],
required: ['ticket.agent'], required: ['ticket.agent'],
}, },
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
name: 'user_preferences.access_token', name: 'user_preferences.access_token',
@ -288,6 +291,7 @@ Permission.create_if_not_exists(
preferences: { preferences: {
translations: ['Token Access'] translations: ['Token Access']
}, },
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
name: 'user_preferences.language', name: 'user_preferences.language',
@ -295,6 +299,7 @@ Permission.create_if_not_exists(
preferences: { preferences: {
translations: ['Language'] translations: ['Language']
}, },
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
name: 'user_preferences.linked_accounts', name: 'user_preferences.linked_accounts',
@ -302,6 +307,7 @@ Permission.create_if_not_exists(
preferences: { preferences: {
translations: ['Linked Accounts'] translations: ['Linked Accounts']
}, },
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
name: 'user_preferences.device', name: 'user_preferences.device',
@ -309,6 +315,7 @@ Permission.create_if_not_exists(
preferences: { preferences: {
translations: ['Devices'] translations: ['Devices']
}, },
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
name: 'user_preferences.avatar', name: 'user_preferences.avatar',
@ -316,6 +323,7 @@ Permission.create_if_not_exists(
preferences: { preferences: {
translations: ['Avatar'] translations: ['Avatar']
}, },
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
name: 'user_preferences.calendar', name: 'user_preferences.calendar',
@ -324,6 +332,7 @@ Permission.create_if_not_exists(
translations: ['Calendars'], translations: ['Calendars'],
required: ['ticket.agent'], required: ['ticket.agent'],
}, },
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
name: 'user_preferences.out_of_office', name: 'user_preferences.out_of_office',
@ -332,6 +341,7 @@ Permission.create_if_not_exists(
translations: ['Out of Office'], translations: ['Out of Office'],
required: ['ticket.agent'], required: ['ticket.agent'],
}, },
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
@ -357,6 +367,7 @@ Permission.create_if_not_exists(
name: 'ticket.customer', name: 'ticket.customer',
note: 'Access to Customer Tickets based on current_user and organization', note: 'Access to Customer Tickets based on current_user and organization',
preferences: {}, preferences: {},
allow_signup: true,
) )
Permission.create_if_not_exists( Permission.create_if_not_exists(
name: 'chat', name: 'chat',

View file

@ -0,0 +1,30 @@
require 'rails_helper'
RSpec.describe RoleSignupColumn, type: :db_migration, db_strategy: :reset do
context 'when a role contains signup permissions' do
let!(:role) do
role = create(:role)
role.permission_grant('user_preferences.password')
role.permission_grant('ticket.agent')
role.update_column(:default_at_signup, true)
role
end
before do
without_column(:permissions, column: :allow_signup)
migrate
end
it 'has password permission' do
expect(role.reload.permissions.map(&:name)).to include('user_preferences.password')
end
it 'has no agent permission' do
expect(role.reload.permissions.map(&:name)).not_to include('ticket.agent')
end
it 'has permission with allow_signup set correctly' do
expect(Permission.find_by(name: 'user_preferences.password').allow_signup).to be true
end
end
end