feat: add permission checks for user and profile editors

refs #298 refs #86

feat: add permission checks for user and profile editors
b96bccb1 · Konrad Mohrfeldt · 1ed432f7 · b96bccb1 · b96bccb1 · b96bccb1
Commit b96bccb1 authored 8 months ago by Konrad Mohrfeldt
--- a/src/components/identities/AProfileEditor.vue
+++ b/src/components/identities/AProfileEditor.vue
@@ -9,6 +9,7 @@ This is an editor for the Host steering model.
      :label="t('profile.fields.name')"
      :errors="name.errors"
      :is-saving="name.isSaving"
+      edit-permissions="program.edit__profile__name"
    >
      <input v-model="name.value" required v-bind="attrs" @blur="name.save()" />
    </FormGroup>
@@ -18,6 +19,7 @@ This is an editor for the Host steering model.
      :label="t('profile.fields.email')"
      :errors="email.errors"
      :is-saving="email.isSaving"
+      edit-permissions="program.edit__profile__email"
    >
      <input v-model="email.value" type="email" required v-bind="attrs" @blur="email.save()" />
    </FormGroup>
@@ -27,6 +29,7 @@ This is an editor for the Host steering model.
      :label="t('profile.fields.biography')"
      :errors="biography.errors"
      :is-saving="biography.isSaving"
+      edit-permissions="program.edit__profile__biography"
      custom-control
    >
      <AHTMLEditor
@@ -42,6 +45,7 @@ This is an editor for the Host steering model.
      :label="t('profile.fields.image')"
      :errors="imageId.errors"
      :is-saving="imageId.isSaving"
+      edit-permissions="program.edit__profile__image"
      custom-control
    >
      <ImagePicker
@@ -58,6 +62,7 @@ This is an editor for the Host steering model.
      :is-saving="links.isSaving"
      :errors="links.errors.forField('links', '')"
      :has-error="links.errors.length > 0"
+      edit-permissions="program.edit__profile__links"
      custom-control
    >
      <ALinkCollectionEditor
@@ -74,6 +79,7 @@ This is an editor for the Host steering model.
      :label="t('profile.fields.isActive')"
      :errors="isActive.errors"
      :is-saving="isActive.isSaving"
+      edit-permissions="program.update_profile"
      custom-control
    >
      <label class="tw-inline-flex tw-gap-2 tw-items-center">
@@ -98,6 +104,7 @@ This is an editor for the Host steering model.
        class="tw-order-last"
        :is-saving="owners.isSaving"
        :errors="owners.errors"
+        edit-permissions="program.update_profile"
      >
        <AUserSelector v-model="owners.value" :disabled="disabled" />
      </FormGroup>

--- a/src/components/identities/AUserEditor.vue
+++ b/src/components/identities/AUserEditor.vue
 <template>
  <FormTable>
-    <FormGroup v-slot="attrs" :label="t('user.fields.username')">
+    <FormGroup v-slot="attrs" :label="t('user.fields.username')" :edit-permissions="editPermission">
      <input v-model="user.username" required v-bind="attrs" disabled />
    </FormGroup>

@@ -9,6 +9,7 @@
      :label="t('user.fields.firstName')"
      :errors="firstName.errors"
      :is-saving="firstName.isSaving"
+      :edit-permissions="editPermission"
    >
      <input v-model="firstName.value" required v-bind="attrs" @blur="firstName.save()" />
    </FormGroup>
@@ -18,6 +19,7 @@
      :label="t('user.fields.lastName')"
      :errors="lastName.errors"
      :is-saving="lastName.isSaving"
+      :edit-permissions="editPermission"
    >
      <input v-model="lastName.value" required v-bind="attrs" @blur="lastName.save()" />
    </FormGroup>
@@ -27,6 +29,7 @@
      :label="t('user.fields.email')"
      :errors="email.errors"
      :is-saving="email.isSaving"
+      :edit-permissions="editPermission"
    >
      <input v-model="email.value" type="email" required v-bind="attrs" @blur="email.save()" />
    </FormGroup>
@@ -35,6 +38,7 @@
      v-slot="{ disabled }"
      :errors="cba.errors"
      :is-saving="cba.isSaving"
+      :edit-permissions="editPermission"
      label="CBA"
      custom-control
    >
@@ -47,7 +51,7 @@
 import { computed } from 'vue'
 import { useAPIObjectFieldCopy } from '@/form'
 import { useI18n } from '@/i18n'
-import { SteeringUser, useUserStore } from '@/stores/auth'
+import { SteeringUser, useAuthStore, useUserStore } from '@/stores/auth'

 import FormTable from '@/components/generic/FormTable.vue'
 import FormGroup from '@/components/generic/FormGroup.vue'
@@ -58,8 +62,15 @@ const props = defineProps<{
 }>()

 const { t } = useI18n()
+const authStore = useAuthStore()
 const userStore = useUserStore()
 const user = computed(() => props.user)
+const editPermission = computed(() =>
+  // This is a hack to simplify our editing logic
+  // All users have the change_user permission, because everyone should be able to edit their own account.
+  // However, only admins can edit accounts other than their own. We don’t have a permission for that yet.
+  user.value.id === authStore.steeringUser?.id ? undefined : '__off__',
+)

 const firstName = useAPIObjectFieldCopy(userStore, user, 'firstName', { debounce: 2 })
 const lastName = useAPIObjectFieldCopy(userStore, user, 'lastName', { debounce: 2 })

--- a/src/components/nav/AMainNavMenu.vue
+++ b/src/components/nav/AMainNavMenu.vue
@@ -52,11 +52,13 @@
        </ANavLink>
      </ANavListItem>

-      <ANavListItem>
-        <ANavLink :route="{ name: 'profiles' }" active-if-child-active>
-          {{ t('navigation.profiles') }}
-        </ANavLink>
-      </ANavListItem>
+      <APermissionGuard show-permissions="program.delete_profile">
+        <ANavListItem>
+          <ANavLink :route="{ name: 'profiles' }" active-if-child-active>
+            {{ t('navigation.profiles') }}
+          </ANavLink>
+        </ANavListItem>
+      </APermissionGuard>

      <APermissionGuard
        :show-permissions="['program.delete_fundingcategory', 'program.delete_schedule']"