Add customizable user roles (#18641)

* Add customizable user roles * Various fixes and improvements * Add migration for old settings and fix tootctl role management
2022-07-05 02:41:40 +02:00 · 2022-07-05 02:41:40 +02:00 · 44b2ee3485
commit 44b2ee3485
parent 1b4054256f
187 changed files with 1945 additions and 1032 deletions
--- a/db/migrate/20220611210335_create_user_roles.rb
+++ b/db/migrate/20220611210335_create_user_roles.rb
@ -0,0 +1,13 @@
+class CreateUserRoles < ActiveRecord::Migration[6.1]
+  def change
+    create_table :user_roles do |t|
+      t.string :name, null: false, default: ''
+      t.string :color, null: false, default: ''
+      t.integer :position, null: false, default: 0
+      t.bigint :permissions, null: false, default: 0
+      t.boolean :highlighted, null: false, default: false
+
+      t.timestamps
+    end
+  end
+end
--- a/db/migrate/20220611212541_add_role_id_to_users.rb
+++ b/db/migrate/20220611212541_add_role_id_to_users.rb
@ -0,0 +1,8 @@
+class AddRoleIdToUsers < ActiveRecord::Migration[6.1]
+  disable_ddl_transaction!
+
+  def change
+    safety_assured { add_reference :users, :role, foreign_key: { to_table: 'user_roles', on_delete: :nullify }, index: false }
+    add_index :users, :role_id, algorithm: :concurrently, where: 'role_id IS NOT NULL'
+  end
+end
--- a/db/post_migrate/20220617202502_migrate_roles.rb
+++ b/db/post_migrate/20220617202502_migrate_roles.rb
@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+class MigrateRoles < ActiveRecord::Migration[5.2]
+  disable_ddl_transaction!
+
+  class UserRole < ApplicationRecord; end
+  class User < ApplicationRecord; end
+
+  def up
+    load Rails.root.join('db', 'seeds', '03_roles.rb')
+
+    admin_role     = UserRole.find_by(name: 'Admin')
+    moderator_role = UserRole.find_by(name: 'Moderator')
+
+    User.where(admin: true).in_batches.update_all(role_id: admin_role.id)
+    User.where(moderator: true).in_batches.update_all(role_id: moderator_role.id)
+  end
+
+  def down
+    admin_role     = UserRole.find_by(name: 'Admin')
+    moderator_role = UserRole.find_by(name: 'Moderator')
+
+    User.where(role_id: admin_role.id).in_batches.update_all(admin: true) if admin_role
+    User.where(role_id: moderator_role.id).in_batches.update_all(moderator: true) if moderator_role
+  end
+end
--- a/db/post_migrate/20220704024901_migrate_settings_to_user_roles.rb
+++ b/db/post_migrate/20220704024901_migrate_settings_to_user_roles.rb
@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+class MigrateSettingsToUserRoles < ActiveRecord::Migration[6.1]
+  disable_ddl_transaction!
+
+  class UserRole < ApplicationRecord; end
+
+  def up
+    owner_role     = UserRole.find_by(name: 'Owner')
+    admin_role     = UserRole.find_by(name: 'Admin')
+    moderator_role = UserRole.find_by(name: 'Moderator')
+    everyone_role  = UserRole.find_by(id: -99)
+
+    min_invite_role  = Setting.min_invite_role
+    show_staff_badge = Setting.show_staff_badge
+
+    if everyone_role
+      everyone_role.permissions &= ~::UserRole::FLAGS[:invite_users] unless min_invite_role == 'user'
+      everyone_role.save
+    end
+
+    if owner_role
+      owner_role.highlighted = show_staff_badge
+      owner_role.save
+    end
+
+    if admin_role
+      admin_role.permissions |= ::UserRole::FLAGS[:invite_users] if %w(admin moderator).include?(min_invite_role)
+      admin_role.highlighted  = show_staff_badge
+      admin_role.save
+    end
+
+    if moderator_role
+      moderator_role.permissions |= ::UserRole::FLAGS[:invite_users] if %w(moderator).include?(min_invite_role)
+      moderator_role.highlighted  = show_staff_badge
+      moderator_role.save
+    end
+  end
+
+  def down; end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 2022_06_13_110903) do
+ActiveRecord::Schema.define(version: 2022_07_04_024901) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@ -968,6 +968,16 @@ ActiveRecord::Schema.define(version: 2022_06_13_110903) do
    t.index ["user_id"], name: "index_user_invite_requests_on_user_id"
  end

