Adding security to custom plugin via the :authorize hook

Added by Todd Nine over 9 years ago

Hi all,
I've written a plugin via the engines framework to allow users with a given role to prioritize top-level projects. As a result, I've had to override the project/list route in order to add the link to allow a user to reorder. I want to add a role "edit priority". However, when I do this via my init.rb and add the :authorize to the before filter, the role is based on a per-project basis. How can I add a role globally via the plugin mechanism?

Thanks,
Todd

init.rb

require 'redmine'

RAILS_DEFAULT_LOGGER.info 'Starting Project Rank plugin for Redmine'

Redmine::Plugin.register "project_rank_plugin" do
  name 'Project Rank Plugin'
  author 'Todd Nine of ON Web Consulting'
  description 'This is a plugin for Redmine that will allow projects to be ordered by priority'
  version '0.0.1'

  # This plugin adds a project module
  # It can be enabled/disabled at project level (Project settings -> Modules)
  project_module :rank_module do
    # This permission has to be explicitly given
    # It will be listed on the permissions screen
    permission :edit_priority, {:project_rank => [:order]}
  end

end

project_rank_controller.rb

class ProjectRankController < ApplicationController
  layout 'base'
  before_filter :authorize
...
end

Replies (3)

RE: Adding security to custom plugin via the :authorize hook - Added by Jean-Philippe Lang over 9 years ago

Currently, roles and permissions are defined at project level only.
It would be nice to have global permissions too to allow users to create projects or manage users for example. But it's not supported now.

RE: Adding security to custom plugin via the :authorize hook - Added by Todd Nine over 9 years ago

As a workaround, could I simply require that they have a role such as "Project Manager" and state that in my documentation? I don't want to touch the core code, as it makes upgrades a nightmare, and would make my plugin difficult to distribute. Also, while I can pick your brain, I wanted to add the link "Prioritize Projects" to the projects/list view. The only way I could figure out how to do it with the engines was to basically copy your list action code from the project controller and copy the view, then override the routes for "project/list" and "project". Does Engines provide a decorator where I could insert the link into the existing view without having to duplicate/copy the action and view?

Thanks,
Todd

RE: Adding security to custom plugin via the :authorize hook - Added by Jean-Philippe Lang over 9 years ago

That's a good solution. But you cannot use the standard 'authorize' filter since it works at project level.
You need something like this:

def global_authorize
  User.current.memberships.detect {|m| m.role.position == 1}
end

Concerning view customization, I'm afraid there's no easier way than duplicate/copy. In the future, I'll try to make every page menu (links that are displayed in the right-upper corner) customizable.
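
A runnable sketch of the global check discussed in this thread, added here as an example and not code from Redmine or from the plugin. It uses stand-in structs instead of Redmine's models; the class RankControllerSketch, the sample roles and the sample users are hypothetical, and it matches on the :edit_priority permission rather than on role position. A lookup that finds nothing returns nil, so the filter in this sketch sets a 403 itself.

```ruby
# Stand-in models, constructed for this example (not Redmine's ActiveRecord classes).
Role       = Struct.new(:name, :position, :permissions)
Membership = Struct.new(:project, :role)
User       = Struct.new(:login, :memberships)

# Hypothetical controller stand-in: a filter denies by setting a 403 status.
class RankControllerSketch
  attr_reader :status

  def initialize(user, required_permission = :edit_priority)
    @user = user
    @required = required_permission
    @status = nil
  end

  # Global check: true if ANY membership, in any project, grants the permission.
  # Matching on the permission does not depend on how roles happen to be ordered.
  def global_authorize
    granted = @user.memberships.any? { |m| m.role.permissions.include?(@required) }
    @status = 403 unless granted # deny explicitly; do not rely on a nil return
    granted
  end

  # The guarded action: runs only when the filter passed.
  def order
    return @status unless global_authorize
    @status = 200
  end
end

# Constructed sample roles.
MANAGER  = Role.new('Project Manager', 1, [:edit_priority, :manage_members])
REPORTER = Role.new('Reporter', 3, [:add_issues])

# Runs the guarded action for three constructed users and returns login => status.
def demo_statuses
  alice = User.new('alice', [Membership.new('alpha', REPORTER),
                             Membership.new('beta', MANAGER)])
  bob   = User.new('bob', [Membership.new('alpha', REPORTER)])
  carol = User.new('carol', []) # no memberships at all
  [alice, bob, carol].map { |u| [u.login, RankControllerSketch.new(u).order] }.to_h
end

puts demo_statuses.inspect if __FILE__ == $PROGRAM_NAME
```
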
