working - need to do components, dashboard, and restrict updating fie…

…lds on objects based on roles

app/controllers/admin_controller.rb

@@ -2,14 +2,15 @@
 require 'zip'
 
 class AdminController < ApplicationController
- before_filter :require_admin_permissions, except: [:canvas,:login,:logout,:authenticate]
+ before_filter :require_admin_permissions, only: [:search]
+ before_filter :require_organization_admin_permissions, except: [:canvas,:login,:logout,:authenticate]
  before_filter :require_audit_role, only: [:canvas]
  before_filter :get_organizations, only: [:search,:canvas_accounts,:canvas_courses]
 
  def login
  @organization = find_org_by_path params[:slug]
 
- if @organization and @organization[:lms_authentication_source]
+ if @organization and @organization[:lms_authentication_source] != ""
  redirect_to oauth2_login_path
  else
  render action: :login, layout: false
@@ -41,7 +42,9 @@ def authenticate
  return render action: :login, layout: false
  end
 
- return redirect_to admin_organizations
+ session[:authenticated_user] = user.id
+
+ return redirect_to admin_path
  end
 
  def archive

app/controllers/admin_users_controller.rb

@@ -1,4 +1,5 @@
 class AdminUsersController < AdminController
+ before_filter :require_admin_permissions
  before_filter :get_organizations, only: [:index, :new, :edit, :show, :edit_assignment]
 
  def index

app/controllers/organizations_controller.rb

@@ -1,4 +1,6 @@
 class OrganizationsController < AdminController
+ before_filter :require_admin_permissions, only: [:new, :create, :destroy]
+ before_filter :require_organization_admin_permissions, except: [:new, :create, :destroy]
  before_filter :get_organizations, only: [:index, :new, :edit, :show]
  layout 'admin'
  def index

app/helpers/application_helper.rb

@@ -58,6 +58,30 @@ def get_view_folder(org)
  end
 
  def require_admin_permissions
+ check_for_admin_password
+
+ unless has_role 'admin'
+ return redirect_or_error
+ end
+ end
+
+ def require_organization_admin_permissions
+ check_for_admin_password
+
+ unless has_role 'organization_admin'
+ return redirect_or_error
+ end
+ end
+
+ def redirect_or_error
+ if session[:authenticated_user]
+ return render :file => "public/401.html", :status => :unauthorized, :layout => false
+ else
+ return redirect_to admin_login_path
+ end
+ end
+
+ def check_for_admin_password
  # if there is no admin password set up for the server and we are in the development
  # or test environment, bypass the securtiy check
  if params[:admin_off] == "true"
@@ -67,31 +91,34 @@ def require_admin_permissions
  elsif params[:admin_password] && params[:admin_password] != ''
  session[:admin_authorized] = params[:admin_password] == APP_CONFIG['admin_password']
  end
-
- if !has_role 'organization_admin'
- redirect_to admin_login_path, status: 401
- end
  end
 
  def has_role role, org=nil
- org = find_org_by_path request.env['SERVER_NAME'] unless org
+ unless org
+ if params[:slug]
+ org = find_org_by_path params[:slug]
+ else
+ org = find_org_by_path request.env['SERVER_NAME']
+ end
+ end
 
  result = false
 
  # # if they are authorized as an admin, let them in
  if session[:admin_authorized] == true
  result = true
- elsif session[:lms_authenticated_user]
- if org[:lms_authentication_source] == session[:oauth_endpoint]
+ elsif org && (session[:lms_authenticated_user] != nil || session[:authenticated_user] != nil)
+ if org[:lms_authentication_source] && org[:lms_authentication_source] == session[:oauth_endpoint]
  username = session[:lms_authenticated_user]['id'].to_s
-
  user_assignments = UserAssignment.where organization_id: org[:id], username: username
+ else
+ user_assignments = UserAssignment.where organization_id: org[:id], user_id: session[:authenticated_user]
+ end
 
