adminbruno
/
docuseal
mirror of https://github.com/docusealco/docuseal
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix role

Browse Source
pull/627/head^2
chapsjust 2 months ago
parent 7cba39d076
commit 3bdfc55680
7 changed files with 238 additions and 71 deletions
Show Stats Download Patch File Download Diff File

8
app/controllers/users_controller.rb
Unescape View File

@ -16,6 +16,9 @@ class UsersController < ApplicationController
@users.active.where.not(role: 'integration')
end
# Restrict visibility to roles at or below the current user's rank.
@users = @users.where(role: Whitelabel.manageable_roles(current_user.role))
@pagy, @users = pagy(@users.preload(account: :account_accesses).where(account: current_account).order(id: :desc))
end
@ -40,7 +43,7 @@ class UsersController < ApplicationController
end
@user.password = SecureRandom.hex if @user.password.blank?
@user.role = User::ADMIN_ROLE unless role_valid?(@user.role)
@user.role = User.admin_role unless role_valid?(@user.role)
if @user.save
UserMailer.invitation_email(@user).deliver_later!
@ -92,7 +95,8 @@ class UsersController < ApplicationController
private
def role_valid?(role)
User::ROLES.include?(role)
# Role must exist AND be at or below the current user's own rank.
Whitelabel.manageable_roles(current_user.role).include?(role.to_s)
end
def build_user

17
app/models/user.rb
Unescape View File

@ -53,6 +53,17 @@ class User < ApplicationRecord
USER_ROLE = 'user'
].freeze
# Config-driven role list. Falls back to ROLES constant if no config.
def self.available_roles
Whitelabel.roles
rescue StandardError
ROLES
end
def self.admin_role
available_roles.first
end
EMAIL_REGEXP = /[^@;,<>\s]+@[^@;,<>\s]+/
FULL_EMAIL_REGEXP =
@ -72,12 +83,12 @@ class User < ApplicationRecord
devise :two_factor_authenticatable, :recoverable, :rememberable, :validatable, :trackable, :lockable
attribute :role, :string, default: ADMIN_ROLE
attribute :role, :string, default: -> { User.admin_role }
attribute :uuid, :string, default: -> { SecureRandom.uuid }
scope :active, -> { where(archived_at: nil) }
scope :archived, -> { where.not(archived_at: nil) }
scope :admins, -> { where(role: ADMIN_ROLE) }
scope :admins, -> { where(role: admin_role) }
validates :email, format: { with: /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ }
@ -96,7 +107,7 @@ class User < ApplicationRecord
def sidekiq?
return true if Rails.env.development?
role == 'admin'
role == User.admin_role
end
def self.sign_in_after_reset_password