+  create_table "user_roles", force: :cascade do |t|
+    t.string "name", default: "", null: false
+    t.string "color", default: "", null: false
+    t.integer "position", default: 0, null: false
+    t.bigint "permissions", default: 0, null: false
+    t.boolean "highlighted", default: false, null: false
+    t.datetime "created_at", precision: 6, null: false
+    t.datetime "updated_at", precision: 6, null: false
+  end
+
  create_table "users", force: :cascade do |t|
    t.string "email", default: "", null: false
    t.datetime "created_at", null: false
@ -1003,11 +1013,13 @@ ActiveRecord::Schema.define(version: 2022_06_13_110903) do
    t.string "webauthn_id"
    t.inet "sign_up_ip"
    t.boolean "skip_sign_in_token"
+    t.bigint "role_id"
    t.index ["account_id"], name: "index_users_on_account_id"
    t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
    t.index ["created_by_application_id"], name: "index_users_on_created_by_application_id", where: "(created_by_application_id IS NOT NULL)"
    t.index ["email"], name: "index_users_on_email", unique: true
    t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true, opclass: :text_pattern_ops, where: "(reset_password_token IS NOT NULL)"
+    t.index ["role_id"], name: "index_users_on_role_id", where: "(role_id IS NOT NULL)"
  end

  create_table "web_push_subscriptions", force: :cascade do |t|
@ -1159,6 +1171,7 @@ ActiveRecord::Schema.define(version: 2022_06_13_110903) do
  add_foreign_key "users", "accounts", name: "fk_50500f500d", on_delete: :cascade
  add_foreign_key "users", "invites", on_delete: :nullify
  add_foreign_key "users", "oauth_applications", column: "created_by_application_id", on_delete: :nullify
+  add_foreign_key "users", "user_roles", column: "role_id", on_delete: :nullify
  add_foreign_key "web_push_subscriptions", "oauth_access_tokens", column: "access_token_id", on_delete: :cascade
  add_foreign_key "web_push_subscriptions", "users", on_delete: :cascade
  add_foreign_key "web_settings", "users", name: "fk_11910667b2", on_delete: :cascade
--- a/db/seeds.rb
+++ b/db/seeds.rb
@ -1,11 +1,5 @@
-Doorkeeper::Application.create!(name: 'Web', superapp: true, redirect_uri: Doorkeeper.configuration.native_redirect_uri, scopes: 'read write follow push')
+# frozen_string_literal: true

-domain = ENV['LOCAL_DOMAIN'] || Rails.configuration.x.local_domain
-account = Account.find_or_initialize_by(id: -99, actor_type: 'Application', locked: true, username: domain)
-account.save!
-
-if Rails.env.development?
-  admin  = Account.where(username: 'admin').first_or_initialize(username: 'admin')
-  admin.save(validate: false)
-  User.where(email: "admin@#{domain}").first_or_initialize(email: "admin@#{domain}", password: 'mastodonadmin', password_confirmation: 'mastodonadmin', confirmed_at: Time.now.utc, admin: true, account: admin, agreement: true, approved: true).save!
+Dir[Rails.root.join('db', 'seeds', '*.rb')].sort.each do |seed|
+  load seed
 end
--- a/db/seeds/01_web_app.rb
+++ b/db/seeds/01_web_app.rb
@ -0,0 +1 @@
+Doorkeeper::Application.create_with(name: 'Web', redirect_uri: Doorkeeper.configuration.native_redirect_uri, scopes: 'read write follow push').find_or_create_by(superapp: true)
--- a/db/seeds/02_instance_actor.rb
+++ b/db/seeds/02_instance_actor.rb
@ -0,0 +1 @@
+Account.create_with(actor_type: 'Application', locked: true, username: ENV['LOCAL_DOMAIN'] || Rails.configuration.x.local_domain).find_or_create_by(id: -99)
--- a/db/seeds/03_roles.rb
+++ b/db/seeds/03_roles.rb
@ -0,0 +1,9 @@
+# Pre-create base role
+UserRole.everyone
+
+# Create default roles defined in config file
+default_roles = YAML.load_file(Rails.root.join('config', 'roles.yml'))
+
+default_roles.each do |_, config|
+  UserRole.create_with(position: config['position'], permissions_as_keys: config['permissions'], highlighted: true).find_or_create_by(name: config['name'])
+end
--- a/db/seeds/04_admin.rb
+++ b/db/seeds/04_admin.rb
@ -0,0 +1,8 @@
+if Rails.env.development?
+  domain = ENV['LOCAL_DOMAIN'] || Rails.configuration.x.local_domain
+
+  admin = Account.where(username: 'admin').first_or_initialize(username: 'admin')
+  admin.save(validate: false)
+
+  User.where(email: "admin@#{domain}").first_or_initialize(email: "admin@#{domain}", password: 'mastodonadmin', password_confirmation: 'mastodonadmin', confirmed_at: Time.now.utc, role: UserRole.find_by(name: 'Owner'), account: admin, agreement: true, approved: true).save!
+end
				`@ -0,0 +1 @@`
				`Doorkeeper::Application.create_with(name: 'Web', redirect_uri: Doorkeeper.configuration.native_redirect_uri, scopes: 'read write follow push').find_or_create_by(superapp: true)`
				`@ -0,0 +1 @@`
				`Account.create_with(actor_type: 'Application', locked: true, username: ENV['LOCAL_DOMAIN'] \|\| Rails.configuration.x.local_domain).find_or_create_by(id: -99)`