- if user_assignments.count > 0
- user_assignments.each do |ua|
- if ua[:role] == role or ua[:role] = 'admin'
- result = true
- end
+ if user_assignments.count > 0
+ user_assignments.each do |ua|
+ if ua[:role] == role or ua[:role] == 'admin'
+ result = true
  end
  end
  end
@@ -104,9 +131,13 @@ def get_organizations
  # only show orgs that the logged in use should see
  unless session[:admin_authorized]
  # load all orgs that the user has a cascade == true assignment
- user = UserAssignment.find_by_username(
- session[:lms_authenticated_user]['id'].to_s
- ).user
+ if session[:lms_authenticated_user]
+ user = UserAssignment.find_by_username(
+ session[:lms_authenticated_user]['id'].to_s
+ ).user
+ elsif session[:authenticated_user]
+ user = User.find session[:authenticated_user]
+ end
 
  cascade_permissions = user.user_assignments.where(cascades: true)
  cascade_organizations = Organization.where(id: cascade_permissions.map(&:organization_id))

app/views/admin_documents/edit.html.erb

@@ -10,7 +10,7 @@
  <div class="form-group">
  <%= f.label :organization_id, class: "control-label" %>
  <div class="controls">
- <%= f.select(:organization_id, Organization.where.not(id: params[:id]).order('lft', 'rgt').collect { |org| [ (org.parent && org.parent.parent ? org.parent.parent.name + ' » ' : '') + (org.parent ? org.parent.name + ' » ' : '') + org.name, org.id ] }, {include_blank: true}, {class: 'form-control'}) %></p>
+ <%= f.select(:organization_id, @organizations.collect { |org| [ (org.parent && org.parent.parent ? org.parent.parent.name + ' » ' : '') + (org.parent ? org.parent.name + ' » ' : '') + org.name, org.id ] }, {include_blank: true}, {class: 'form-control'}) %></p>
  </div>
  </div>
 
@@ -25,4 +25,4 @@
  <%= f.submit class: 'btn btn-default' %>
 </div>
 
-<% end %>
+<% end %>

app/views/admin_users/_edit_permission.erb

@@ -39,7 +39,7 @@
  </td>
  <td>
  <% if @organizations %>
- <%= f.select(:organization_id, @organizations.roots.collect {|o| [ o.name + ' (' + o.slug + ')', o.id ] }, include_blank: true) %>
+ <%= f.select(:organization_id, @organizations.collect {|o| [ o.name + ' (' + o.slug + ')', o.id ] }, include_blank: true) %>
  <% else %>
  You don't seem to belong to any organizations... contact your admin to fix this.
  <% end %>

db/schema.rb

@@ -17,10 +17,10 @@
  enable_extension "plpgsql"
 
  create_table "components", force: true do |t|
- t.string "name"
- t.string "slug"
+ t.string "name", limit: nil
+ t.string "slug", limit: nil
  t.text "description"
- t.string "category"
+ t.string "category", limit: nil
  t.integer "organization_id"
  t.text "css"
  t.text "js"
@@ -46,29 +46,29 @@
 
  create_table "document_meta", force: true do |t|
  t.integer "document_id"
- t.string "key"
- t.string "value"
- t.string "lms_organization_id"
- t.string "lms_course_id"
+ t.string "key", limit: nil
+ t.string "value", limit: nil
+ t.string "lms_organization_id", limit: nil
+ t.string "lms_course_id", limit: nil
  t.integer "root_organization_id"
  t.datetime "created_at"
  t.datetime "updated_at"
  end
 
  create_table "documents", force: true do |t|
- t.string "name"
- t.string "edit_id"
- t.string "view_id"
+ t.string "name", limit: nil
+ t.string "edit_id", limit: nil
+ t.string "view_id", limit: nil
  t.text "payload"
  t.datetime "created_at"
  t.datetime "updated_at"
- t.string "template_id"
+ t.string "template_id", limit: nil
  t.integer "organization_id"
- t.string "lms_course_id"
+ t.string "lms_course_id", limit: nil
  t.datetime "lms_published_at"
  t.integer "component_id"
  t.integer "component_version"
- t.string "term_id"
+ t.string "term_id", limit: nil
  end
 
  add_index "documents", ["component_id"], name: "index_documents_on_component_id", using: :btree
@@ -81,31 +81,31 @@
 
  create_table "organization_meta", force: true do |t|
  t.integer "organization_id"
- t.string "key"
- t.string "value"
- t.string "lms_organization_id"
+ t.string "key", limit: nil
+ t.string "value", limit: nil
+ t.string "lms_organization_id", limit: nil
  t.integer "root_id"
  t.datetime "created_at"
  t.datetime "updated_at"
  end
 
  create_table "organizations", force: true do |t|
- t.string "name"
- t.string "slug"
+ t.string "name", limit: nil
+ t.string "slug", limit: nil
  t.integer "parent_id"
  t.integer "lft"
  t.integer "rgt"
  t.integer "depth"
  t.datetime "created_at"
  t.datetime "updated_at"
- t.string "lms_authentication_source"
- t.string "lms_authentication_id"
- t.string "lms_authentication_key"
- t.string "lms_info_slug"
- t.string "lms_id"
+ t.string "lms_authentication_source", limit: nil
+ t.string "lms_authentication_id", limit: nil
+ t.string "lms_authentication_key", limit: nil
+ t.string "lms_info_slug", limit: nil
+ t.string "lms_id", limit: nil
  t.datetime "dashboard_start_at"
  t.datetime "dashboard_end_at"
- t.string "home_page_redirect"
+ t.string "home_page_redirect", limit: nil
  t.json "default_account_filter"
  end
 
