From 83a48d2d4fa5d125a9b64fa59c35ec72df65452b Mon Sep 17 00:00:00 2001
From: Graham Christensen <graham@grahamc.com>
Date: Sat, 30 Dec 2017 08:28:23 -0500
Subject: [PATCH] Add a restart-jobs role

Frequently users want Hydra access just to restart jobs. However,
prior to this commit the only way to grant that access was by giving
them full Admin access which isn't necessarily what we want to do.

By having a restart-jobs role, we can grant this privilege to users
who are known to the community and want to help, but aren't long-time
members.

I haven't tested this commit, but it looks good to me...
---
 src/lib/Hydra/Controller/JobsetEval.pm |  2 +-
 src/lib/Hydra/Helper/CatalystUtils.pm  | 24 +++++++++++++++++++++---
 src/root/user.tt                       |  1 +
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/src/lib/Hydra/Controller/JobsetEval.pm b/src/lib/Hydra/Controller/JobsetEval.pm
index 8593091d..21e3f731 100644
--- a/src/lib/Hydra/Controller/JobsetEval.pm
+++ b/src/lib/Hydra/Controller/JobsetEval.pm
@@ -188,7 +188,7 @@ sub cancel : Chained('evalChain') PathPart('cancel') Args(0) {
 
 sub restart {
     my ($self, $c, $condition) = @_;
-    requireProjectOwner($c, $c->stash->{eval}->project);
+    requireRestartPrivileges($c, $c->stash->{eval}->project);
     my $builds = $c->stash->{eval}->builds->search({ finished => 1, buildstatus => $condition });
     my $n = restartBuilds($c->model('DB')->schema, $builds);
     $c->flash->{successMsg} = "$n builds have been restarted.";
diff --git a/src/lib/Hydra/Helper/CatalystUtils.pm b/src/lib/Hydra/Helper/CatalystUtils.pm
index 76fa6a7d..a6401676 100644
--- a/src/lib/Hydra/Helper/CatalystUtils.pm
+++ b/src/lib/Hydra/Helper/CatalystUtils.pm
@@ -12,7 +12,7 @@ our @EXPORT = qw(
     getBuild getPreviousBuild getNextBuild getPreviousSuccessfulBuild
     searchBuildsAndEvalsForJobset
     error notFound gone accessDenied
-    forceLogin requireUser requireProjectOwner requireAdmin requirePost isAdmin isProjectOwner
+    forceLogin requireUser requireProjectOwner requireRestartPrivileges requireAdmin requirePost isAdmin isProjectOwner
     trim
     getLatestFinishedEval getFirstEval
     paramToList
@@ -172,7 +172,6 @@ sub requireUser {
     forceLogin($c) if !$c->user_exists;
 }
 
-
 sub isProjectOwner {
     my ($c, $project) = @_;
     return
@@ -182,6 +181,26 @@ sub isProjectOwner {
          defined $c->model('DB::ProjectMembers')->find({ project => $project, userName => $c->user->username }));
 }
 
+sub hasRestartJobsRole {
+    my ($c) = @_;
+    return $c->user_exists && $c->check_user_roles('restart-jobs');
+}
+
+sub mayRestartJobs {
+    my ($c, $project) = @_;
+    return
+        $c->user_exists &&
+        (isAdmin($c) ||
+         hasRestartJobsRole($c) ||
+         isProjectOwner($c, $project));
+}
+
+sub requireRestartPrivileges {
+    my ($c, $project) = @_;
+    requireUser($c);
+    accessDenied($c, "Only the project members, administrators, and accounts with restart-jobs privileges can perform this operation.")
+        unless mayRestartJobs($c, $project);
+}
 
 sub requireProjectOwner {
     my ($c, $project) = @_;
@@ -196,7 +215,6 @@ sub isAdmin {
     return $c->user_exists && $c->check_user_roles('admin');
 }
 
-
 sub requireAdmin {
     my ($c) = @_;
     requireUser($c);
diff --git a/src/root/user.tt b/src/root/user.tt
index ba765983..e95ee689 100644
--- a/src/root/user.tt
+++ b/src/root/user.tt
@@ -80,6 +80,7 @@
           <select multiple="multiple" name="roles" class="span3" [% IF !c.check_user_roles('admin') %]disabled="disabled"[% END %]>
             [% INCLUDE roleoption role="admin" %]
             [% INCLUDE roleoption role="create-projects" %]
+            [% INCLUDE roleoption role="restart-jobs" %]
           </select>
         </div>
       </div>