diff --git a/app/models/ability.rb b/app/models/ability.rb
deleted file mode 100644
index ba5e6fa..0000000
--- a/app/models/ability.rb
+++ /dev/null
@@ -1,38 +0,0 @@
-class Ability
- include GlobalHelpers
- include CanCan::Ability
-
- def initialize(user)
- # Define abilities for the passed in user here. For example:
- #
- user ||= User.new # guest user (not logged in)
- if user.has_role? constant("roles.super_admin")
- can :manage, :all
- else
- can :read, :all
- end
-
- can :manage_settings, User do |viewed_user|
- viewed_user.present? && user.id == viewed_user.id
- end
- #
- # The first argument to `can` is the action you are giving the user
- # permission to do.
- # If you pass :manage it will apply to every action. Other common actions
- # here are :read, :create, :update and :destroy.
- #
- # The second argument is the resource the user can perform the action on.
- # If you pass :all it will apply to every resource. Otherwise pass a Ruby
- # class of the resource.
- #
- # The third argument is an optional hash of conditions to further filter the
- # objects.
- # For example, here the user can only update published articles.
- #
- # can :update, Article, :published => true
- #
- # See the wiki for details:
- # https://github.com/ryanb/cancan/wiki/Defining-Abilities
-
- end
-end
diff --git a/app/models/org.rb b/app/models/org.rb
index bf3113e..15dcd92 100644
--- a/app/models/org.rb
+++ b/app/models/org.rb
@@ -74,7 +74,7 @@
 return "Funder"
 elsif self.organisation?
 return "Organisation"
- elsif @org.research_institute?
+ elsif self.research_institute?
 return "Research Institute"
 elsif self.project?
 return "Project"
diff --git a/app/models/user.rb b/app/models/user.rb
index bb2ae87..4cf42a2 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
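Review bot: The corrected branch `elsif self.research_institute?` gets no test in this commit, so the slip it fixes (an undefined `@org` ivar reading as nil and raising NoMethodError for every research-institute org) could come back unnoticed; a one-line unit test asserting the label returned for a research-institute org would pin it. The `self.` receiver and the `return` keywords in this chain are redundant in Ruby — `elsif research_institute?` followed by `"Research Institute"` reads the same and lets the `if` expression be the method's value. The enclosing method starts and ends outside the hunk.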
@@ -132,7 +132,7 @@
 #
 # @return [Boolean] true if the user is an admin
 def can_super_admin?
- return self.can_add_orgs? || self.can_grant_api_to_orgs? || can_change_org?
+ return self.can_add_orgs? || self.can_grant_api_to_orgs? || self.can_change_org?
 end
 ##
@@ -142,7 +142,8 @@
 #
 # @return [Boolean] true if the user is an organisation admin
 def can_org_admin?
- return self.can_grant_permissions? || self.can_modify_guidance? || self.can_modify_templates? || self.can_modify_org_details?
+ return self.can_grant_permissions? || self.can_modify_guidance? ||
+ self.can_modify_templates? || self.can_modify_org_details?
 end
 ##
@@ -260,9 +261,11 @@
 end
 end
+# TODO: Remove this, its never called.
 # this generates a reset password link for a given user
 # which can then be sent to them with the appropriate host
 # prepended.
+=begin
 def reset_password_link
 raw, enc = Devise.token_generator.generate(self.class, :reset_password_token)
 self.reset_password_token = enc
@@ -271,5 +274,6 @@
 edit_user_password_path + '?reset_password_token=' + raw
 end
-
+=end
+
 end
diff --git a/test/unit/user_test.rb b/test/unit/user_test.rb
index 9fd0e79..eff121a 100644
--- a/test/unit/user_test.rb
+++ b/test/unit/user_test.rb
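Review bot: The added `self.` on `can_change_org?` is a consistency change rather than a fix — a bare predicate call already resolves to the instance method — so while touching these lines the redundant `return` could go as well: `self.can_add_orgs? || self.can_grant_api_to_orgs? || self.can_change_org?` is the method's value either way, and the same holds for the `can_org_admin?` hunk below. Because both methods are authorization gates, a short YARD line above each naming the Perm records the OR-chain is meant to reflect would help reviewers check it; the user_test hunk in this commit pairs `can_super_admin?` with the perms 'add_organisations', 'change_org_affiliation' and 'grant_api_to_orgs', which is presumably the intended mapping — confirm against the predicate definitions, which are outside these hunks.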
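Review bot: `reset_password_link` is parked under `=begin`/`=end` instead of being deleted, even though the TODO added just above it says it is never called; a dead method that mints a Devise reset token directly (`Devise.token_generator.generate(self.class, :reset_password_token)` and assigns `reset_password_token`) outside Devise's own reset flow is better removed outright, since version control keeps it and nothing can re-enable it by dropping two marker lines. If it must stay for now, the comment should read `# TODO: Remove this, it's never called.` and say why it should not be resurrected as-is. The middle of the method body lies between the two user.rb hunks, so the rest of the token handling is not visible here; the `=end` hunk closes the same block.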
@@ -160,6 +160,35 @@
 end
 # ---------------------------------------------------
+ test "can find a user via an OAuth response" do
+ scheme = IdentifierScheme.create!(name: 'tester', active: true)
+ @user.user_identifiers << UserIdentifier.new(identifier_scheme: scheme, identifier: '12345')
+ @user.save!
+
+ class Auth
+ def provider
+ "tester"
+ end
+ def uid
+ "12345"
+ end
+ end
+
+ assert_equal @user, User.from_omniauth(Auth.new)
+
+ class BogusAuth
+ def provider
+ "bogus"
+ end
+ def uid
+ "12345"
+ end
+ end
+
+ assert_raise User.from_omniauth(Auth.new), "'Unknown OAuth provider: bogus"
+ end
+
+ # ---------------------------------------------------
 test "Plans query filter is working properly" do
 3.times do |i|
 @user.plans << Plan.new(template: Template.last, title: "My test #{i}",
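Review bot: The final assertion in the new test never exercises the unknown-provider path: `assert_raise User.from_omniauth(Auth.new), "'Unknown OAuth provider: bogus"` evaluates `from_omniauth(Auth.new)` — the valid stub — eagerly as an argument rather than inside a block, so `BogusAuth` is defined but unused and the rejection branch, which is the one that matters for account linking, stays untested. It should read `assert_raise { User.from_omniauth(BogusAuth.new) }`, naming the specific error class `from_omniauth` raises if one is defined, and the stray leading quote in the message should go. Declaring `Auth` and `BogusAuth` with `class` inside the test block reopens those constants on the test class every run; `Auth = Struct.new(:provider, :uid)` at file scope, or an `OpenStruct`, gives the same stub without that.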
@@ -186,65 +215,56 @@
 3.times do |i|
 scheme = IdentifierScheme.find_by(name: "test-#{i}")
- assert_equal i.to_s, @user.identifier_for(scheme), "expected the identifier for #{scheme.name} to be '#{i.to_s}'"
+ assert_equal i.to_s, @user.identifier_for(scheme).identifier, "expected the identifier for #{scheme.name} to be '#{i.to_s}'"
 end
 end
 # ---------------------------------------------------
 test "can_super_admin is properly set" do
- perms = Perm.where('name IN (?)', ['add_organisations', 'change_org_affiliation', 'grant_api_to_orgs')
- user = User.create!(email: 'tester@example.edu', password: 'password', perms: perms)
+ perms = Perm.where('name IN (?)', ['add_organisations', 'change_org_affiliation', 'grant_api_to_orgs'])
+ user = User.create!(email: 'tester@example.edu', password: 'password')
- assert user.can_super_admin?, "expected the user to be able to super_admin if they can add orgs, change a user's org and grant api access to an org"
-
+ assert_not user.can_super_admin?, "expected a user with no permissions to NOT be a super_admin"
+
 perms.each do |p|
 last = p
- user.perms << last unless last.nil?
- user.perms.delete(p)
+ user.perms.delete(last) unless last.nil?
+ user.perms << p
 user.save!
- assert_not user.can_super_admin?, "expected the removal of the #{p.name} perm to prevent the user from being a super_admin"
+ assert user.can_super_admin?, "expected the addition of the #{p.name} perm to enable the user to become a super_admin"
 end
+
+ user.perms = []
+ user.save!
+
+ user.perms = perms
+ user.save!
+ assert user.can_super_admin?, "expected the addition of all the super_admin perms to allow the user to be a super_admin"
 end
 # ---------------------------------------------------
 test "can_org_admin is properly set" do
- perms = Perm.where('name IN (?)', ['grant_permissions', 'modify_templates', 'modify_guidance', 'change_org_details')
- user = User.create!(email: 'tester@example.edu', password: 'password', perms: perms)
+ perms = Perm.where('name IN (?)', ['grant_permissions', 'modify_templates', 'modify_guidance', 'change_org_details'])
+ user = User.create!(email: 'tester@example.edu', password: 'password')
- assert user.can_org_admin?, "expected the user to be able to org_admin if they can grant perms, modify templates, modify guidance and change org details"
-
+ assert_not user.can_org_admin?, "expected a user with no permissions to NOT be a org_admin"
+
 perms.each do |p|
 last = p
- user.perms << last unless last.nil?
- user.perms.delete(p)
+ user.perms.delete(last) unless last.nil?
+ user.perms << p
 user.save!
- assert_not user.can_org_admin?, "expected the removal of the #{p.name} perm to prevent the user from being a org_admin"
+ assert user.can_org_admin?, "expected the addition of the #{p.name} perm to enable the user to become a org_admin"
 end
- end
-
- # ---------------------------------------------------
- test "Can only change the org if permissions allow" do
- user = User.first
- org = user.org
- perms = user.perms
+
+ user.perms = []
+ user.save!
- # If user doesn't have permission (delete all user permissions)
- user.perms.delete(Perm.find_by(name: 'change_org_affiliation'))
-
- user.organisation_id = Org.last
- assert user.perms.empty?, "expected all of the user's permissions to have been deleted"
- assert_equal Org.last, user.org, "expected the org to be updated if the user does not have permission to change the org affiliation"
- assert_equal "", user.api_token, "expected the api_token to be blank"
-
- # If we pass nil (delete all user permissions)
-
- # If the existing org is nil (delete all user permissions)
-
- # sets the organisation
-
- # removed the api token
+ user.perms = perms
+ user.save!
+ assert user.can_org_admin?, "expected the addition of all the super_admin perms to allow the user to be a org_admin"
 end
 # ---------------------------------------------------
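Review bot: The per-perm loop in the rewritten `can_super_admin is properly set` test does not isolate anything: the context line `last = p` runs at the top of each pass, so `user.perms.delete(last) unless last.nil?` removes the perm that is about to be added (a no-op) and `user.perms << p` accumulates, meaning every `assert user.can_super_admin?` after the first passes regardless of which predicate in the OR-chain is broken. The same pattern is in the `can_org_admin is properly set` test further down the hunk; in both, `last` should start as `nil` before the loop and be assigned after the assertion so each perm is granted alone, as sketched below. Two smaller points: after `user.perms = []` / `user.save!` there is no `assert_not` confirming the reset actually revoked the role, and the final message in the org-admin test still says "super_admin perms" where it means org_admin perms.
```ruby
    # … unchanged: perms lookup, user creation, initial assert_not …
    last = nil
    perms.each do |p|
      # revoke the perm granted on the previous pass so each perm is checked in isolation
      user.perms.delete(last) unless last.nil?
      user.perms << p
      user.save!
      assert user.can_super_admin?, "expected the addition of the #{p.name} perm to enable the user to become a super_admin"
      last = p
    end
    # … unchanged: clear all perms, then grant all and assert …
```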