@@ -139,7 +139,7 @@
  add_index "report_archives", ["organization_id"], name: "index_report_archives_on_organization_id", using: :btree
 
  create_table "templates", force: true do |t|
- t.string "slug"
+ t.string "slug", limit: nil
  t.text "payload"
  t.integer "organization_id"
  t.datetime "created_at"
@@ -149,12 +149,12 @@
  add_index "templates", ["slug", "organization_id"], name: "index_templates_on_slug_and_organization_id", unique: true, using: :btree
 
  create_table "terms", force: true do |t|
- t.string "slug"
- t.string "name"
+ t.string "slug", limit: nil
+ t.string "name", limit: nil
  t.integer "organization_id"
  t.datetime "start_date"
  t.integer "duration"
- t.string "cycle"
+ t.string "cycle", limit: nil
  t.integer "sequence"
  t.boolean "is_default"
  t.datetime "created_at"
@@ -166,18 +166,18 @@
  create_table "user_assignments", force: true do |t|
  t.integer "user_id"
  t.integer "organization_id"
- t.string "username"
+ t.string "username", limit: nil
  t.boolean "cascades"
- t.string "role"
+ t.string "role", limit: nil
  end
 
  add_index "user_assignments", ["username", "organization_id"], name: "index_user_assignments_on_username_and_organization_id", unique: true, using: :btree
 
  create_table "users", force: true do |t|
- t.string "name"
+ t.string "name", limit: nil
  t.datetime "created_at"
  t.datetime "updated_at"
- t.string "email"
+ t.string "email", limit: nil
  t.string "password_digest"
  t.string "remember_digest"
  t.string "activation_digest"
@@ -191,14 +191,14 @@
 
  create_table "versions", force: true do |t|
  t.integer "versioned_id"
- t.string "versioned_type"
+ t.string "versioned_type", limit: nil
  t.integer "user_id"
- t.string "user_type"
- t.string "user_name"
+ t.string "user_type", limit: nil
+ t.string "user_name", limit: nil
  t.text "modifications"
  t.integer "number"
  t.integer "reverted_from"
- t.string "tag"
+ t.string "tag", limit: nil
  t.datetime "created_at"
  t.datetime "updated_at"
  end

public/401.html

@@ -0,0 +1,57 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>The page you were looking for doesn't exist (404)</title>
+ <style>
+ body {
+ background-color: #EFEFEF;
+ color: #2E2F30;
+ text-align: center;
+ font-family: arial, sans-serif;
+ }
+
+ div.dialog {
+ width: 25em;
+ margin: 4em auto 0 auto;
+ border: 1px solid #CCC;
+ border-right-color: #999;
+ border-left-color: #999;
+ border-bottom-color: #BBB;
+ border-top: #B00100 solid 4px;
+ border-top-left-radius: 9px;
+ border-top-right-radius: 9px;
+ background-color: white;
+ padding: 7px 4em 0 4em;
+ }
+
+ h1 {
+ font-size: 100%;
+ color: #730E15;
+ line-height: 1.5em;
+ }
+
+ body > p {
+ width: 33em;
+ margin: 0 auto 1em;
+ padding: 1em 0;
+ background-color: #F7F7F7;
+ border: 1px solid #CCC;
+ border-right-color: #999;
+ border-bottom-color: #999;
+ border-bottom-left-radius: 4px;
+ border-bottom-right-radius: 4px;
+ border-top-color: #DADADA;
+ color: #666;
+ box-shadow:0 3px 8px rgba(50, 50, 50, 0.17);
+ }
+ </style>
+</head>
+
+<body>
+ <!-- This file lives in public/404.html -->
+ <div class="dialog">
+ <h1>You do not have sufficient permissions to do this action.</h1>
+ <p>You may have mistyped the address or the page may have moved.</p>
+ </div>
+</body>
+</html>