25
app/views/shared/_settings_nav.html.erb
Unescape View File

@ -6,54 +6,57 @@
<span class="!bg-transparent"><%= t('settings') %></span>
</li>
<li></li>
<%# Profile is always visible — personal section %>
<li>
<%= link_to t('profile'), settings_profile_index_path, class: 'text-base hover:bg-base-300' %>
</li>
<li>
<%= link_to t('account'), settings_account_path, class: 'text-base hover:bg-base-300' %>
</li>
<% if Whitelabel.setting_section_visible?(current_user.role, 'account') %>
<li>
<%= link_to t('account'), settings_account_path, class: 'text-base hover:bg-base-300' %>
</li>
<% end %>
<% unless Docuseal.multitenant? %>
<% if can?(:read, EncryptedConfig.new(key: EncryptedConfig::EMAIL_SMTP_KEY, account: current_account)) && ENV['SMTP_ADDRESS'].blank? && true_user == current_user %>
<% if Whitelabel.setting_section_visible?(current_user.role, 'email') && can?(:read, EncryptedConfig.new(key: EncryptedConfig::EMAIL_SMTP_KEY, account: current_account)) && ENV['SMTP_ADDRESS'].blank? && true_user == current_user %>
<li>
<%= link_to t('email'), settings_email_index_path, class: 'text-base hover:bg-base-300' %>
</li>
<% end %>
<% if can?(:read, EncryptedConfig.new(key: EncryptedConfig::FILES_STORAGE_KEY, account: current_account)) && true_user == current_user %>
<% if Whitelabel.setting_section_visible?(current_user.role, 'storage') && can?(:read, EncryptedConfig.new(key: EncryptedConfig::FILES_STORAGE_KEY, account: current_account)) && true_user == current_user %>
<li>
<%= link_to t('storage'), settings_storage_index_path, class: 'text-base hover:bg-base-300' %>
</li>
<% end %>
<% end %>
<% if can?(:read, AccountConfig) %>
<% if Whitelabel.setting_section_visible?(current_user.role, 'notifications') && can?(:read, AccountConfig) %>
<li>
<%= link_to t('notifications'), settings_notifications_path, class: 'text-base hover:bg-base-300' %>
</li>
<% end %>
<% if can?(:read, EncryptedConfig.new(key: EncryptedConfig::ESIGN_CERTS_KEY, account: current_account)) %>
<% if Whitelabel.setting_section_visible?(current_user.role, 'esign') && can?(:read, EncryptedConfig.new(key: EncryptedConfig::ESIGN_CERTS_KEY, account: current_account)) %>
<li>
<%= link_to t('e_signature'), settings_esign_path, class: 'text-base hover:bg-base-300' %>
</li>
<% end %>
<% if can?(:read, AccountConfig) %>
<% if Whitelabel.setting_section_visible?(current_user.role, 'personalization') && can?(:read, AccountConfig) %>
<li>
<%= link_to t('personalization'), settings_personalization_path, class: 'text-base hover:bg-base-300' %>
</li>
<% end %>
<% if can?(:read, User) %>
<% if Whitelabel.setting_section_visible?(current_user.role, 'users') && can?(:read, User) %>
<li>
<%= link_to t('users'), settings_users_path, class: 'text-base hover:bg-base-300' %>
</li>
<% end %>
<%= render 'shared/settings_nav_extra' %>
<% if Docuseal.demo? || !Docuseal.multitenant? %>
<% if can?(:read, AccessToken) && current_user.role != User::USER_ROLE %>
<% if Whitelabel.setting_section_visible?(current_user.role, 'api') && can?(:read, AccessToken) %>
<li>
<%= link_to 'API', settings_api_index_path, class: 'text-base hover:bg-base-300' %>
</li>
<% end %>
<% end %>
<% if Docuseal.demo? || !Docuseal.multitenant? || (current_user != true_user && !current_account.testing?) %>
<% if can?(:read, WebhookUrl) %>
<% if Whitelabel.setting_section_visible?(current_user.role, 'webhooks') && can?(:read, WebhookUrl) %>
<li>
<%= link_to 'Webhooks', settings_webhooks_path, class: 'text-base hover:bg-base-300' %>
</li>

6
app/views/users/_role_select.html.erb
Unescape View File

@ -1,9 +1,9 @@
<div class="form-control">
<%= f.label :role, class: 'label' %>
<%= f.select :role, nil, {}, class: 'base-select' do %>
<option value="admin"><%= t('role_admin') %></option>
<option value="gestionnaire"><%= t('role_gestionnaire') %></option>
<option value="user"><%= t('role_user') %></option>
<% Whitelabel.manageable_roles(current_user.role).each do |role_slug| %>
<option value="<%= role_slug %>"><%= t("role_#{role_slug}", default: role_slug.humanize) %></option>
<% end %>
<% end %>
<% if Docuseal.multitenant? %>
<label class="label">

