Only allow projects access to users that are specified as part of the…

… project (#1290) * Started adding validation for authorization * Allow sys admins to view all * Moving access check to a before filter getting tests to pass * only allow sysadmin users access to the project index * Remove double render error --------- Co-authored-by: Hector Correa <hector_correa@princeton.edu>
pulibrary · Feb 6, 2025 · 5bcc644 · 5bcc644
1 parent 670d646
commit 5bcc644
Show file tree

Hide file tree

Showing 6 changed files with 220 additions and 113 deletions.
diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb
@@ -71,9 +71,11 @@ def create
   end
 
   def details
+    return if project.blank?
+
     add_breadcrumb(project.title, project_path)
     add_breadcrumb("Details")
-    project
+
     @departments = project.departments.join(", ")
     @project_metadata = project.metadata_model
 
@@ -169,16 +171,22 @@ def update
   end
 
   def index
-    @projects = Project.all
+    if current_user.eligible_sysadmin?
+      @projects = Project.all
+    else
+      flash[:alert] = "Access Denied"
+      redirect_to root_path
+    end
   end
 
   def confirmation; end
   def revision_confirmation; end
 
   def show
+    return if project.blank?
+
     add_breadcrumb(project.title, project_path)
     add_breadcrumb("Contents")
-    project
 
     @latest_completed_download = current_user.user_requests.where(project_id: @project.id, state: "completed").order(:completion_time).last
     @storage_usage = project.storage_usage(session_id: current_user.mediaflux_session)
@@ -199,6 +207,8 @@ def project_job_service
   end
 
   def list_contents
+    return if project.blank?
+
     project_job_service.list_contents_job(user: current_user)
 
     json_response = {
@@ -257,7 +267,16 @@ def build_new_project
     end
 
     def project
-      @project ||= Project.find(params[:id])
+      @project ||= begin
+        project = Project.find(params[:id])
+        if project.user_has_access?(user: current_user)
+          project
+        else
+          flash[:alert] = "Access Denied"
+          redirect_to root_path
+          nil
+        end
+      end
     end
 
     def eligible_editor?

diff --git a/app/models/project.rb b/app/models/project.rb
@@ -183,6 +183,12 @@ def self.data_user_projects(user)
     Project.where("(metadata_json @> ? :: jsonb) OR (metadata_json @> ? :: jsonb)", query_ro, query_rw)
   end
 
+  def user_has_access?(user:)
+    return true if user.eligible_sysadmin?
+    metadata_model.data_sponsor == user.uid || metadata_model.data_manager == user.uid ||
+    metadata_model.data_user_read_only.include?(user.uid) || metadata_model.data_user_read_write.include?(user.uid)
+  end
+
   def save_in_mediaflux(user:)
     ProjectMediaflux.save(project: self, user: user)
   end