[Xfce4-commits] <moka:master> Make role-based permission control easier.

Jannis Pohlmann noreply at xfce.org
Mon Feb 14 15:02:01 CET 2011


Updating branch refs/heads/master
         to 3142e2673ceffa823303b5f0a928916b2ac21140 (commit)
       from ebf973ee4ba096800cd8d861913e42e9578587cc (commit)

commit 3142e2673ceffa823303b5f0a928916b2ac21140
Author: Jannis Pohlmann <jannis at xfce.org>
Date:   Mon Feb 14 14:59:20 2011 +0100

    Make role-based permission control easier.
    
    Also allow people with the 'board-member' role to send announcements
    from the release manager through the @xfce identi.ca account.

 lib/controllers/announcements.rb  |    6 +++---
 lib/controllers/authentication.rb |   21 ++++++++++++++++-----
 lib/views/permission_denied.erb   |    8 ++++----
 3 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/lib/controllers/announcements.rb b/lib/controllers/announcements.rb
index 435cdeb..be128e3 100755
--- a/lib/controllers/announcements.rb
+++ b/lib/controllers/announcements.rb
@@ -5,19 +5,19 @@ module Moka
 
       def self.registered(app)
         app.get '/announcements' do
-          authentication_required
+          authentication_required(roles = ['admin', 'board-member'])
 
           view :announcements
         end
 
         app.get '/announcements/identica' do
-          authentication_required
+          authentication_required(roles = ['admin', 'board-member'])
 
           redirect '/announcements'
         end
 
         app.post '/announcements/identica' do
-          authentication_required
+          authentication_required(roles = ['admin', 'board-member'])
 
           unless env['identica']
             error_set(:identica, 'Publishing announcements on identi.ca is not supported at the moment.')
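Review bot: `authentication_required(roles = ['admin', 'board-member'])` at the three routes does not select roles — Ruby has no keyword-argument syntax here, so `roles = [...]` assigns a local variable and the array is passed as the first positional parameter, `context`, while the method's `roles` keeps its default `['admin']`. A board member is therefore still denied (an Array is not a Project, Collection or Maintainer, so the generic branch runs with `['admin']` only), and the permission_denied view receives the Array as `context`. Each call should read `authentication_required(nil, ['admin', 'board-member'])`. `self.registered` continues past the end of the hunk.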
diff --git a/lib/controllers/authentication.rb b/lib/controllers/authentication.rb
index 6428b12..d24092f 100755
--- a/lib/controllers/authentication.rb
+++ b/lib/controllers/authentication.rb
@@ -55,29 +55,40 @@ module Moka
           env['warden'].authenticated?
         end
 
-        def authentication_required(context = nil, role = 'admin')
+        def authentication_required(context = nil, roles = ['admin'])
           redirect '/login' unless authentication_finished?
 
           if (context.is_a? Moka::Models::Project)
+            # abort processing the current page if the user is not
+            # a maintainer of the project and his/her user roles
+            # and the required roles have no elements in common
             unless context.maintainers.include?(authentication_user)
-              unless authentication_user.roles.include?(role)
+              if (authentication_user.roles & roles).empty?
                 halt(view(:permission_denied, binding))
               end
             end
           elsif (context.is_a? Moka::Models::Collection)
+            # abort processing the current page if the user is not
+            # a maintainer of the collection and his/her user roles
+            # and the required roles have no elements in common
             unless context.maintainers.include?(authentication_user)
-              unless authentication_user.roles.include?(role)
+              if (authentication_user.roles & roles).empty?
                 halt(view(:permission_denied, binding))
               end
             end
           elsif (context.is_a? Moka::Models::Maintainer)
+            # abort processing the current page if the user is not
+            # the same as the required maintainer and his/her user 
+            # roles and the required roles have no elements in common
             unless authentication_user == context
-              unless authentication_user.roles.include?(role)
+              if (authentication_user.roles & roles).empty?
                 halt(view(:permission_denied, binding))
               end
             end
           else
-            unless authentication_user.roles.include?(role)
+            # abort processing the current page if the user roles
+            # and the required roles have no elements in common
+            if (authentication_user.roles & roles).empty?
               halt(view(:permission_denied, binding))
             end
           end
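Review bot: `(authentication_user.roles & roles).empty?` is now repeated with the same `halt` in all four branches, and it assumes `roles` is an Array — a caller still passing a single role string under the previous `role = 'admin'` signature gets a `TypeError` from `Array#&` rather than a denial, so the outcome depends on the error handler instead of the authorization check. Computing the decision once at the top (`roles = Array(roles)` to accept both forms, then a single `lacks_role` flag) keeps the per-branch comments while removing the duplicated authorization logic, which is the part most likely to drift when the next role is added. The method's closing `end` lies outside the hunk.
```ruby
def authentication_required(context = nil, roles = ['admin'])
  redirect '/login' unless authentication_finished?

  # accept both a single role string and an array of roles
  roles = Array(roles)
  # true when the user's roles and the required roles have no element in common
  lacks_role = (authentication_user.roles & roles).empty?

  if (context.is_a? Moka::Models::Project)
    # maintainers of the project are allowed regardless of role
    unless context.maintainers.include?(authentication_user)
      halt(view(:permission_denied, binding)) if lacks_role
    end
  elsif (context.is_a? Moka::Models::Collection)
    # maintainers of the collection are allowed regardless of role
    unless context.maintainers.include?(authentication_user)
      halt(view(:permission_denied, binding)) if lacks_role
    end
  elsif (context.is_a? Moka::Models::Maintainer)
    # the required maintainer is allowed regardless of role
    unless authentication_user == context
      halt(view(:permission_denied, binding)) if lacks_role
    end
  else
    halt(view(:permission_denied, binding)) if lacks_role
  end
```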
diff --git a/lib/views/permission_denied.erb b/lib/views/permission_denied.erb
index 3deab1b..35ab48a 100755
--- a/lib/views/permission_denied.erb
+++ b/lib/views/permission_denied.erb
@@ -2,13 +2,13 @@
 <p class="error">You're denied access to this page for the following reason:</p>
 <p class="error" style="text-align:center;"><strong>
   <% if context.is_a? Moka::Models::Project %>
-    You are not listed as a maintainer of <%= context.name %> and your role is not <%= role %> either.
+    You are not listed as a maintainer of <%= context.name %> and your roles include none of <%= roles.to_s %> either.
   <% elsif context.is_a? Moka::Models::Collection %>
-    You are not listed as a maintainer of <%= context.display_name %> and your role is not <%= role %> either.
+    You are not listed as a maintainer of <%= context.display_name %> and your roles include none of <%= roles.to_s %> either.
   <% elsif context.is_a? Moka::Models::Maintainer %>
-    You are not <%= context.realname %> and your role is not <%= role %> either.
+    You are not <%= context.realname %> and your roles include none of <%= roles.to_s %> either.
   <% else %>
-    The <%= role %> role is required for this.
+    One of the <%= role.to_s %> roles is required for this.
   <% end %>
 </strong></p>
 <p><a href="javascript:history.back()">Bring me back!</a></p>
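Review bot: The generic branch `One of the <%= role.to_s %> roles is required for this.` still references `role`, but the binding handed over by `authentication_required` now defines only `roles`, so rendering this branch raises NameError instead of the denial page — and it is the branch the `/announcements` routes reach, since they pass no context. It should be `One of the <%= roles.to_s %> roles is required for this.`. In all four branches `roles.join(', ')` would be preferable to `roles.to_s`, whose output for an Array depends on the Ruby version (elements concatenated on 1.8, the inspect form `["admin", "board-member"]` on 1.9 and later).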