2
docs/WHITELABEL.md
Unescape View File

@ -4,8 +4,6 @@
> Do NOT add config schema details, API contracts, or example YAML here.
> The private config template is managed in the Intebec Dashboard, not in this repo.
## Usage in Code
### In ERB views
```erb

130
lib/ability.rb
Unescape View File

@ -3,71 +3,101 @@
class Ability
include CanCan::Ability
# Maps config resource names → CanCan model + action rules.
# All condition procs MUST return hashes (not AR relations) so that
# class-level can?/authorize! checks work (e.g. `authorize! :index, Template`).
RESOURCE_MAP = {
'templates' => [
[Template, :read, ->(u) { { account_id: u.account_id } }],
[Template, :create, ->(u) { { account_id: u.account_id } }],
[Template, :update, ->(u) { { account_id: u.account_id } }],
[Template, :destroy, ->(u) { { account_id: u.account_id } }],
[TemplateFolder, :manage, ->(u) { { account_id: u.account_id } }],
[TemplateSharing, :manage, ->(u) { { template: { account_id: u.account_id } } }]
],
'submissions' => [
[Submission, :manage, ->(u) { { account_id: u.account_id } }],
[Submitter, :manage, ->(u) { { account_id: u.account_id } }]
],
'users' => [
[User, :manage, ->(u) { { account_id: u.account_id } }]
],
'settings' => [
[EncryptedConfig, :manage, ->(u) { { account_id: u.account_id } }],
[AccountConfig, :manage, ->(u) { { account_id: u.account_id } }],
[Account, :manage, ->(u) { { id: u.account_id } }],
[WebhookUrl, :manage, ->(u) { { account_id: u.account_id } }]
]
}.freeze
def initialize(user)
case user.role
when User::ADMIN_ROLE
admin_abilities(user)
when User::GESTIONNAIRE_ROLE
gestionnaire_abilities(user)
when User::USER_ROLE
user_abilities(user)
end
return unless user
always_allowed(user)
apply_role_permissions(user)
end
private
# Accès complet à tout le compte
def admin_abilities(user)
can %i[read create update], Template, Abilities::TemplateConditions.collection(user) do |template|
Abilities::TemplateConditions.entity(template, user:, ability: 'manage')
end
can :destroy, Template, account_id: user.account_id
can :manage, TemplateFolder, account_id: user.account_id
can :manage, TemplateSharing, template: { account_id: user.account_id }
can :manage, Submission, account_id: user.account_id
can :manage, Submitter, account_id: user.account_id
can :manage, User, account_id: user.account_id
can :manage, EncryptedConfig, account_id: user.account_id
# Personal resources — always available regardless of role.
def always_allowed(user)
can :manage, EncryptedUserConfig, user_id: user.id
can :manage, AccountConfig, account_id: user.account_id
can :manage, UserConfig, user_id: user.id
can :manage, Account, id: user.account_id
can :manage, User, id: user.id
can :read, Account, id: user.account_id
can :manage, AccessToken, user_id: user.id
can :manage, WebhookUrl, account_id: user.account_id
end
# Peut créer/gérer documents et envois — pas les paramètres ni les utilisateurs
def gestionnaire_abilities(user)
can %i[read create update], Template, Abilities::TemplateConditions.collection(user) do |template|
Abilities::TemplateConditions.entity(template, user:, ability: 'manage')
def apply_role_permissions(user)
role = user.role.to_s
RESOURCE_MAP.each do |resource_key, model_rules|
config_actions = Whitelabel.role_permissions(role, resource_key)
model_rules.each do |model, cancan_action, condition_proc|
grant_if_allowed(user, model, cancan_action, condition_proc, config_actions)
end
end
end
can :destroy, Template, account_id: user.account_id
can :manage, TemplateFolder, account_id: user.account_id
can :manage, TemplateSharing, template: { account_id: user.account_id }
can :manage, Submission, account_id: user.account_id
can :manage, Submitter, account_id: user.account_id
can :manage, EncryptedUserConfig, user_id: user.id
can :manage, UserConfig, user_id: user.id
can :manage, User, id: user.id
can :read, Account, id: user.account_id
can :manage, AccessToken, user_id: user.id
def grant_if_allowed(user, model, cancan_action, condition_proc, config_actions)
needed = action_to_config(cancan_action)
return unless (needed & config_actions).any?
conditions = condition_proc.call(user)
granted = map_cancan_actions(cancan_action, config_actions)
return if granted.empty?
# Hash-only conditions. Shared-template / linked-account filtering
# is handled at the controller level (TemplateConditions.collection,
# filter_templates, etc.) — CanCanCan forbids hash + block together.
can granted, model, conditions
end
# Lecture seule — ne peut pas créer ni modifier
def user_abilities(user)
can :read, Template, Abilities::TemplateConditions.collection(user) do |template|
Abilities::TemplateConditions.entity(template, user:)
# Map a CanCan :manage action to the individual config actions that are allowed.
def map_cancan_actions(cancan_action, config_actions)
