From 83a48d2d4fa5d125a9b64fa59c35ec72df65452b Mon Sep 17 00:00:00 2001
From: Graham Christensen
Date: Sat, 30 Dec 2017 08:28:23 -0500
Subject: [PATCH] Add a restart-jobs role
Frequently users want Hydra access just to restart jobs. However, prior to this commit the only way to grant that access was by giving them full Admin access which isn't necessarily what we want to do. By having a restart-jobs role, we can grant this privilege to users who are known to the community and want to help, but aren't long-time members. I haven't tested this commit, but it looks good to me...
---
 src/lib/Hydra/Controller/JobsetEval.pm | 2 +-
 src/lib/Hydra/Helper/CatalystUtils.pm | 24 +++++++++++++++++++++---
 src/root/user.tt | 1 +
 3 files changed, 23 insertions(+), 4 deletions(-)
diff --git a/src/lib/Hydra/Controller/JobsetEval.pm b/src/lib/Hydra/Controller/JobsetEval.pm
index 8593091d..21e3f731 100644
--- a/src/lib/Hydra/Controller/JobsetEval.pm
+++ b/src/lib/Hydra/Controller/JobsetEval.pm
@@ -188,7 +188,7 @@ sub cancel : Chained('evalChain') PathPart('cancel') Args(0) {
 sub restart {
 my ($self, $c, $condition) = @_;
- requireProjectOwner($c, $c->stash->{eval}->project);
+ requireRestartPrivileges($c, $c->stash->{eval}->project);
 my $builds = $c->stash->{eval}->builds->search({ finished => 1, buildstatus => $condition });
 my $n = restartBuilds($c->model('DB')->schema, $builds);
 $c->flash->{successMsg} = "$n builds have been restarted.";
diff --git a/src/lib/Hydra/Helper/CatalystUtils.pm b/src/lib/Hydra/Helper/CatalystUtils.pm
index 76fa6a7d..a6401676 100644
--- a/src/lib/Hydra/Helper/CatalystUtils.pm
+++ b/src/lib/Hydra/Helper/CatalystUtils.pm
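Review bot: With `requireRestartPrivileges` the restart action in JobsetEval.pm is open to a wider set of accounts, yet the visible lines record nothing about who triggered it; only the flash message reports the count. A log line after `restartBuilds`, for example `$c->log->info($c->user->username . " restarted $n builds");`, would give operators a trail for bulk restarts. The diffstat lists only this controller, so any other action that restarts builds would presumably still call `requireProjectOwner`; worth checking so the new role behaves the same everywhere. The body of `restart` continues past the end of the hunk.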
@@ -12,7 +12,7 @@ our @EXPORT = qw(
 getBuild getPreviousBuild getNextBuild getPreviousSuccessfulBuild searchBuildsAndEvalsForJobset error notFound gone accessDenied
- forceLogin requireUser requireProjectOwner requireAdmin requirePost isAdmin isProjectOwner
+ forceLogin requireUser requireProjectOwner requireRestartPrivileges requireAdmin requirePost isAdmin isProjectOwner
 trim getLatestFinishedEval getFirstEval paramToList
@@ -172,7 +172,6 @@ sub requireUser {
 forceLogin($c) if !$c->user_exists;
 }
-
 sub isProjectOwner {
 my ($c, $project) = @_;
 return
@@ -182,6 +181,26 @@ sub isProjectOwner {
 defined $c->model('DB::ProjectMembers')->find({ project => $project, userName => $c->user->username }));
 }
+sub hasRestartJobsRole {
+ my ($c) = @_;
+ return $c->user_exists && $c->check_user_roles('restart-jobs');
+}
+
+sub mayRestartJobs {
+ my ($c, $project) = @_;
+ return
+ $c->user_exists &&
+ (isAdmin($c) ||
+ hasRestartJobsRole($c) ||
+ isProjectOwner($c, $project));
+}
+
+sub requireRestartPrivileges {
+ my ($c, $project) = @_;
+ requireUser($c);
+ accessDenied($c, "Only the project members, administrators, and accounts with restart-jobs privileges can perform this operation.")
+ unless mayRestartJobs($c, $project);
+}
 sub requireProjectOwner {
 my ($c, $project) = @_;
@@ -196,7 +215,6 @@ sub isAdmin {
 return $c->user_exists && $c->check_user_roles('admin');
 }
-
 sub requireAdmin {
 my ($c) = @_;
 requireUser($c);
diff --git a/src/root/user.tt b/src/root/user.tt
index ba765983..e95ee689 100644
--- a/src/root/user.tt
+++ b/src/root/user.tt
@@ -80,6 +80,7 @@
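Review bot: `hasRestartJobsRole` checks a site-wide role and never looks at `$project`, so in `mayRestartJobs` a holder of restart-jobs passes for every project, not only those they belong to; that appears to be the intent of the commit message, but nothing in the code says so. A comment above `hasRestartJobsRole` such as `# restart-jobs is a global role: holders may restart builds in any project, regardless of membership.` would make the scope of the grant explicit for whoever assigns it. Because the commit message says the change is untested, a test of `requireRestartPrivileges` covering an anonymous request, a plain user, a restart-jobs holder and a project owner would be worth adding before merge. The `$c->user_exists` check in `hasRestartJobsRole` repeats what `mayRestartJobs` and `requireUser` already do, which is harmless.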