新增：操作权限

2023-02-20 16:47:19 +08:00 · 2023-02-20 16:47:19 +08:00 · cb3bb23e79
parent 656d5b69b6
commit cb3bb23e79
7 changed files with 18 additions and 9 deletions
--- a/app/controllers/api/v1/base_controller.rb
+++ b/app/controllers/api/v1/base_controller.rb
@ -52,7 +52,6 @@ class Api::V1::BaseController < ApplicationController
  # 具有仓库的操作权限或者fork仓库的操作权限
  def require_operate_above_or_fork_project 
    @project = load_project
-    puts !current_user.admin? && !@project.operator?(current_user) && !(@project.fork_project.present? && @project.fork_project.operator?(current_user))
    return render_forbidden if !current_user.admin? && !@project.operator?(current_user) && !(@project.fork_project.present? && @project.fork_project.operator?(current_user))
  end

--- a/app/controllers/api/v1/issues/issue_tags_controller.rb
+++ b/app/controllers/api/v1/issues/issue_tags_controller.rb
@ -1,6 +1,7 @@
 class Api::V1::Issues::IssueTagsController < Api::V1::BaseController 

-  before_action :require_public_and_member_above, only: [:index, :create, :update, :destroy] 
+  before_action :require_public_and_member_above, only: [:index] 
+  before_action :require_operate_above, only: [:create, :update, :destroy]

  def index 
    @issue_tags = @project.issue_tags.order("#{order_by} #{order_direction}")
--- a/app/controllers/api/v1/issues/journals_controller.rb
+++ b/app/controllers/api/v1/issues/journals_controller.rb
@ -3,6 +3,7 @@ class Api::V1::Issues::JournalsController < Api::V1::IssuesController
  before_action :require_public_and_member_above, only: [:index, :create, :children_journals, :update, :destroy]
  before_action :load_issue, only: [:index, :create, :children_journals, :update, :destroy]
  before_action :load_journal, only: [:children_journals, :update, :destroy]
+  before_action :check_journal_operate_permission, only: [:update, :destroy]

  def index 
    @object_results = Api::V1::Issues::Journals::ListService.call(@issue, query_params, current_user)
@ -45,4 +46,8 @@ class Api::V1::Issues::JournalsController < Api::V1::IssuesController
    return render_not_found("评论不存在！") unless @journal.present?
  end

+  def check_journal_operate_permission 
+    return render_forbidden("您没有操作权限！") unless current_user.present? && current_user.logged? && (@project.member?(current_user) || current_user.admin? || @issue.user == current_user || @journal.user == current_user)
+  end
+
 end
--- a/app/controllers/api/v1/issues/milestones_controller.rb
+++ b/app/controllers/api/v1/issues/milestones_controller.rb
@ -1,5 +1,6 @@
 class Api::V1::Issues::MilestonesController < Api::V1::BaseController 
-  before_action :require_public_and_member_above
+  before_action :require_public_and_member_above, only: [:index, :show]
+  before_action :require_operate_above, only: [:create, :update, :destroy]
  before_action :load_milestone, only: [:show, :update, :destroy]

  # 里程碑列表
--- a/app/controllers/api/v1/issues_controller.rb
+++ b/app/controllers/api/v1/issues_controller.rb
@ -1,6 +1,8 @@
 class Api::V1::IssuesController < Api::V1::BaseController 

-  before_action :require_public_and_member_above, only: [:index, :show, :create, :update, :destroy, :batch_update, :batch_destroy] 
+  before_action :require_public_and_member_above, only: [:index, :show, :create, :update, :destroy] 
+  before_action :require_operate_above, only: [:batch_update, :batch_destroy]
+  before_action :check_issue_operate_permission, only: [:update, :destroy]

  def index 
    @object_results = Api::V1::Issues::ListService.call(@project, query_params, current_user)
@ -17,6 +19,7 @@ class Api::V1::IssuesController < Api::V1::BaseController
  before_action :load_issue, only: [:show, :update, :destroy]

  def show 
+    @user_permission = current_user.present? && current_user.logged? && (@project.member?(current_user) || current_user.admin? || @issue.user == current_user)
  end

  def update 
@ -58,8 +61,6 @@ class Api::V1::IssuesController < Api::V1::BaseController
    @issue = @project.issues.where(project_issues_index: params[:id]).where.not(id: params[:id]).take || Issue.find_by_id(params[:id])
    if @issue.blank?
      render_not_found("疑修不存在!")
-    elsif @issue.present? && @issue.is_lock &&!(@project.member?(current_user) || current_user.admin?)
-      render_forbidden("您没有权限操作！")
    end
  end

@ -69,13 +70,14 @@ class Api::V1::IssuesController < Api::V1::BaseController
      @issue = Issue.find_by_id(id)
      if @issue.blank?
        return render_not_found("ID为#{id}的疑修不存在!")
-      elsif @issue.present? && @issue.is_lock &&!(@project.member?(current_user) || current_user.admin?)
-        return render_forbidden("ID为#{id}的疑修您没有权限操作！")
      end
    end
    @issues = Issue.where(id: params[:ids])
  end

+  def check_issue_operate_permission 
+    return render_forbidden("您没有操作权限！") unless current_user.present? && current_user.logged? && (@project.member?(current_user) || current_user.admin? || @issue.user == current_user)
+  end

  private 

--- a/app/controllers/api/v1/projects/collaborators_controller.rb
+++ b/app/controllers/api/v1/projects/collaborators_controller.rb
@ -3,7 +3,7 @@ class Api::V1::Projects::CollaboratorsController < Api::V1::BaseController
  before_action :require_public_and_member_above, only: [:index]

  def index 
-    @collaborators = @project.all_collaborators.ransack(name_or_login_cont: params[:keyword]).result
+    @collaborators = @project.all_collaborators.like(params[:keyword])
    @collaborators = kaminary_select_paginate(@collaborators)
  end

--- a/app/views/api/v1/issues/show.json.jbuilder
+++ b/app/views/api/v1/issues/show.json.jbuilder
@ -1 +1,2 @@
 json.partial! "api/v1/issues/detail", locals: {issue: @issue}
+json.user_permission @user_permission