Content
View differences
Updated by Klaus Zanders almost 3 years ago
To allow groups and users to be added to work packages, we can extend the existing `members` system to not only allow linking to a project, but also to an additional polymorphic relation called `entity`: a specific work package.
* We already know that we will need to extend the system in the future, because other models will need a membership concept in the future as well (we already know that `Meeting`s will need it). So the syetem The relation should be designed in mutually exclusive (a membership can either be to a polymorphic way.
project or to a work package, never both).
* To quickly access what projects a user has access to, For this we want to keep can either make the `project_id` field in the memberships relationship between members and **always** fill it out if project/work package into a polymorphic relationship. This would make `JOIN` queries more complicated, but would simplify the membership is somehow product related. modeling of the relation
* `project NULL`, `entity NULL` → used Another option would be, to assign global roles with global permissions
* `projet NOT NULL`, `entity NULL` → used add a `work_package_id` field to assign project roles with project scoped + entity based permissions the `members` table, and then adding a CONSTRAINT in the database, that apply prevents both columns to all entities within be filled. Additionally we can add a rails validation. The CONSTRAINT on the project
* `project NOT NULL`, `entity NOT NULL` → used DB level would be benefitial in my eyes, because we do write membership queries directly to assign entity specific roles with entity based permissions (i.e. for a specific work package)
* `~~project NULL~~`~~,~~ `~~entity NOT NULL~~` → This case is currently unused the DB, and thus we are not considering it for now. would need another security layer instead of only relying on AR:
```sql
ALTER TABLE members
ADD CONSTRAINT either_member_of_work_package_or_project CHECK (num_nulls(work_package_id, project_id) >= 1);
```
* The permission checks have to be adjusted:
* The current check checks for a permission checking system only works on the project or globally. This check `project` level. The `user.allowed_to?` method needs to be adjusted extended to also check that the `entity` is NULL, otherwise giving access to allow passing in a single `entity`, will give access to the entire project or a work package.
* Also, When a work package permission is requested, the check code needs to be extended that we can pass in an `entity` instead of check if the permission is granted either through the project to or directly on the check method and for this. When work package. As work package permissions might elevate the entity is bound to users permissions on a project (`respond_to?(:project_id)`), specific work package, we need always have to check for permissions on the both paths.
* When a project itself **and** on is given, the specific entity.
test should stay as it is right now.
* For this, we need to implement entity specifc roles ##49493 Copying a work package, or copying the entire project should ensure that all memberships are correctly copied over
* We already know that we will need to extend the system in the future, because other models will need a membership concept in the future as well (we already know that `Meeting`s will need it). So the syetem
* `project NULL`, `entity NULL` → used
* `projet NOT NULL`, `entity NULL` → used
* `project NOT NULL`, `entity NOT NULL` → used
* `~~project NULL~~`~~,~~ `~~entity NOT NULL~~` → This case is currently unused
```sql
ADD CONSTRAINT either_member_of_work_package_or_project CHECK (num_nulls(work_package_id, project_id) >= 1);
```
* The current check checks for a permission
* Also,
* When a