90 lines
2.9 KiB
Ruby
90 lines
2.9 KiB
Ruby
class UserPolicy < ApplicationPolicy
|
|
# Roles that allow:
|
|
# - troubleshooting for a user
|
|
# - managing a user's invitations
|
|
# - updating a user's email and roles (e.g. wranglers, archivists, not admin roles)
|
|
# This is further restricted using ALLOWED_ATTRIBUTES_BY_ROLES.
|
|
MANAGE_ROLES = %w[superadmin legal policy_and_abuse open_doors support tag_wrangling].freeze
|
|
|
|
# Roles that are allowed to set a generic username for users.
|
|
CHANGE_USERNAME_ROLES = %w[superadmin policy_and_abuse].freeze
|
|
|
|
# Roles that allow updating the Fannish Next Of Kin of a user.
|
|
MANAGE_NEXT_OF_KIN_ROLES = %w[superadmin policy_and_abuse support].freeze
|
|
|
|
# Roles that allow deleting all of a spammer's creations.
|
|
SPAM_CLEANUP_ROLES = %w[superadmin policy_and_abuse].freeze
|
|
|
|
# Roles that allow viewing of past user emails and logins.
|
|
VIEW_PAST_USER_INFO_ROLES = %w[superadmin policy_and_abuse open_doors support tag_wrangling].freeze
|
|
|
|
# Roles that allow accessing a summary of a user's works and comments.
|
|
REVIEW_CREATIONS_ROLES = %w[superadmin policy_and_abuse].freeze
|
|
|
|
# Define which roles can update which attributes.
|
|
ALLOWED_ATTRIBUTES_BY_ROLES = {
|
|
"open_doors" => [roles: []],
|
|
"policy_and_abuse" => [:email, { roles: [] }],
|
|
"superadmin" => [:email, { roles: [] }],
|
|
"support" => [:email, { roles: [] }],
|
|
"tag_wrangling" => [roles: []]
|
|
}.freeze
|
|
|
|
# Define which admin roles can edit which user roles.
|
|
ALLOWED_USER_ROLES_BY_ADMIN_ROLES = {
|
|
"open_doors" => %w[archivist no_resets opendoors],
|
|
"policy_and_abuse" => %w[no_resets protected_user],
|
|
"superadmin" => %w[archivist no_resets official opendoors protected_user tag_wrangler],
|
|
"support" => %w[no_resets],
|
|
"tag_wrangling" => %w[tag_wrangler]
|
|
}.freeze
|
|
|
|
def can_manage_users?
|
|
user_has_roles?(MANAGE_ROLES)
|
|
end
|
|
|
|
def can_manage_next_of_kin?
|
|
user_has_roles?(MANAGE_NEXT_OF_KIN_ROLES)
|
|
end
|
|
|
|
def can_destroy_spam_creations?
|
|
user_has_roles?(SPAM_CLEANUP_ROLES)
|
|
end
|
|
|
|
def can_view_past?
|
|
user_has_roles?(VIEW_PAST_USER_INFO_ROLES)
|
|
end
|
|
|
|
def can_access_creation_summary?
|
|
user_has_roles?(REVIEW_CREATIONS_ROLES)
|
|
end
|
|
|
|
def can_change_username?
|
|
user_has_roles?(CHANGE_USERNAME_ROLES)
|
|
end
|
|
|
|
def permitted_attributes
|
|
ALLOWED_ATTRIBUTES_BY_ROLES.values_at(*user.roles).compact.flatten
|
|
end
|
|
|
|
def can_edit_user_role?(role)
|
|
ALLOWED_USER_ROLES_BY_ADMIN_ROLES.values_at(*user.roles).compact.flatten.include?(role.name)
|
|
end
|
|
|
|
alias index? can_manage_users?
|
|
alias bulk_search? can_manage_users?
|
|
alias show? can_manage_users?
|
|
alias update? can_manage_users?
|
|
alias change_username? can_change_username?
|
|
alias changed_username? can_change_username?
|
|
|
|
alias update_next_of_kin? can_manage_next_of_kin?
|
|
|
|
alias confirm_delete_user_creations? can_destroy_spam_creations?
|
|
alias destroy_user_creations? can_destroy_spam_creations?
|
|
|
|
alias creations? can_access_creation_summary?
|
|
|
|
alias troubleshoot? can_manage_users?
|
|
alias activate? can_manage_users?
|
|
end
|