From 44b2ee3485ba0845e5910cefcb4b1e2f84f34470 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Tue, 5 Jul 2022 02:41:40 +0200 Subject: Add customizable user roles (#18641) * Add customizable user roles * Various fixes and improvements * Add migration for old settings and fix tootctl role management --- app/policies/account_moderation_note_policy.rb | 4 +-- app/policies/account_policy.rb | 40 +++++++++++--------------- app/policies/account_warning_policy.rb | 2 +- app/policies/account_warning_preset_policy.rb | 8 +++--- app/policies/announcement_policy.rb | 8 +++--- app/policies/appeal_policy.rb | 8 ++++-- app/policies/application_policy.rb | 6 ++-- app/policies/audit_log_policy.rb | 7 +++++ app/policies/custom_emoji_policy.rb | 14 ++++----- app/policies/dashboard_policy.rb | 7 +++++ app/policies/delivery_policy.rb | 6 ++-- app/policies/domain_allow_policy.rb | 8 +++--- app/policies/domain_block_policy.rb | 10 +++---- app/policies/email_domain_block_policy.rb | 6 ++-- app/policies/follow_recommendation_policy.rb | 6 ++-- app/policies/instance_policy.rb | 6 ++-- app/policies/invite_policy.rb | 12 +++----- app/policies/ip_block_policy.rb | 6 ++-- app/policies/preview_card_policy.rb | 4 +-- app/policies/preview_card_provider_policy.rb | 4 +-- app/policies/relay_policy.rb | 2 +- app/policies/report_note_policy.rb | 4 +-- app/policies/report_policy.rb | 6 ++-- app/policies/rule_policy.rb | 8 +++--- app/policies/settings_policy.rb | 6 ++-- app/policies/status_policy.rb | 8 +++--- app/policies/tag_policy.rb | 8 +++--- app/policies/user_policy.rb | 38 ++++++++---------------- app/policies/user_role_policy.rb | 19 ++++++++++++ app/policies/webhook_policy.rb | 16 +++++------ 30 files changed, 149 insertions(+), 138 deletions(-) create mode 100644 app/policies/audit_log_policy.rb create mode 100644 app/policies/dashboard_policy.rb create mode 100644 app/policies/user_role_policy.rb (limited to 'app/policies') 
diff --git a/app/policies/account_moderation_note_policy.rb b/app/policies/account_moderation_note_policy.rb index 885411a5b..310ce854c 100644 --- a/app/policies/account_moderation_note_policy.rb +++ b/app/policies/account_moderation_note_policy.rb @@ -2,11 +2,11 @@ class AccountModerationNotePolicy < ApplicationPolicy def create? - staff? + role.can?(:manage_reports) end def destroy? - admin? || owner? + owner? || (role.can?(:manage_reports) && role.overrides?(record.account.user_role)) end private diff --git a/app/policies/account_policy.rb b/app/policies/account_policy.rb index cc23771e7..a744af81d 100644 --- a/app/policies/account_policy.rb +++ b/app/policies/account_policy.rb 
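Review bot: `destroy?` in account_moderation_note_policy.rb now depends on `role.overrides?(record.account.user_role)`, and nothing in the hunk says whose role that is or what happens when it is absent. If `record.account` is the note's author, as the `owner?` branch suggests, a comment above the method would record the rule: `# Authors may delete their own notes; anyone else needs :manage_reports and a role that outranks the author's`. Whether `user_role` can be nil here and how `overrides?` treats nil or an equal rank is not visible in this diff, so both cases are worth pinning with a spec. The same expression is added to `ReportNotePolicy#destroy?` further down, and the class body continues past `private`, outside the hunk.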
@@ -2,74 +2,66 @@ class AccountPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_users) end def show? - staff? + role.can?(:manage_users) end def warn? - staff? && !record.user&.staff? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) end def suspend? - staff? && !record.user&.staff? && !record.instance_actor? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) && !record.instance_actor? end def destroy? - record.suspended_temporarily? && admin? + record.suspended_temporarily? && role.can?(:delete_user_data) end def unsuspend? - staff? && record.suspension_origin_local? + role.can?(:manage_users) && record.suspension_origin_local? end def sensitive? - staff? && !record.user&.staff? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) end def unsensitive? - staff? + role.can?(:manage_users) end def silence? - staff? && !record.user&.staff? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) end def unsilence? - staff? + role.can?(:manage_users) end def redownload? - admin? + role.can?(:manage_federation) end def remove_avatar? - staff? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) end def remove_header? - staff? - end - - def subscribe? - admin? - end - - def unsubscribe? - admin? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) end def memorialize? - admin? && !record.user&.admin? && !record.instance_actor? + role.can?(:delete_user_data) && role.overrides?(record.user_role) && !record.instance_actor? end def unblock_email? - staff? + role.can?(:manage_users) end def review? - staff? + role.can?(:manage_taxonomies) end end diff --git a/app/policies/account_warning_policy.rb b/app/policies/account_warning_policy.rb index 65707dfa7..4f8df7420 100644 --- a/app/policies/account_warning_policy.rb +++ b/app/policies/account_warning_policy.rb 
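Review bot: `destroy?` in account_policy.rb gates on `role.can?(:delete_user_data)` alone, while `memorialize?` further down pairs the same privilege with `role.overrides?(record.user_role)`. The old `admin?` check implied top rank, but with custom roles a lower-ranked holder of `:delete_user_data` would pass `destroy?` for a temporarily suspended account whose user outranks them; if that is not intended, `record.suspended_temporarily? && role.can?(:delete_user_data) && role.overrides?(record.user_role)` keeps the two consistent. The reversing predicates `unsuspend?`, `unsensitive?` and `unsilence?` likewise carry no rank check and require `:manage_users` only, whereas their counterparts accept either privilege, so a one-line comment saying the asymmetry is deliberate would save the next reader from guessing. The multi-argument form `role.can?(:manage_users, :manage_reports)` reads as any-of, but its definition is outside this diff and deserves a comment or spec confirming it.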
@@ -2,7 +2,7 @@ class AccountWarningPolicy < ApplicationPolicy def show? - target? || staff? + target? || role.can?(:manage_appeals) end def appeal? diff --git a/app/policies/account_warning_preset_policy.rb b/app/policies/account_warning_preset_policy.rb index bccbd33ef..59514e951 100644 --- a/app/policies/account_warning_preset_policy.rb +++ b/app/policies/account_warning_preset_policy.rb @@ -2,18 +2,18 @@ class AccountWarningPresetPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_settings) end def create? - staff? + role.can?(:manage_settings) end def update? - staff? + role.can?(:manage_settings) end def destroy? - staff? + role.can?(:manage_settings) end end diff --git a/app/policies/announcement_policy.rb b/app/policies/announcement_policy.rb index 0a4e4575c..b5dc6a18a 100644 --- a/app/policies/announcement_policy.rb +++ b/app/policies/announcement_policy.rb @@ -2,18 +2,18 @@ class AnnouncementPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_announcements) end def create? - admin? + role.can?(:manage_announcements) end def update? - admin? + role.can?(:manage_announcements) end def destroy? - admin? + role.can?(:manage_announcements) end end diff --git a/app/policies/appeal_policy.rb b/app/policies/appeal_policy.rb index a25187172..7466b334b 100644 --- a/app/policies/appeal_policy.rb +++ b/app/policies/appeal_policy.rb @@ -2,12 +2,14 @@ class AppealPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_appeals) end def approve? - record.pending? && staff? + record.pending? && role.can?(:manage_appeals) end - alias reject? approve? + def reject? + record.pending? && role.can?(:manage_appeals) + end end diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb index d1de5e81a..163b81e9e 100644 --- a/app/policies/application_policy.rb +++ b/app/policies/application_policy.rb 
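Review bot: `AppealPolicy#reject?` in appeal_policy.rb is now a literal copy of `approve?`, where the old code had `alias reject? approve?`. Two identical authorization predicates can drift apart when only one of them is edited later; unless they are expected to diverge, keep the alias or have `reject?` return `approve?`. If the split is intentional, for example to allow separate privileges later, a short comment on `reject?` saying so is enough.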
@@ -8,8 +8,6 @@ class ApplicationPolicy @record = record end - delegate :admin?, :moderator?, :staff?, to: :current_user, allow_nil: true - private def current_user @@ -19,4 +17,8 @@ class ApplicationPolicy def user_signed_in? !current_user.nil? end + + def role + current_user&.role || UserRole.nobody + end end diff --git a/app/policies/audit_log_policy.rb b/app/policies/audit_log_policy.rb new file mode 100644 index 000000000..f78aa9a8e --- /dev/null +++ b/app/policies/audit_log_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +class AuditLogPolicy < ApplicationPolicy + def index? + role.can?(:view_audit_log) + end +end diff --git a/app/policies/custom_emoji_policy.rb b/app/policies/custom_emoji_policy.rb index a8c3cbc73..18de71c19 100644 --- a/app/policies/custom_emoji_policy.rb +++ b/app/policies/custom_emoji_policy.rb @@ -2,30 +2,30 @@ class CustomEmojiPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_custom_emojis) end def create? - admin? + role.can?(:manage_custom_emojis) end def update? - admin? + role.can?(:manage_custom_emojis) end def copy? - admin? + role.can?(:manage_custom_emojis) end def enable? - staff? + role.can?(:manage_custom_emojis) end def disable? - staff? + role.can?(:manage_custom_emojis) end def destroy? - admin? + role.can?(:manage_custom_emojis) end end diff --git a/app/policies/dashboard_policy.rb b/app/policies/dashboard_policy.rb new file mode 100644 index 000000000..3df1c3088 --- /dev/null +++ b/app/policies/dashboard_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +class DashboardPolicy < ApplicationPolicy + def index? + role.can?(:view_dashboard) + end +end diff --git a/app/policies/delivery_policy.rb b/app/policies/delivery_policy.rb index 24d06c168..f6ba2eb18 100644 --- a/app/policies/delivery_policy.rb +++ b/app/policies/delivery_policy.rb 
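Review bot: The new private `role` helper in application_policy.rb is what makes every policy in this commit deny by default for signed-out callers, and it has no comment stating that contract. Something like `# Falls back to UserRole.nobody so role.can? and role.overrides? are always callable; nobody must hold no privileges` above the method would record it; the definition of `UserRole.nobody` is outside this path-limited diff, so the "no privileges" part should be confirmed there and covered by a spec. Removing the public `delegate :admin?, :moderator?, :staff?` line also means any remaining caller of those predicates on a policy will raise instead of returning false, so a search for leftover uses outside app/policies is worthwhile.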
@@ -2,14 +2,14 @@ class DeliveryPolicy < ApplicationPolicy def clear_delivery_errors? - admin? + role.can?(:manage_federation) end def restart_delivery? - admin? + role.can?(:manage_federation) end def stop_delivery? - admin? + role.can?(:manage_federation) end end diff --git a/app/policies/domain_allow_policy.rb b/app/policies/domain_allow_policy.rb index 7a5b5d780..45c797ecd 100644 --- a/app/policies/domain_allow_policy.rb +++ b/app/policies/domain_allow_policy.rb @@ -2,18 +2,18 @@ class DomainAllowPolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_federation) end def show? - admin? + role.can?(:manage_federation) end def create? - admin? + role.can?(:manage_federation) end def destroy? - admin? + role.can?(:manage_federation) end end diff --git a/app/policies/domain_block_policy.rb b/app/policies/domain_block_policy.rb index 543259cce..0fea2e035 100644 --- a/app/policies/domain_block_policy.rb +++ b/app/policies/domain_block_policy.rb @@ -2,22 +2,22 @@ class DomainBlockPolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_federation) end def show? - admin? + role.can?(:manage_federation) end def create? - admin? + role.can?(:manage_federation) end def update? - admin? + role.can?(:manage_federation) end def destroy? - admin? + role.can?(:manage_federation) end end diff --git a/app/policies/email_domain_block_policy.rb b/app/policies/email_domain_block_policy.rb index 5a75ee183..1a0ddfa87 100644 --- a/app/policies/email_domain_block_policy.rb +++ b/app/policies/email_domain_block_policy.rb @@ -2,14 +2,14 @@ class EmailDomainBlockPolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_blocks) end def create? - admin? + role.can?(:manage_blocks) end def destroy? - admin? + role.can?(:manage_blocks) end end diff --git a/app/policies/follow_recommendation_policy.rb b/app/policies/follow_recommendation_policy.rb index 68cd0e547..9245733ea 100644 --- a/app/policies/follow_recommendation_policy.rb 
+++ b/app/policies/follow_recommendation_policy.rb @@ -2,14 +2,14 @@ class FollowRecommendationPolicy < ApplicationPolicy def show? - staff? + role.can?(:manage_taxonomies) end def suppress? - staff? + role.can?(:manage_taxonomies) end def unsuppress? - staff? + role.can?(:manage_taxonomies) end end diff --git a/app/policies/instance_policy.rb b/app/policies/instance_policy.rb index 801ca162e..b15e123fe 100644 --- a/app/policies/instance_policy.rb +++ b/app/policies/instance_policy.rb @@ -2,14 +2,14 @@ class InstancePolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_federation) end def show? - admin? + role.can?(:manage_federation) end def destroy? - admin? + role.can?(:manage_federation) end end diff --git a/app/policies/invite_policy.rb b/app/policies/invite_policy.rb index 14236f78b..24eacd08e 100644 --- a/app/policies/invite_policy.rb +++ b/app/policies/invite_policy.rb @@ -2,19 +2,19 @@ class InvitePolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_invites) end def create? - min_required_role? + role.can?(:invite_users) end def deactivate_all? - admin? + role.can?(:manage_invites) end def destroy? - owner? || (Setting.min_invite_role == 'admin' ? admin? : staff?) + owner? || role.can?(:manage_invites) end private @@ -22,8 +22,4 @@ class InvitePolicy < ApplicationPolicy def owner? record.user_id == current_user&.id end - - def min_required_role? - current_user&.role?(Setting.min_invite_role) - end end diff --git a/app/policies/ip_block_policy.rb b/app/policies/ip_block_policy.rb index 34dbd746a..1abc97ad8 100644 --- a/app/policies/ip_block_policy.rb +++ b/app/policies/ip_block_policy.rb @@ -2,14 +2,14 @@ class IpBlockPolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_blocks) end def create? - admin? + role.can?(:manage_blocks) end def destroy? - admin? + role.can?(:manage_blocks) end end diff --git a/app/policies/preview_card_policy.rb b/app/policies/preview_card_policy.rb index 0410987e4..a7bb41634 100644 
--- a/app/policies/preview_card_policy.rb +++ b/app/policies/preview_card_policy.rb @@ -2,10 +2,10 @@ class PreviewCardPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_taxonomies) end def review? - staff? + role.can?(:manage_taxonomies) end end diff --git a/app/policies/preview_card_provider_policy.rb b/app/policies/preview_card_provider_policy.rb index 44d2ad5cf..131ccb5dd 100644 --- a/app/policies/preview_card_provider_policy.rb +++ b/app/policies/preview_card_provider_policy.rb @@ -2,10 +2,10 @@ class PreviewCardProviderPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_taxonomies) end def review? - staff? + role.can?(:manage_taxonomies) end end diff --git a/app/policies/relay_policy.rb b/app/policies/relay_policy.rb index bd75e2197..4305bcfaa 100644 --- a/app/policies/relay_policy.rb +++ b/app/policies/relay_policy.rb @@ -2,6 +2,6 @@ class RelayPolicy < ApplicationPolicy def update? - admin? + role.can?(:manage_federation) end end diff --git a/app/policies/report_note_policy.rb b/app/policies/report_note_policy.rb index 694bc096b..dc31416e8 100644 --- a/app/policies/report_note_policy.rb +++ b/app/policies/report_note_policy.rb @@ -2,11 +2,11 @@ class ReportNotePolicy < ApplicationPolicy def create? - staff? + role.can?(:manage_reports) end def destroy? - admin? || owner? + owner? || (role.can?(:manage_reports) && role.overrides?(record.account.user_role)) end private diff --git a/app/policies/report_policy.rb b/app/policies/report_policy.rb index 95b5c30c8..c9f7639bd 100644 --- a/app/policies/report_policy.rb +++ b/app/policies/report_policy.rb @@ -2,14 +2,14 @@ class ReportPolicy < ApplicationPolicy def update? - staff? + role.can?(:manage_reports) end def index? - staff? + role.can?(:manage_reports) end def show? - staff? + role.can?(:manage_reports) end end diff --git a/app/policies/rule_policy.rb b/app/policies/rule_policy.rb index 6a4def009..51b2a6977 100644 --- a/app/policies/rule_policy.rb 
+++ b/app/policies/rule_policy.rb @@ -2,18 +2,18 @@ class RulePolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_rules) end def create? - admin? + role.can?(:manage_rules) end def update? - admin? + role.can?(:manage_rules) end def destroy? - admin? + role.can?(:manage_rules) end end diff --git a/app/policies/settings_policy.rb b/app/policies/settings_policy.rb index 874f97bab..2b052af27 100644 --- a/app/policies/settings_policy.rb +++ b/app/policies/settings_policy.rb @@ -2,14 +2,14 @@ class SettingsPolicy < ApplicationPolicy def update? - admin? + role.can?(:manage_settings) end def show? - admin? + role.can?(:manage_settings) end def destroy? - admin? + role.can?(:manage_settings) end end diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb index 400f1ec79..2f48b5d70 100644 --- a/app/policies/status_policy.rb +++ b/app/policies/status_policy.rb @@ -8,7 +8,7 @@ class StatusPolicy < ApplicationPolicy end def index? - staff? + role.can?(:manage_reports, :manage_users) end def show? @@ -32,17 +32,17 @@ class StatusPolicy < ApplicationPolicy end def destroy? - staff? || owned? + role.can?(:manage_reports) || owned? end alias unreblog? destroy? def update? - staff? || owned? + role.can?(:manage_reports) || owned? end def review? - staff? + role.can?(:manage_taxonomies) end private diff --git a/app/policies/tag_policy.rb b/app/policies/tag_policy.rb index bdfcec0c9..bb1d37d6c 100644 --- a/app/policies/tag_policy.rb +++ b/app/policies/tag_policy.rb @@ -2,18 +2,18 @@ class TagPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_taxonomies) end def show? - staff? + role.can?(:manage_taxonomies) end def update? - staff? + role.can?(:manage_taxonomies) end def review? - staff? + role.can?(:manage_taxonomies) end end diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index 140905e1f..6751b8b8f 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb 
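Review bot: In status_policy.rb, `destroy?` (and `unreblog?` through the alias) and `update?` grant access on `role.can?(:manage_reports)` with no rank comparison, while the account-level moderation predicates in this commit add `role.overrides?(...)`. If moderators are not meant to act on statuses written by users whose role outranks theirs, the check could read `owned? || (role.can?(:manage_reports) && role.overrides?(record.account.user_role))`, mirroring `ReportNotePolicy#destroy?`, assuming `user_role` also resolves for remote authors. If unrestricted status moderation is intended, a comment on these two methods stating that would make the difference from AccountPolicy explicit. Both hunks show only part of the class.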
@@ -2,52 +2,38 @@ class UserPolicy < ApplicationPolicy def reset_password? - staff? && !record.staff? + role.can?(:manage_user_access) && role.overrides?(record.role) end def change_email? - staff? && !record.staff? + role.can?(:manage_user_access) && role.overrides?(record.role) end def disable_2fa? - admin? && !record.staff? + role.can?(:manage_user_access) && role.overrides?(record.role) + end + + def change_role? + role.can?(:manage_roles) && role.overrides?(record.role) end def confirm? - staff? && !record.confirmed? + role.can?(:manage_user_access) && !record.confirmed? end def enable? - staff? + role.can?(:manage_users) end def approve? - staff? && !record.approved? + role.can?(:manage_users) && !record.approved? end def reject? - staff? && !record.approved? + role.can?(:manage_users) && !record.approved? end def disable? - staff? && !record.admin? - end - - def promote? - admin? && promotable? - end - - def demote? - admin? && !record.admin? && demoteable? - end - - private - - def promotable? - record.approved? && (!record.staff? || !record.admin?) - end - - def demoteable? - record.staff? + role.can?(:manage_users) && role.overrides?(record.role) end end diff --git a/app/policies/user_role_policy.rb b/app/policies/user_role_policy.rb new file mode 100644 index 000000000..7019637fc --- /dev/null +++ b/app/policies/user_role_policy.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +class UserRolePolicy < ApplicationPolicy + def index? + role.can?(:manage_roles) + end + + def create? + role.can?(:manage_roles) + end + + def update? + role.can?(:manage_roles) && role.overrides?(record) + end + + def destroy? + !record.everyone? && role.can?(:manage_roles) && role.overrides?(record) && role.id != record.id + end +end diff --git a/app/policies/webhook_policy.rb b/app/policies/webhook_policy.rb index 2c55703a1..a2199a333 100644 --- a/app/policies/webhook_policy.rb +++ b/app/policies/webhook_policy.rb 
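Review bot: `change_role?` in user_policy.rb checks only that the actor outranks the target's current role (`role.overrides?(record.role)`); the role being assigned is not available to the policy, so the check that the new role does not outrank the actor has to live in the controller or a model validation, neither of which appears in this path-limited diff. It is worth confirming that such a check exists and has a spec, and then noting it on the method, e.g. `# Guards the target's current role only; the rank of the role being assigned is validated on assignment`. Separately, `enable?` and `confirm?` have no `role.overrides?(record.role)` while `disable?` does, so a holder of `:manage_users` can re-enable a disabled user whose role outranks theirs; if that is unintended, `role.can?(:manage_users) && role.overrides?(record.role)` matches `disable?`.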
@@ -2,34 +2,34 @@ class WebhookPolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_webhooks) end def create? - admin? + role.can?(:manage_webhooks) end def show? - admin? + role.can?(:manage_webhooks) end def update? - admin? + role.can?(:manage_webhooks) end def enable? - admin? + role.can?(:manage_webhooks) end def disable? - admin? + role.can?(:manage_webhooks) end def rotate_secret? - admin? + role.can?(:manage_webhooks) end def destroy? - admin? + role.can?(:manage_webhooks) end end -- cgit From ecb3bb3256fe1bab0d7a63829cdce914b2b509a9 Mon Sep 17 00:00:00 2001 From: Claire Date: Sun, 17 Jul 2022 13:37:30 +0200 Subject: Add support for editing labelling of one's own role (#18812) Still disallow edition of rank or permissions --- app/models/user_role.rb | 7 +++++++ app/policies/user_role_policy.rb | 2 +- app/views/admin/roles/_form.html.haml | 23 +++++++++++++---------- config/locales/activerecord.en.yml | 2 ++ 4 files changed, 23 insertions(+), 11 deletions(-) (limited to 'app/policies') diff --git a/app/models/user_role.rb b/app/models/user_role.rb index 833b96d71..57a56c0b0 100644 --- a/app/models/user_role.rb +++ b/app/models/user_role.rb @@ -90,6 +90,7 @@ class UserRole < ApplicationRecord validate :validate_permissions_elevation validate :validate_position_elevation validate :validate_dangerous_permissions + validate :validate_own_role_edition before_validation :set_position @@ -165,6 +166,12 @@ class UserRole < ApplicationRecord self.position = -1 if everyone? end + def validate_own_role_edition + return unless defined?(@current_account) && @current_account.user_role.id == id + errors.add(:permissions_as_keys, :own_role) if permissions_changed? + errors.add(:position, :own_role) if position_changed? + end + def validate_permissions_elevation errors.add(:permissions_as_keys, :elevated) if defined?(@current_account) && @current_account.user_role.computed_permissions & permissions != permissions end 
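Review bot: `validate_own_role_edition` in user_role.rb only applies its checks when `@current_account` has been set, so any code path that saves a role without assigning it skips the own-role restriction (the existing `validate_permissions_elevation` below has the same shape). As far as this diff shows, this validation is the server-side barrier against changing one's own permissions or position once the policy allows own-role updates, so a spec that submits `permissions_as_keys` and `position` for the actor's own role and expects both `own_role` errors would pin it. Also, `defined?(@current_account)` stays true if the variable was ever assigned nil, in which case `@current_account.user_role` raises; `return unless defined?(@current_account) && @current_account && @current_account.user_role.id == id` avoids that. The hunk does not show where `@current_account` is assigned, and the class continues outside it.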
diff --git a/app/policies/user_role_policy.rb b/app/policies/user_role_policy.rb index 7019637fc..6144a0ec4 100644 --- a/app/policies/user_role_policy.rb +++ b/app/policies/user_role_policy.rb @@ -10,7 +10,7 @@ class UserRolePolicy < ApplicationPolicy end def update? - role.can?(:manage_roles) && role.overrides?(record) + role.can?(:manage_roles) && (role.overrides?(record) || role.id == record.id) end def destroy? diff --git a/app/views/admin/roles/_form.html.haml b/app/views/admin/roles/_form.html.haml index 99a211eea..9beaf619f 100644 --- a/app/views/admin/roles/_form.html.haml +++ b/app/views/admin/roles/_form.html.haml @@ -8,8 +8,9 @@ .fields-group = f.input :name, wrapper: :with_label - .fields-group - = f.input :position, wrapper: :with_label, input_html: { max: current_user.role.position - 1 } + - unless current_user.role.id == @role.id + .fields-group + = f.input :position, wrapper: :with_label, input_html: { max: current_user.role.position - 1 } .fields-group = f.input :color, wrapper: :with_label, input_html: { placeholder: '#000000' } 
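Review bot: `update?` in user_role_policy.rb now returns true for the actor's own role, yet the limit stated in the commit message (labelling only, not rank or permissions) is not visible at the policy level. A comment such as `# Own role is allowed so its name and colour can be edited; permission and position changes are rejected by UserRole#validate_own_role_edition` would stop a later reader from treating this predicate as sufficient on its own. The change to `_form.html.haml` only hides the position and permission inputs, so it should not be counted as enforcement.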
@@ -21,17 +22,19 @@ %hr.spacer/ - .field-group - .input.with_block_label - %label= t('simple_form.labels.user_role.permissions_as_keys') - %span.hint= t('simple_form.hints.user_role.permissions_as_keys') + - unless current_user.role.id == @role.id + + .field-group + .input.with_block_label + %label= t('simple_form.labels.user_role.permissions_as_keys') + %span.hint= t('simple_form.hints.user_role.permissions_as_keys') - - (@role.everyone? ? UserRole::Flags::CATEGORIES.slice(:invites) : UserRole::Flags::CATEGORIES).each do |category, permissions| - %h4= t(category, scope: 'admin.roles.categories') + - (@role.everyone? ? UserRole::Flags::CATEGORIES.slice(:invites) : UserRole::Flags::CATEGORIES).each do |category, permissions| + %h4= t(category, scope: 'admin.roles.categories') - = f.input :permissions_as_keys, collection: permissions, wrapper: :with_block_label, include_blank: false, label_method: lambda { |privilege| safe_join([t("admin.roles.privileges.#{privilege}"), content_tag(:span, t("admin.roles.privileges.#{privilege}_description"), class: 'hint')]) }, required: false, as: :check_boxes, collection_wrapper_tag: 'ul', item_wrapper_tag: 'li', label: false, hint: false, disabled: permissions.filter { |privilege| UserRole::FLAGS[privilege] & current_user.role.computed_permissions == 0 } + = f.input :permissions_as_keys, collection: permissions, wrapper: :with_block_label, include_blank: false, label_method: lambda { |privilege| safe_join([t("admin.roles.privileges.#{privilege}"), content_tag(:span, t("admin.roles.privileges.#{privilege}_description"), class: 'hint')]) }, required: false, as: :check_boxes, collection_wrapper_tag: 'ul', item_wrapper_tag: 'li', label: false, hint: false, disabled: permissions.filter { |privilege| UserRole::FLAGS[privilege] & current_user.role.computed_permissions == 0 } - %hr.spacer/ + %hr.spacer/ .actions = f.button :button, @role.new_record? ? t('admin.roles.add_new') : t('generic.save_changes'), type: :submit 
diff --git a/config/locales/activerecord.en.yml b/config/locales/activerecord.en.yml index daeed58b8..2dfa3b955 100644 --- a/config/locales/activerecord.en.yml +++ b/config/locales/activerecord.en.yml @@ -45,5 +45,7 @@ en: permissions_as_keys: dangerous: include permissions that are not safe for the base role elevated: cannot include permissions your current role does not possess + own_role: cannot be changed with your current role position: elevated: cannot be higher than your current role + own_role: cannot be changed with your current role -- cgit