class PermissionController < ApplicationController
unloadable
require_login
def admin
@pclasses = logged_in_person.administrator_classes
@roles = Role.find :all
end
require_class_permission "change_permissions", :class_param => "klass", :only => [:edit]
def edit
pclass = nil
AeUsers.permissioned_classes.each do |pc|
if pc.name == params[:klass]
pclass = pc
break
end
end
if pclass.nil?
render :inline => "
Invalid class name <%= h AeUsers.permissioned_classes %>
"
else
if params[:id]
@item = pclass.find(params[:id])
else
@item = pclass
end
end
end
def auto_complete_for_permission_grantee
if params[:q]
query = params[:q].strip.downcase
liketerm = "%#{query}%"
terms = query.split
if params[:people] == "true"
sql = terms.collect do |t|
"((LOWER(firstname) like ?) OR (LOWER(lastname) like ?))"
end.join(" AND ")
doubleterms = []
terms.each do |t|
doubleterms.push("%#{t}%")
doubleterms.push("%#{t}%")
end
@grantees = Person.find(:all, :conditions => ([sql] + doubleterms))
@grantees += EmailAddress.find(:all,
:conditions => ["LOWER(address) like ?", liketerm]).collect do |ea|
ea.person
end
else
@grantees = []
end
if params[:roles] == "true"
@grantees += Role.find(:all,
:conditions => ["LOWER(name) like ?", liketerm])
end
@grantees.uniq!
else
@grantees = []
end
render :partial => "add_grantee"
end
before_filter :check_grant_perms, :only => [:grant]
layout nil, :only => [:grant]
def grant
perm_params = {}
if params[:klass] == 'Person'
@grantee = Person.find(params[:id])
perm_params[:person_id] = @grantee.id
else
@grantee = Role.find(params[:id])
perm_params[:role_id] = @grantee.id
end
@perm = Permission.create(perm_params.update(:permission => params[:perm], :permissioned => @permissioned))
@perm.destroy_caches
end
before_filter :check_revoke_perms, :only => [:revoke]
def revoke
@perm.destroy_caches
@perm.destroy
render :nothing => true
end
def create_role
@role = Role.create(params[:role])
redirect_to :action => 'edit_role', :id => @role.id
@role.grant(logged_in_person)
end
before_filter :check_edit_role_perms, :only => [:edit_role, :delete_role]
before_filter :check_edit_role_member_perms, :only => [:add_role_member, :remove_role_member]
def edit_role
end
def add_role_member
@person = Person.find(params[:id])
@role.people.push @person
@role.save
if AeUsers.cache_permissions?
AeUsers.permission_cache.invalidate_all(@person)
end
render :partial => "role_member", :locals => {:person => @person}
end
def remove_role_member
@role.people.delete(@role.people.find(params[:id]))
@role.save
if AeUsers.cache_permissions?
AeUsers.permission_cache.invalidate_all(@person)
end
render :nothing => true
end
def delete_role
if AeUsers.cache_permissions?
@role.people.each do |person|
AeUsers.permission_cache.invalidate_all(person)
end
end
@role.destroy
render :nothing => true
end
private
def check_grant_perms
@permissioned = nil
if params[:item_klass] != 'Class'
pc = AeUsers.permissioned_class(params[:item_klass])
@permissioned = pc.find(params[:item_id])
end
check_metaperms
end
def check_revoke_perms
@perm = Permission.find(params[:id])
@permissioned = @perm.permissioned
check_metaperms
if @person == @perm.grantee and @perm.permission == "change_permissions"
access_denied "Sorry, you can't revoke your own right to change permissions. (You'd probably regret it anyway!)" +
" If you're trying to transfer ownership to someone else, just give them all the permissions, and have them revoke yours."
end
end
def check_metaperms
@person = logged_in_person
if not @person.permitted?(@permissioned, "change_permissions")
access_denied "Sorry, you are not allowed to change the permissions of that object."
end
end
def check_edit_role_perms
@role ||= Role.find(params[:id])
if not @role.permitted?(logged_in_person, "edit")
access_denied "Sorry, you are not allowed to edit this role."
end
end
def check_edit_role_member_perms
@role = Role.find(params[:role])
check_edit_role_perms
end
end