Diff
Modified: branches/authorization_new/app/controllers/blobs_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/blobs_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/blobs_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -294,7 +294,7 @@
:current => params[:page] })
found.each do |blob|
- blob.content_blob.data = "" unless blob.authorized?("download", (logged_in? ? current_user : nil))
+ blob.content_blob.data = "" unless Authorization.is_authorized?("download", nil, blob, current_user)
end
@blobs = found
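Review bot: The explicit anonymous-user guard is dropped on the changed line: the old call passed `(logged_in? ? current_user : nil)`, the new one passes `current_user` as-is. If `current_user` in this application returns a non-nil sentinel for visitors who are not logged in (some authentication plugins of this era return `:false`), `Authorization.is_authorized?` receives a value that is neither nil nor a User. Its handling of that value is not visible here. Either keep the guard at the call site, or normalise once inside the module, e.g. `user = nil unless user.is_a?(User)`, and cover the anonymous case with a test. The same substitution recurs in the blobs, blog_posts, blogs, citations, contributions, reviews and workflows controllers and in application_helper.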
@@ -304,7 +304,7 @@
begin
blob = Blob.find(params[:id])
- if blob.authorized?(action_name, (logged_in? ? current_user : nil))
+ if Authorization.is_authorized?(action_name, nil, blob, current_user)
@blob = blob
@blob_entry_url = url_for : false,
Modified: branches/authorization_new/app/controllers/blog_posts_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/blog_posts_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/blog_posts_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -78,7 +78,7 @@
begin
blog = Blog.find(params[:blog_id])
- if blog.authorized?(action_name, (logged_in? ? current_user : nil))
+ if Authorization.is_authorized?(action_name, nil, blog, current_user)
@blog = blog
else
error("Blog not found (id not authorized)", "is invalid (not authorized)")
Modified: branches/authorization_new/app/controllers/blogs_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/blogs_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/blogs_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -113,7 +113,7 @@
begin
blog = Blog.find(params[:id])
- if blog.authorized?(action_name, (logged_in? ? current_user : nil))
+ if Authorization.is_authorized?(action_name, nil, blog, current_user)
@blog = blog
else
if logged_in?
Modified: branches/authorization_new/app/controllers/citations_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/citations_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/citations_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -86,11 +86,11 @@
workflow = Workflow.find(params[:workflow_id])
- if workflow.authorized?((["index", "show"].include?(action_name) ? "show" : "edit"), (logged_in? ? current_user : nil))
+ if Authorization.is_authorized?((["index", "show"].include?(action_name) ? "show" : "edit"), nil, workflow, current_user)
@workflow = workflow
# remove workflow data from workflow if the user is not authorized for download
- @workflow.content_blob.data = "" unless @workflow.authorized?("download", (logged_in? ? current_user : nil))
+ @workflow.content_blob.data = "" unless Authorization.is_authorized?("download", nil, @workflow, current_user)
else
if logged_in?
error("Workflow not found (id not authorized)", "is invalid (not authorized)", :workflow_id)
Modified: branches/authorization_new/app/controllers/contributions_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/contributions_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/contributions_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -111,7 +111,7 @@
begin
contribution = Contribution.find(params[:id])
- if contribution.authorized?(action_name, (logged_in? ? current_user : nil))
+ if Authorization.is_authorized?(action_name, nil, contribution, current_user)
@contribution = contribution
else
error("Contribution not found (id not authorized)", "is invalid (not authorized)")
Modified: branches/authorization_new/app/controllers/experiments_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/experiments_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/experiments_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -102,6 +102,7 @@
def find_experiment_auth
experiment = Experiment.find(:first, :conditions => ["id = ?", params[:id]])
+ # experiments don't use policy-based authorization, hence original authorization mechanism can be left unchanged
if experiment and experiment.authorized?(action_name, current_user)
@experiment = experiment
else
Modified: branches/authorization_new/app/controllers/jobs_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/jobs_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/jobs_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -23,6 +23,7 @@
end
def show
+ # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
unless @job.runnable.authorized?(action_name, current_user)
flash[:error] = "<p>You will not be able to submit this Job, but you can still see the details of it."
flash[:error] = "<p>The runnable item (address@hidden) is not authorized - you need download priviledges to run it.</p>"
@@ -30,6 +31,7 @@
# TODO: check that runnable version still exists
+ # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
unless @job.runner.authorized?(action_name, current_user)
flash[:error] = "You will not be able to submit this Job, but you can still see the details of it." unless flash[:error]
flash[:error] += "<p>The runner is not authorized - you need to either own it or be part of a Group that owns it.</p>"
@@ -98,6 +100,7 @@
end
end
+ # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
if !runnable or !runnable.authorized?('download', user)
success = false
@job.errors.add(:runnable_id, "not valid or not authorized")
@@ -112,6 +115,7 @@
# Check runner is a valid and authorized one
# (for now we can assume it's a TavernaEnactor)
runner = TavernaEnactor.find(:first, :conditions => ["id = ?", params[:job][:runner_id]])
+ # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
if !runner or !runner.authorized?('execute', user)
success = false
@job.errors.add(:runner_id, "not valid or not authorized")
@@ -213,12 +217,13 @@
errors_text = ''
# Authorize the runnable and runner
-
+ # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
unless @job.runnable.authorized?(action_name, current_user)
success = false;
errors_text += "<p>The runnable item (address@hidden) is not authorized - you need download priviledges to run it.</p>"
end
+ # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
unless @job.runner.authorized?(action_name, current_user)
success = false;
errors_text += "<p>The runner is not authorized - you need to either own it or be part of a Group that owns it.</p>"
@@ -312,6 +317,7 @@
job.experiment = Experiment.new(:title => Experiment.default_title(user), :contributor => user)
elsif params[:change_experiment] == 'existing'
experiment = Experiment.find(params[:change_experiment_id])
+ # experiments don't use policy-based authorization, hence original authorization method can be left unchanged
if experiment and experiment.authorized?('edit', user)
job.experiment = experiment
else
@@ -338,6 +344,7 @@
def find_experiment_auth
experiment = Experiment.find(:first, :conditions => ["id = ?", params[:experiment_id]])
+ # experiments don't use policy-based authorization, hence original authorization method can be left unchanged
if experiment and experiment.authorized?(action_name, current_user)
@experiment = experiment
else
@@ -355,6 +362,7 @@
def find_job_auth
job = Job.find(:first, :conditions => ["id = ?", params[:id]])
+ # jobs don't use policy-based authorization, hence original authorization method can be left unchanged
if job and job.experiment.id == @experiment.id and job.authorized?(action_name, current_user)
@job = job
else
Modified: branches/authorization_new/app/controllers/packs_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/packs_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/packs_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -431,11 +431,11 @@
begin
pack = Pack.find(params[:id])
- if pack.authorized?(action_name, current_user)
+ if Authorization.is_authorized?(action_name, pack.class.name, pack, current_user)
@pack = pack
- @authorised_to_edit = logged_in? && @pack.authorized?("edit", current_user)
- @authorised_to_download = @pack.authorized?("download", (logged_in? ? current_user : nil))
+ @authorised_to_edit = Authorization.is_authorized?("edit", nil, @pack, current_user)
+ @authorised_to_download = Authorization.is_authorized?("download", nil, @pack, current_user)
@pack_entry_url = url_for : false,
:host => base_host,
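Review bot: The three calls in this hunk disagree on the second argument: the first passes `pack.class.name`, while the "edit" and "download" checks on the same object pass `nil`. If that argument selects the policy lookup path, the gate and the two flags could be evaluated differently, so pick one form and use it for all three. `@authorised_to_edit` also loses the `logged_in? &&` guard that the workflows controller keeps in this same commit. If anonymous visitors must never get edit rights, keep it here too: `@authorised_to_edit = logged_in? && Authorization.is_authorized?("edit", nil, @pack, current_user)`. The enclosing method starts and ends outside the hunk.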
Modified: branches/authorization_new/app/controllers/reviews_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/reviews_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/reviews_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -114,9 +114,9 @@
workflow = Workflow.find(params[:workflow_id])
- if workflow.authorized?("show", (logged_in? ? current_user : nil))
+ if Authorization.is_authorized?('show', nil, workflow, current_user)
# remove workflow data from workflow if the user is not authorized for download
- workflow.content_blob.data = "" unless workflow.authorized?("download", (logged_in? ? current_user : nil))
+ workflow.content_blob.data = "" unless Authorization.is_authorized?('download', nil, workflow, current_user)
@reviewable = workflow
else
if logged_in?
Modified: branches/authorization_new/app/controllers/runners_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/runners_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/runners_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -112,6 +112,7 @@
def find_runner_auth
runner = TavernaEnactor.find(:first, :conditions => ["id = ?", params[:id]])
+ # runners / runnables don't use policy-based authorization, hence original authorization method can be left unchanged
if runner and runner.authorized?(action_name, current_user)
@runner = runner
else
Modified: branches/authorization_new/app/controllers/tags_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/tags_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/tags_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -65,7 +65,7 @@
# Authorise entries now
taggings.each do |t|
if t.taggable.respond_to?(:contribution)
- @tagged_with << t.taggable if t.taggable.contribution.authorized?("show", current_user)
+ @tagged_with << t.taggable if Authorization.is_authorized?('show', nil, t.taggable.contribution, current_user)
else
@tagged_with << t.taggable
end
Modified: branches/authorization_new/app/controllers/workflows_controller.rb (2052 => 2053)
--- branches/authorization_new/app/controllers/workflows_controller.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/controllers/workflows_controller.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -573,7 +573,7 @@
:order => "workflows.updated_at DESC" }))
found.each do |workflow|
- workflow.content_blob.data = "" unless workflow.authorized?("download", (logged_in? ? current_user : nil))
+ workflow.content_blob.data = "" unless Authorization.is_authorized?('download', nil, workflow, current_user)
end
@workflows = found
@@ -587,7 +587,7 @@
@rss_workflows = [ ]
found.each do |workflow|
- @rss_workflows << workflow if workflow.authorized?("show", (logged_in? ? current_user : nil))
+ @rss_workflows << workflow if Authorization.is_authorized?('show', nil, workflow, current_user)
end
end
end
@@ -601,10 +601,7 @@
workflow = Workflow.find(params[:id])
end
- permission = action_name
- permission = 'show' if action_name == 'launch'
-
- if workflow.authorized?(permission, (logged_in? ? current_user : nil))
+ if Authorization.is_authorized?(action_name, nil, workflow, current_user)
@latest_version_number = workflow.current_version
@workflow = workflow
if params[:version]
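Review bot: The `launch` action is no longer mapped to the `show` permission before the check; `action_name` now reaches `Authorization.is_authorized?` unchanged. Whether the module knows `'launch'` is not visible in this diff. If unknown actions are denied, launching breaks for everyone; if they fall through to a permissive default, the check is weaker than before. Either keep the mapping at the call site, `permission = (action_name == 'launch') ? 'show' : action_name`, or add an explicit `'launch'` case to the module with a test that pins it to view rights. The enclosing filter method starts and ends outside the hunk.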
@@ -619,8 +616,13 @@
@viewing_version = @workflow.find_version(@latest_version_number)
end
- @authorised_to_download = @workflow.authorized?("download", (logged_in? ? current_user : nil))
- @authorised_to_edit = logged_in? && @workflow.authorized?("edit", (logged_in? ? current_user : nil))
+ @authorised_to_edit = logged_in? && Authorization.is_authorized?('edit', nil, @workflow, current_user)
+ if @authorised_to_edit
+ # can save a call to .is_authorized? if "edit" was already found to be allowed - due to cascading permissions
+ @authorised_to_download = true
+ else
+ @authorised_to_download = Authorization.is_authorized?('download', nil, @workflow, current_user)
+ end
# remove scufl from workflow if the user is not authorized for download
@viewing_version.content_blob.data = "" unless @authorised_to_download
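Review bot: Setting `@authorised_to_download = true` whenever edit is allowed hard-codes a policy invariant (edit implies download) in the controller, and the next line uses that flag to decide whether `content_blob.data` is blanked. If the policy model ever grants edit without download, this path discloses the workflow body without any authorization call having approved it. The saving is one call per request, so I would always ask the module: `@authorised_to_download = Authorization.is_authorized?('download', nil, @workflow, current_user)`. If the shortcut stays, the cascade should be asserted by a test on `Authorization` rather than assumed in a comment here. The packs controller in this commit makes both calls unconditionally, so the two controllers also diverge.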
Modified: branches/authorization_new/app/helpers/application_helper.rb (2052 => 2053)
--- branches/authorization_new/app/helpers/application_helper.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/helpers/application_helper.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -417,7 +417,7 @@
if thumb
unless w.image.nil?
- if w.authorized?("show", (logged_in? ? current_user : nil))
+ if Authorization.is_authorized?('show', nil, w, current_user)
dot = image_tag url_for_file_column(w, "image", "thumb")
else
dot = image_tag url_for_file_column(w, "image", "padlock")
@@ -837,7 +837,7 @@
def all_workflows
workflows = Workflow.find(:all, :order => "title ASC")
- workflows = workflows.select {|w| w.authorized?('show', w) }
+ workflows = workflows.select {|w| Authorization.is_authorized?('show', nil, w, current_user) }
end
def all_blobs
@@ -847,7 +847,7 @@
y_title = (y.title and y.title.length > 0) ? y.title : y.local_name
x_title.downcase <=> y_title.downcase
}
- blobs = blobs.select {|b| b.authorized?('show', b) }
+ blobs = blobs.select {|b| Authorization.is_authorized?('show', nil, b, current_user) }
end
def all_networks
@@ -1051,7 +1051,7 @@
def thing_authorized?(action, thing)
return true unless thing.respond_to?(:authorized?)
- return thing.authorized?(action, (logged_in? ? current_user : nil))
+ return Authorization.is_authorized?(action, nil, thing, current_user)
end
def strip_html(str, preserve_tags=[])
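Review bot: The guard `return true unless thing.respond_to?(:authorized?)` in `thing_authorized?` still keys on the old per-model method, although the decision is now made by `Authorization.is_authorized?`. If a later step of this migration removes `authorized?` from the policy-based models, every such object will fail the `respond_to?` test and the helper will return `true` for it, which is fail-open. Consider keying the guard on something the new module defines (for example a list of types it handles), or let `Authorization.is_authorized?` decide for every type. At minimum add a comment such as `# NOTE: fail-open for objects without authorized? - keep that method on models until this guard is replaced`.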
Modified: branches/authorization_new/app/models/pack.rb (2052 => 2053)
--- branches/authorization_new/app/models/pack.rb 2009-01-16 11:06:53 UTC (rev 2052)
+++ branches/authorization_new/app/models/pack.rb 2009-01-16 11:34:58 UTC (rev 2053)
@@ -166,8 +166,8 @@
next # skips all further processing and moves on to the next item
end
- download_allowed = item_contribution.authorized?("download", user)
- viewing_allowed = download_allowed ? true : item_contribution.authorized?("view", user)
+ download_allowed = Authorization.is_authorized?('download', nil, item_contribution, user)
+ viewing_allowed = download_allowed ? true : Authorization.is_authorized?('view', nil, item_contribution, user)
case item_entry.contributable_type.downcase