Readonly User (#637)

* Readonly User

* Refactor FormPolicy and TemplatePolicy to centralize write operation logic

- Introduced a private method `canPerformWriteOperation` in both FormPolicy and TemplatePolicy to encapsulate the logic for determining if a user can perform write operations on the respective models.
- Updated the `update`, `delete`, `restore`, and `forceDelete` methods in FormPolicy to use the new method for improved readability and maintainability.
- Simplified the `update` and `delete` methods in TemplatePolicy to leverage the centralized write operation logic.

This refactoring enhances code clarity and reduces duplication across policy classes.

* Refactor user and workspace permissions handling

- Updated FormController to authorize form creation based on workspace context.
- Removed the `is_readonly` attribute from UserResource and moved it to WorkspaceResource, because readonly is a per-workspace role on the workspace/user pivot rather than a user-wide attribute.
- Refactored User model to eliminate the `getIsReadonlyAttribute` method, shifting readonly logic to the Workspace model.
- Adjusted FormPolicy and TemplatePolicy to utilize workspace readonly checks for user permissions.
- Updated various frontend components to reference workspace readonly status instead of user readonly status, enhancing clarity and consistency in permission handling.

These changes improve the management of user permissions in relation to workspaces, ensuring a more robust and maintainable authorization system.

* Fix isReadonlyUser

* fix pint

---------

Co-authored-by: Julien Nahum <julien@nahum.net>
Chirag Chhatrala 2024-12-30 19:05:23 +05:30 committed by GitHub
parent 9a2d7b9d8d
commit 2366f9515d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
18 changed files with 102 additions and 54 deletions


@ -108,10 +108,9 @@ class FormController extends Controller
public function store(StoreFormRequest $request)
{
$this->authorize('create', Form::class);
$workspace = Workspace::findOrFail($request->get('workspace_id'));
$this->authorize('view', $workspace);
$this->authorize('create', [Form::class, $workspace]);
$formData = $this->formCleaner
->processRequest($request)
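Review bot: `FormPolicy::create` now requires a `Workspace` argument, so any other call site that still authorizes `'create', Form::class` without one (a duplicate or template-import endpoint, if one exists outside this diff) will fail at runtime with an ArgumentCountError instead of a clean 403; grep for remaining `authorize('create', Form::class)` calls before merging. The ordering here also matters: `authorize('view', $workspace)` is what establishes membership, because the policy's `!isReadonlyUser()` check is satisfied by any user who simply has no readonly pivot row, members or not. I would keep the two `authorize` calls adjacent and add `// 'view' proves membership; 'create' only excludes the readonly role` so nobody reorders or drops the first one later. `store()`'s body continues past the hunk.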


@ -31,7 +31,7 @@ class WorkspaceUserController extends Controller
$this->validate($request, [
'email' => 'required|email',
'role' => 'required|in:admin,user',
'role' => 'required|in:' . implode(',', User::ROLES),
]);
$user = User::where('email', $request->email)->first();
@ -62,10 +62,11 @@ class WorkspaceUserController extends Controller
{
if (
UserInvite::where('email', $email)
->where('workspace_id', $workspace->id)
->notExpired()
->pending()
->exists()) {
->where('workspace_id', $workspace->id)
->notExpired()
->pending()
->exists()
) {
return $this->success([
'message' => 'User has already been invited.'
]);
@ -86,7 +87,7 @@ class WorkspaceUserController extends Controller
$this->authorize('adminAction', $workspace);
$this->validate($request, [
'role' => 'required|in:admin,user',
'role' => 'required|in:' . implode(',', User::ROLES),
]);
$workspace->users()->sync([
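Review bot: Nothing in the update path stops an admin from switching the last remaining admin of a workspace (including themselves) to `readonly` now that the `in:` rule accepts it, which would leave nobody who passes `adminAction`; if no such guard exists elsewhere, reject the change when the target is the only `ROLE_ADMIN` member, e.g. `abort_if($request->role !== User::ROLE_ADMIN && $workspace->users()->wherePivot('role', User::ROLE_ADMIN)->count() === 1 && $user->id === $targetUserId, 422, 'A workspace needs at least one admin.');` adapted to the variable names in the method. The validation change itself is fine and now has a single source of truth in `User::ROLES`. The update method's body (the `sync` call) continues past the hunk.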


@ -18,6 +18,7 @@ class WorkspaceResource extends JsonResource
{
return array_merge(parent::toArray($request), [
'max_file_size' => $this->max_file_size / 1000000,
'is_readonly' => $this->isReadonlyUser($request->user()),
]);
}
}
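Review bot: `is_readonly` issues a pivot query per serialized workspace, so returning this resource as a collection (the workspace list) costs one extra query per workspace; if the `users` relation is already loaded for the list, derive the flag from the loaded pivot instead, or memoize the lookup per request. The flag is also purely a UI hint — the server-side gate is the policies — and that is worth saying in a comment above the line: `// UI hint only; write access is enforced by the policies, not by this flag.`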


@ -21,6 +21,13 @@ class User extends Authenticatable implements JWTSubject
public const ROLE_ADMIN = 'admin';
public const ROLE_USER = 'user';
public const ROLE_READONLY = 'readonly';
public const ROLES = [
self::ROLE_ADMIN,
self::ROLE_USER,
self::ROLE_READONLY,
];
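Review bot: The new `ROLE_READONLY` and `ROLES` constants carry no documentation, and `ROLES` is now the value set used by the role validation rules in WorkspaceUserController, so a one-line docblock would help the next maintainer: `/** Workspace membership roles (pivot `role` column); ROLES is the closed set accepted by invite/role-update validation. */` above `ROLES`, and `/** Member may view the workspace but not create or change forms. */` above `ROLE_READONLY`.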
/**
* The attributes that are mass assignable.


@ -203,4 +203,12 @@ class Workspace extends Model implements CachableAttributes
{
return $this->hasMany(Form::class);
}
public function isReadonlyUser(?User $user)
{
return $user ? $this->users()
->wherePivot('user_id', $user->id)
->wherePivot('role', User::ROLE_READONLY)
->exists() : false;
}
}
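Review bot: `isReadonlyUser` returns `false` both for a null user and for a user who is not a member of the workspace at all, so its negation means "not known to be readonly", not "may write" — and `FormPolicy::create` uses exactly that negation as its only check. The method should say so, and declare its return type: `public function isReadonlyUser(?User $user): bool` with the docblock `/** True only when $user holds the readonly role on this workspace's pivot. False for non-members and for a null user, so do NOT use the negation as a write-permission check. */`.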


@ -4,6 +4,7 @@ namespace App\Policies;
use App\Models\Forms\Form;
use App\Models\User;
use App\Models\Workspace;
use Illuminate\Auth\Access\HandlesAuthorization;
class FormPolicy
@ -35,9 +36,17 @@ class FormPolicy
*
* @return mixed
*/
public function create(User $user)
public function create(User $user, Workspace $workspace)
{
return true;
return !$workspace->isReadonlyUser($user);
}
/**
* Determine whether the user can perform write operations on the model.
*/
private function canPerformWriteOperation(User $user, Form $form): bool
{
return $user->ownsForm($form) && !$form->workspace->isReadonlyUser($user);
}
/**
@ -47,7 +56,7 @@ class FormPolicy
*/
public function update(User $user, Form $form)
{
return $user->ownsForm($form);
return $this->canPerformWriteOperation($user, $form);
}
/**
@ -57,7 +66,7 @@ class FormPolicy
*/
public function delete(User $user, Form $form)
{
return $user->ownsForm($form);
return $this->canPerformWriteOperation($user, $form);
}
/**
@ -67,7 +76,7 @@ class FormPolicy
*/
public function restore(User $user, Form $form)
{
return $user->ownsForm($form);
return $this->canPerformWriteOperation($user, $form);
}
/**
@ -77,6 +86,6 @@ class FormPolicy
*/
public function forceDelete(User $user, Form $form)
{
return $user->ownsForm($form);
return $this->canPerformWriteOperation($user, $form);
}
}
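Review bot: `create()` grants access to every user who is not flagged readonly on the workspace, which includes users who are not members of it at all, because `isReadonlyUser` only reports a positive pivot match; today the controller's preceding `authorize('view', $workspace)` covers that, but the policy should be fail-closed on its own. Replace the body with a positive membership check, `return $workspace->users()->wherePivot('user_id', $user->id)->wherePivotIn('role', [User::ROLE_ADMIN, User::ROLE_USER])->exists();`, which denies non-members, null roles and readonly in one query. `canPerformWriteOperation` is fine as written since `ownsForm` presumably already implies membership, though it would be worth a comment saying that is what it relies on.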


@ -12,8 +12,6 @@ class TemplatePolicy
/**
* Determine whether the user can create models.
*
* @return \Illuminate\Auth\Access\Response|bool
*/
public function create(User $user)
{
@ -21,22 +19,20 @@ class TemplatePolicy
}
/**
* Determine whether the user can update the model.
*
* @return mixed
* Determine whether the user can perform write operations on the model.
*/
public function update(User $user, Template $template)
private function canPerformWriteOperation(User $user, Template $template): bool
{
return $user->admin || $user->template_editor || $template->creator_id === $user->id;
}
/**
* Determine whether the user can delete the model.
*
* @return mixed
*/
public function update(User $user, Template $template)
{
return $this->canPerformWriteOperation($user, $template);
}
public function delete(User $user, Template $template)
{
return $user->admin || $user->template_editor || $template->creator_id === $user->id;
return $this->canPerformWriteOperation($user, $template);
}
}
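Review bot: The refactor dropped the `@return` lines from the `create`, `update` and `delete` docblocks and `canPerformWriteOperation` deliberately does not consult the workspace readonly role, which a reader of a commit titled "Readonly User" will find surprising; a comment should make the intent explicit, e.g. `// Templates are owned per user (creator_id) rather than per workspace, so the workspace readonly role is intentionally not consulted here.` (assuming that is the intent — templates have no workspace relation in view). Restoring `@return bool` on the public methods, or adding native `: bool` return types as the private helper already has, would keep the class consistent.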


@ -29,6 +29,7 @@
</p>
</resizable-th>
<th
v-if="hasActions"
class="n-table-cell p-0 relative"
style="width: 100px"
>
@ -181,6 +182,8 @@ export default {
return {
workingFormStore,
form: storeToRefs(workingFormStore).content,
user: useAuthStore().user,
workspace: useWorkspacesStore().getCurrent,
}
},
@ -188,7 +191,6 @@ export default {
return {
tableHash: null,
skip: false,
hasActions: true,
internalColumns: [],
rafId: null,
fieldComponents: {
@ -213,6 +215,9 @@ export default {
},
computed: {
hasActions() {
return !this.workspace.is_readonly
},
formData() {
return [...this.data].sort((a, b) => new Date(b.created_at) - new Date(a.created_at))
}
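Review bot: `workspace: useWorkspacesStore().getCurrent` in `setup()` reads the getter's value once, so `hasActions` sees a snapshot: if the current workspace is not loaded yet it is `undefined` and `this.workspace.is_readonly` throws, and if the user switches workspace the actions column will not update. Return a reactive reference instead, `workspace: computed(() => useWorkspacesStore().getCurrent),` (import `computed` from vue if it isn't already), and guard the read: `return !this.workspace?.is_readonly`. The `user` entry added on the line above has the same snapshot issue if anything reacts to it.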


@ -48,7 +48,8 @@ const workspacesStore = useWorkspacesStore()
const roleOptions = [
{name: "User", value: "user"},
{name: "Admin", value: "admin"}
{name: "Admin", value: "admin"},
{name: "Read Only", value: "readonly"}
]
const newUser = ref("")


@ -18,7 +18,8 @@
:label="'New Role for '+props.user.name"
:options="[
{ name: 'User', value: 'user' },
{ name: 'Admin', value: 'admin' }
{ name: 'Admin', value: 'admin' },
{ name: 'Read Only', value: 'readonly' },
]"
option-key="value"
display-key="name"


@ -24,6 +24,7 @@
/>
<select-input
v-if="!disableEmail"
name="hear_about_us"
:options="hearAboutUsOptions"
:form="form"
@ -169,6 +170,7 @@ export default {
form: useForm({
name: "",
email: "",
hear_about_us: "",
password: "",
password_confirmation: "",
agree_terms: false,
@ -216,6 +218,7 @@ export default {
if (this.$route.query?.invite_token) {
if (this.$route.query?.email) {
this.form.email = this.$route.query?.email
this.form.hear_about_us = 'invite'
this.disableEmail = true
}
this.form.invite_token = this.$route.query?.invite_token


@ -1,12 +1,15 @@
<template>
<div v-if="form">
<div v-if="form">
<div
v-if="loadingDuplicate || loadingDelete"
class="pr-4 pt-2"
>
<Loader class="h-6 w-6 mx-auto" />
</div>
<UDropdown v-else :items="items">
<UDropdown
v-else
:items="items"
>
<v-button
color="white"
>
@ -99,6 +102,7 @@ const authStore = useAuthStore()
const formsStore = useFormsStore()
const formEndpoint = "/open/forms/{id}"
const user = computed(() => authStore.user)
const workspace = computed(() => useWorkspacesStore().getCurrent)
const loadingDuplicate = ref(false)
const loadingDelete = ref(false)
@ -128,8 +132,9 @@ const items = computed(() => {
}
}] : []
],
[
...props.isMainPage ? [{
...workspace.value.is_readonly ? [] : [
[
...props.isMainPage ? [{
label: 'Edit',
icon: 'i-heroicons-pencil-square-20-solid',
to: { name: 'forms-slug-edit', params: { slug: props.form.slug } }
@ -166,6 +171,7 @@ const items = computed(() => {
class: 'text-red-800 hover:bg-red-50 hover:text-red-600 group',
iconClass: 'text-red-900 group-hover:text-red-800'
}
]
]
].filter((group) => group.length > 0)
})
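Review bot: `workspace.value.is_readonly` inside the `items` computed will throw if the computed runs before the workspaces store has a current workspace (the `v-if="form"` guard only covers the form), taking the whole dropdown down with it; use `...workspace.value?.is_readonly ? [] : [` so an unloaded workspace degrades to showing the default items. Hiding the Edit/Delete entries is only a UI nicety — the server-side `FormPolicy` is what actually stops a readonly member, so a short comment `// UI-only; FormPolicy enforces readonly server-side` on the spread would stop someone from treating this as the access control.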


@ -5,6 +5,7 @@
Workspace Members
</h4>
<UButton
v-if="!workspace.is_readonly"
label="Invite User"
icon="i-heroicons-user-plus-20-solid"
:loading="loading"


@ -32,6 +32,7 @@
</h2>
<div class="flex">
<extra-menu
v-if="!workspace.is_readonly"
class="mr-2"
:form="form"
/>
@ -98,6 +99,7 @@
</svg>
</v-button>
<v-button
v-if="!workspace.is_readonly"
class="text-white"
:to="{ name: 'forms-slug-edit', params: { slug: slug } }"
>
@ -253,6 +255,7 @@ const slug = useRoute().params.slug
formsStore.startLoading()
const form = computed(() => formsStore.getByKey(slug))
const workspace = computed(() => workspacesStore.getCurrent)
const loading = computed(() => formsStore.loading || workspacesStore.loading)
const displayClosesDate = computed(() => {
@ -279,11 +282,13 @@ const tabsList = [
route: "forms-slug-show-submissions",
params: { 'slug': slug }
},
{
name: "Integrations",
route: "forms-slug-show-integrations",
params: { 'slug': slug }
},
...workspace.value.is_readonly ? [] : [
{
name: "Integrations",
route: "forms-slug-show-integrations",
params: { 'slug': slug }
},
],
{
name: "Analytics",
route: "forms-slug-show-stats",
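Review bot: `tabsList` is a plain array built once at setup, so `workspace.value.is_readonly` is evaluated a single time — before the store has necessarily loaded (the `loading` computed on the same page watches `workspacesStore.loading`), at which point `workspace.value` can be `undefined` and the expression throws, and once loaded the Integrations tab never reappears or disappears. Make it reactive: `const tabsList = computed(() => [` … `])` with `...workspace.value?.is_readonly ? [] : [`; the template consuming it will unwrap the computed. The `tabsList` statement continues past the hunk.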


@ -3,6 +3,7 @@
<div class="mb-20">
<div class="mb-6 pb-6 border-b w-full flex flex-col sm:flex-row gap-2">
<regenerate-form-link
v-if="!workspace.is_readonly"
class="sm:w-1/2 flex"
:form="props.form"
/>
@ -54,6 +55,8 @@ import RegenerateFormLink from "~/components/pages/forms/show/RegenerateFormLink
import AdvancedFormUrlSettings from "~/components/open/forms/components/AdvancedFormUrlSettings.vue"
import EmbedFormAsPopupModal from "~/components/pages/forms/show/EmbedFormAsPopupModal.vue"
const workspace = computed(() => useWorkspacesStore().getCurrent)
const props = defineProps({
form: { type: Object, required: true },
})


@ -8,6 +8,7 @@
Your Forms
</h2>
<v-button
v-if="!workspace.is_readonly"
v-track.create_form_click
:to="{ name: 'forms-create' }"
>
@ -86,7 +87,7 @@
again.
</div>
<v-button
v-if="forms.length === 0"
v-if="!workspace.is_readonly && forms.length === 0"
v-track.create_form_click
class="mt-4"
:to="{ name: 'forms-create' }"


@ -56,6 +56,7 @@ useOpnSeoMeta({
const authStore = useAuthStore()
const user = computed(() => authStore.user)
const workspace = computed(() => useWorkspacesStore().getCurrent)
const tabsList = computed(() => {
const tabs = [
{
@ -66,14 +67,16 @@ const tabsList = computed(() => {
name: "Workspace Settings",
route: "settings-workspace",
},
{
name: "Access Tokens",
route: "settings-access-tokens",
},
{
name: "Connections",
route: "settings-connections",
},
...workspace.value.is_readonly ? [] : [
{
name: "Access Tokens",
route: "settings-access-tokens",
},
{
name: "Connections",
route: "settings-connections",
},
],
{
name: "Password",
route: "settings-password",
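Review bot: Hiding the Access Tokens and Connections tabs for a readonly member is not access control — the routes and their API endpoints remain reachable by URL or direct request, and the only server-side changes in this commit are to `FormPolicy` and `TemplatePolicy`, so whatever gates token creation, connections, integrations and workspace settings for a readonly member must already exist elsewhere or is missing. Please confirm those endpoints consult the workspace role (or consciously decide readonly members may hold their own tokens) and add a comment here such as `// Cosmetic only; the corresponding endpoints must enforce the readonly role themselves.`. The `tabs` array continues past the hunk.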


@ -9,8 +9,10 @@
You can switch to another workspace in top left corner of the page.</small>
</div>
<div class="w-full flex flex-wrap gap-2">
<WorkSpaceCustomDomains v-if="useFeatureFlag('custom_domains') && !loading" />
<WorkSpaceEmailSettings v-if="!loading" />
<template v-if="!workspace.is_readonly">
<WorkSpaceCustomDomains v-if="useFeatureFlag('custom_domains') && !loading" />
<WorkSpaceEmailSettings v-if="!loading" />
</template>
<UButton
label="New Workspace"
icon="i-heroicons-plus"
@ -95,12 +97,10 @@
</template>
<script setup>
import {watch, ref} from "vue"
import {fetchAllWorkspaces} from "~/stores/workspaces.js"
const crisp = useCrisp()
const workspacesStore = useWorkspacesStore()
const workspaces = computed(() => workspacesStore.getAll)
const workspace = computed(() => workspacesStore.getCurrent)
const loading = computed(() => workspacesStore.loading)
useOpnSeoMeta({
@ -116,8 +116,6 @@ const form = useForm({
})
const workspaceModal = ref(false)
const workspace = computed(() => workspacesStore.getCurrent)
onMounted(() => {
fetchAllWorkspaces()
})