Add customizable user roles (#18641)

* Add customizable user roles * Various fixes and improvements * Add migration for old settings and fix tootctl role management
2022-07-05 02:41:40 +02:00 · 2022-07-05 02:41:40 +02:00 · 44b2ee3485
commit 44b2ee3485
parent 1b4054256f
187 changed files with 1945 additions and 1032 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -37,6 +37,7 @@
 #  sign_in_token_sent_at     :datetime
 #  webauthn_id               :string
 #  sign_up_ip                :inet
+#  role_id                   :bigint(8)
 #

 class User < ApplicationRecord
@ -50,7 +51,6 @@ class User < ApplicationRecord
  )

  include Settings::Extend
-  include UserRoles
  include Redisable
  include LanguagesHelper

@ -79,6 +79,7 @@ class User < ApplicationRecord
  belongs_to :account, inverse_of: :user
  belongs_to :invite, counter_cache: :uses, optional: true
  belongs_to :created_by_application, class_name: 'Doorkeeper::Application', optional: true
+  belongs_to :role, class_name: 'UserRole', optional: true
  accepts_nested_attributes_for :account

  has_many :applications, class_name: 'Doorkeeper::Application', as: :owner
@ -103,6 +104,7 @@ class User < ApplicationRecord
  validates_with RegistrationFormTimeValidator, on: :create
  validates :website, absence: true, on: :create
  validates :confirm_password, absence: true, on: :create
+  validate :validate_role_elevation

  scope :recent, -> { order(id: :desc) }
  scope :pending, -> { where(approved: false) }
@ -117,6 +119,7 @@ class User < ApplicationRecord
  scope :emailable, -> { confirmed.enabled.joins(:account).merge(Account.searchable) }

  before_validation :sanitize_languages
+  before_validation :sanitize_role
  before_create :set_approved
  after_commit :send_pending_devise_notifications
  after_create_commit :trigger_webhooks
@ -135,8 +138,28 @@ class User < ApplicationRecord
           :disable_swiping, :always_send_emails,
           to: :settings, prefix: :setting, allow_nil: false

+  delegate :can?, to: :role
+
  attr_reader :invite_code
-  attr_writer :external, :bypass_invite_request_check
+  attr_writer :external, :bypass_invite_request_check, :current_account
+
+  def self.those_who_can(*any_of_privileges)
+    matching_role_ids = UserRole.that_can(*any_of_privileges).map(&:id)
+
+    if matching_role_ids.empty?
+      none
+    else
+      where(role_id: matching_role_ids)
+    end
+  end
+
+  def role
+    if role_id.nil?
+      UserRole.everyone
+    else
+      super
+    end
+  end

  def confirmed?
    confirmed_at.present?
@ -441,6 +464,11 @@ class User < ApplicationRecord
    self.chosen_languages = nil if chosen_languages.empty?
  end

+  def sanitize_role
+    return if role.nil?
+    self.role = nil if role.everyone?
+  end
+
  def prepare_new_user!
    BootstrapTimelineWorker.perform_async(account_id)
    ActivityTracker.increment('activity:accounts:local')
@ -453,7 +481,7 @@ class User < ApplicationRecord
  end

  def notify_staff_about_pending_account!
-    User.staff.includes(:account).find_each do |u|
+    User.those_who_can(:manage_users).includes(:account).find_each do |u|
      next unless u.allows_pending_account_emails?
      AdminMailer.new_pending_account(u.account, self).deliver_later
    end
@ -471,6 +499,10 @@ class User < ApplicationRecord
    email_changed? && !external? && !(Rails.env.test? || Rails.env.development?)
  end

+  def validate_role_elevation
+    errors.add(:role_id, :elevated) if defined?(@current_account) && role&.overrides?(@current_account&.user_role)
+  end
+
  def invite_text_required?
    Setting.require_invite_text && !invited? && !external? && !bypass_invite_request_check?
  end