if cancan_action == :manage
mapped = []
mapped << :read if config_actions.include?('read')
mapped << :create if config_actions.include?('create')
mapped << :update if config_actions.include?('update')
mapped << :destroy if config_actions.include?('delete')
mapped
elsif cancan_action == :destroy
config_actions.include?('delete') ? [:destroy] : []
else
config_actions.include?(cancan_action.to_s) ? [cancan_action] : []
end
end
can :read, TemplateFolder, account_id: user.account_id
can :read, Submission, account_id: user.account_id
can :read, Submitter, account_id: user.account_id
can :manage, EncryptedUserConfig, user_id: user.id
can :manage, UserConfig, user_id: user.id
can :manage, User, id: user.id
can :read, Account, id: user.account_id
can :manage, AccessToken, user_id: user.id
def action_to_config(cancan_action)
case cancan_action
when :manage then %w[read create update delete]
when :read then %w[read]
when :create then %w[create]
when :update then %w[update]
when :destroy then %w[delete]
else [cancan_action.to_s]
end
end
end

121
lib/whitelabel.rb
Unescape View File

@ -332,6 +332,127 @@ module Whitelabel
dig_bool('features', 'show_pro_upsells', false)
end
# =====================================================================
# Roles & Permissions (config-driven)
# =====================================================================
#
# Config format:
# roles:
# admin:
# permissions:
# templates: [read, create, update, delete]
# submissions: [read, create, update, delete]
# users: [read, create, update, delete]
# settings: [read, create, update, delete]
# gestionnaire:
# permissions:
# templates: [read, create, update, delete]
# submissions: [read, create, update, delete]
# users: [read]
# settings: [read]
# user:
# permissions:
# templates: [read]
# submissions: [read]
#
# Default permission matrix — used when no roles section in config.
DEFAULT_ROLES = {
'admin' => {
'permissions' => {
'templates' => %w[read create update delete],
'submissions' => %w[read create update delete],
'users' => %w[read create update delete],
'settings' => %w[read create update delete]
}
},
'gestionnaire' => {
'permissions' => {
'templates' => %w[read create update delete],
'submissions' => %w[read create update delete],
'users' => %w[read],
'settings' => %w[read]
}
},
'user' => {
'permissions' => {
'templates' => %w[read],
'submissions' => %w[read],
'users' => [],
'settings' => []
}
}
}.freeze
# All available roles (keys). Order matters — first is the default.
def roles
(config.dig('roles') || DEFAULT_ROLES).keys
end
# The default role assigned to new users.
def default_role
roles.first
end
# Full role definition hash for a given role slug.
def role_definition(role_slug)
all = config.dig('roles') || DEFAULT_ROLES
all[role_slug.to_s] || {}
end
# Permission list for a role + resource.
# Returns e.g. ["read", "create", "update"] or [].
def role_permissions(role_slug, resource)
perms = role_definition(role_slug).dig('permissions', resource.to_s)
perms.is_a?(Array) ? perms : []
end
# Check if a role has a specific action on a resource.
def role_can?(role_slug, resource, action)
role_permissions(role_slug, resource).include?(action.to_s)
end
# Check if a role is an admin (first role in the list is always the admin).
def admin_role?(role_slug)
role_slug.to_s == roles.first
end
# Validate that a role slug exists in config.
def role_valid?(role_slug)
roles.include?(role_slug.to_s)
end
# Returns the rank index of a role (0 = highest privilege = admin).
# Unknown roles return roles.size (treated as lowest).
def role_rank(role_slug)
roles.index(role_slug.to_s) || roles.size
end
# Returns only roles that the given actor_role can assign/manage.
# An actor can only work with roles at their own rank or lower (higher index).
def manageable_roles(actor_role)
rank = role_rank(actor_role.to_s)
roles[rank..]
end
# All known settings sections in display order.
ALL_SETTINGS_SECTIONS = %w[account email storage notifications esign personalization users api webhooks].freeze
# Returns true if the role is allowed to see the given settings section.
# Falls back to ALL_SETTINGS_SECTIONS for roles that have settings read
# permission but no explicit sections list (backward-compatible).
def setting_section_visible?(role_slug, section)
defn = role_definition(role_slug)
sections = defn['settings_sections']
if sections.is_a?(Array)
sections.map(&:to_s).include?(section.to_s)
else
# No explicit list → grant all sections to roles that can read settings.
role_permissions(role_slug, 'settings').include?('read')
end
end
# =====================================================================
# Internal
# =====================================================================

Write Preview
Loading…
Cancel
Save