175 lines
5.1 KiB
Ruby
175 lines
5.1 KiB
Ruby
#
|
|
# Copyright (C) 2011 Instructure, Inc.
|
|
#
|
|
# This file is part of Canvas.
|
|
#
|
|
# Canvas is free software: you can redistribute it and/or modify it under
|
|
# the terms of the GNU Affero General Public License as published by the Free
|
|
# Software Foundation, version 3 of the License.
|
|
#
|
|
# Canvas is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
|
|
# A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
|
|
# details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License along
|
|
# with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
class AccountUser < ActiveRecord::Base
|
|
belongs_to :account
|
|
belongs_to :user
|
|
belongs_to :role
|
|
include Role::AssociationHelper
|
|
|
|
has_many :role_overrides, :as => :context
|
|
has_a_broadcast_policy
|
|
before_validation :infer_defaults
|
|
after_save :touch_user
|
|
after_destroy :touch_user
|
|
after_save :update_account_associations_if_changed
|
|
after_destroy :update_account_associations_later
|
|
attr_accessible :account, :user, :role
|
|
|
|
validate :valid_role?
|
|
|
|
EXPORTABLE_ATTRIBUTES = [:id, :account_id, :user_id, :role_id, :created_at, :updated_at]
|
|
|
|
EXPORTABLE_ASSOCIATIONS = [:account, :user]
|
|
|
|
validates_presence_of :account_id, :user_id, :role_id
|
|
|
|
alias_method :context, :account
|
|
|
|
|
|
|
|
def update_account_associations_if_changed
|
|
if (self.account_id_changed? || self.user_id_changed?)
|
|
if self.new_record?
|
|
return if %w{creation_pending deleted}.include?(self.user.workflow_state)
|
|
account_chain = self.account.account_chain
|
|
associations = {}
|
|
account_chain.each_with_index { |account, idx| associations[account.id] = idx }
|
|
self.user.update_account_associations(:incremental => true, :precalculated_associations => associations)
|
|
else
|
|
self.user.update_account_associations_later
|
|
end
|
|
end
|
|
end
|
|
|
|
def update_account_associations_later
|
|
self.user.update_account_associations_later
|
|
end
|
|
|
|
def infer_defaults
|
|
self.role ||= Role.get_built_in_role('AccountAdmin')
|
|
end
|
|
|
|
def valid_role?
|
|
return true if role.built_in?
|
|
|
|
unless role.account_role?
|
|
self.errors.add(:role_id, "is not a valid account role")
|
|
end
|
|
|
|
unless self.account.valid_role?(role)
|
|
self.errors.add(:role_id, "is not an available role for this account")
|
|
end
|
|
end
|
|
|
|
set_broadcast_policy do |p|
|
|
p.dispatch :new_account_user
|
|
p.to {|record| record.account.users}
|
|
p.whenever {|record| record.just_created }
|
|
|
|
p.dispatch :account_user_registration
|
|
p.to {|record| record.user }
|
|
p.whenever {|record| @account_user_registration }
|
|
|
|
p.dispatch :account_user_notification
|
|
p.to {|record| record.user }
|
|
p.whenever {|record| @account_user_notification }
|
|
end
|
|
|
|
set_policy do
|
|
given { |user| self.account.grants_right?(user, :manage_account_memberships) && is_subset_of?(user) }
|
|
can :create and can :destroy
|
|
end
|
|
|
|
def readable_type
|
|
AccountUser.readable_type(self.role.name)
|
|
end
|
|
|
|
def account_user_registration!
|
|
@account_user_registration = true
|
|
self.save!
|
|
@account_user_registration = false
|
|
end
|
|
|
|
def account_user_notification!
|
|
@account_user_notification = true
|
|
self.save!
|
|
@account_user_notification = false
|
|
end
|
|
|
|
def enabled_for?(context, action)
|
|
@permission_lookup ||= {}
|
|
@permission_lookup[[context.class, context.global_id, action]] ||= RoleOverride.enabled_for?(context, action, self.role, self.account)
|
|
end
|
|
|
|
def has_permission_to?(context, action)
|
|
enabled_for?(context, action).include?(:self)
|
|
end
|
|
|
|
def self.all_permissions_for(user, account)
|
|
account_users = account.account_users_for(user)
|
|
result = {}
|
|
account_users.each do |account_user|
|
|
RoleOverride.permissions.keys.each do |permission|
|
|
result[permission] ||= []
|
|
result[permission] |= account_user.enabled_for?(account, permission)
|
|
end
|
|
end
|
|
result
|
|
end
|
|
|
|
def is_subset_of?(user)
|
|
needed_permissions = RoleOverride.manageable_permissions(account).keys.inject({}) do |result, permission|
|
|
result[permission] = enabled_for?(account, permission)
|
|
result
|
|
end
|
|
target_permissions = AccountUser.all_permissions_for(user, account)
|
|
needed_permissions.all? do |(permission, needed_permission)|
|
|
next true unless needed_permission.present?
|
|
target_permission = target_permissions[permission]
|
|
next false unless target_permission.present?
|
|
(needed_permission - target_permission).empty?
|
|
end
|
|
end
|
|
|
|
def self.readable_type(type)
|
|
if type == 'AccountAdmin' || !type || type.empty?
|
|
t('types.account_admin', "Account Admin")
|
|
else
|
|
type
|
|
end
|
|
end
|
|
|
|
def self.any_for?(user)
|
|
!account_ids_for_user(user).empty?
|
|
end
|
|
|
|
def self.account_ids_for_user(user)
|
|
@account_ids_for ||= {}
|
|
@account_ids_for[user.id] ||= Rails.cache.fetch(['account_ids_for_user', user].cache_key) do
|
|
AccountUser.for_user(user).map(&:account_id)
|
|
end
|
|
end
|
|
|
|
def self.for_user_and_account?(user, account_id)
|
|
account_ids_for_user(user).include?(account_id)
|
|
end
|
|
|
|
scope :for_user, lambda { |user| where(:user_id => user) }
|
|
end
|