Add specific ability for managing group members

f9bcb963 · Douwe Maan · 43d11880 · f9bcb963 · f9bcb963 · f9bcb963
Commit f9bcb963 authored 9 years ago by Douwe Maan
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -21,6 +21,8 @@ class Groups::GroupMembersController < Groups::ApplicationController
  end
  
  def create
+    return render_403 unless can?(current_user, :admin_group_member, @group)
+
    @group.add_users(params[:user_ids].split(','), params[:access_level], current_user)
  
    redirect_to group_group_members_path(@group), notice: 'Users were successfully added.'
@@ -28,6 +30,9 @@ class Groups::GroupMembersController < Groups::ApplicationController
  
  def update
    @member = @group.group_members.find(params[:id])
+
+    return render_403 unless can?(current_user, :update_group_member, @member)
+
    @member.update_attributes(member_params)
  end
  
@@ -46,6 +51,8 @@ class Groups::GroupMembersController < Groups::ApplicationController
  end
  
  def resend_invite
+    return render_403 unless can?(current_user, :admin_group_member, @group)
+
    redirect_path = group_group_members_path(@group)
  
    @group_member = @group.group_members.find(params[:id])

--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -233,7 +233,8 @@ class Ability
      if group.has_owner?(user) || user.admin?
        rules.push(*[
          :admin_group,
-          :admin_namespace
+          :admin_namespace,
+          :admin_group_member
        ])
      end
  
@@ -295,7 +296,7 @@ class Ability
      rules = []
      target_user = subject.user
      group = subject.group
-      can_manage = group_abilities(user, group).include?(:admin_group)
+      can_manage = group_abilities(user, group).include?(:admin_group_member)
  
      if can_manage && (user != target_user)
        rules << :update_group_member

--- a/app/views/dashboard/groups/index.html.haml
+++ b/app/views/dashboard/groups/index.html.haml
@@ -23,9 +23,10 @@
              %i.fa.fa-cogs
              Settings
  
-          = link_to leave_group_group_members_path(group), data: { confirm: leave_group_message(group.name) }, method: :delete, class: "btn-sm btn btn-grouped", title: 'Leave this group' do
-            %i.fa.fa-sign-out
-            Leave
+          - if can?(current_user, :destroy_group_member, group_member)
+            = link_to leave_group_group_members_path(group), data: { confirm: leave_group_message(group.name) }, method: :delete, class: "btn-sm btn btn-grouped", title: 'Leave this group' do
+              %i.fa.fa-sign-out
+              Leave
  
        = image_tag group_icon(group), class: "avatar s40 avatar-tile hidden-xs"
        = link_to group, class: 'group-name' do

--- a/app/views/groups/group_members/_group_member.html.haml
+++ b/app/views/groups/group_members/_group_member.html.haml
@@ -24,7 +24,7 @@
          = link_to member.created_by.name, user_path(member.created_by)
        = time_ago_with_tooltip(member.created_at)
  
-      - if show_controls && can?(current_user, :admin_group, @group)
+      - if show_controls && can?(current_user, :admin_group_member, member)
        = link_to resend_invite_group_group_member_path(@group, member), method: :post, class: "btn-xs btn", title: 'Resend invite' do
          Resend invite
  

--- a/app/views/groups/group_members/index.html.haml
+++ b/app/views/groups/group_members/index.html.haml
@@ -17,7 +17,7 @@
      = search_field_tag :search, params[:search], { placeholder: 'Find existing member by name', class: 'form-control search-text-input' }
    = button_tag 'Search', class: 'btn'
  
-  - if current_user && current_user.can?(:admin_group, @group)
+  - if current_user && current_user.can?(:admin_group_member, @group)
    .pull-right
      = button_tag class: 'btn btn-new js-toggle-button', type: 'button' do
        Add members