Remove permissions architecture in favour of roles (#1185)

Thank you Pundit and the rich permissions structures you provided, we appreciate your service from when fine grained permissions were needed.

Gemfile

@@ -41,7 +41,6 @@ gem 'omniauth-rails_csrf_protection'
 gem 'postmark-rails'
 gem 'prophet-rb', '~> 0.5.3'
 gem 'puma'
-gem 'pundit'
 gem 'rails', '8.0.1'
 gem 'rails-html-sanitizer'
 gem 'rack-cors', '~> 2.0'

Gemfile.lock

@@ -362,8 +362,6 @@ GEM
     public_suffix (6.0.1)
     puma (6.5.0)
       nio4r (~> 2.0)
-    pundit (2.4.0)
-      activesupport (>= 3.0.0)
     raabro (1.4.0)
     racc (1.8.1)
     rack (3.1.8)
@@ -591,7 +589,6 @@ DEPENDENCIES
   postmark-rails
   prophet-rb (~> 0.5.3)
   puma
-  pundit
   rack-cors (~> 2.0)
   rails (= 8.0.1)
   rails-controller-testing

app/assets/javascripts/components/archive_case/_modal.html

@@ -3,14 +3,9 @@
   <h3 class="modal-title">Archive This Case for Later?</h3>
 </div>
 <div class="modal-body">
-  <p ng-show="ctrl.canDelete">You're about to put this case into deep freeze. You'll be able to unarchive it later through the "Archived Cases" filter in the Case Listings.</p>
-  <p ng-hide="ctrl.canDelete">You do not have delete (and archive) permissions for cases.</p>
-  <p ng-show="ctrl.canDelete && ctrl.notOwner()">
-  <div class="alert alert-warning" role="alert" ng-if="ctrl.canDelete && !ctrl.isOwnerOfCase()">
-    Only the owner of a case can restore it. You will take over ownership of this case from <i>{{ ctrl.theCase.ownerName}}</i> by archiving it.
-  </div>
+  <p>You're about to put this case into deep freeze. You'll be able to unarchive it later through the "Archived Cases" filter in the Case Listings.</p>  
 </div>
 <div class="modal-footer">
-  <button class="btn btn-danger" ng-show="ctrl.canDelete" ng-click="ctrl.ok()">Archive</button>
+  <button class="btn btn-danger"  ng-click="ctrl.ok()">Archive</button>
   <button class="btn btn-default" ng-click="ctrl.cancel()">Cancel</button>
 </div>

app/assets/javascripts/components/archive_case/archive_case_modal_instance_controller.js

@@ -8,18 +8,7 @@ angular.module('QuepidApp')
     function ($rootScope, $uibModalInstance, theCase) {
       var ctrl = this;
 
-      ctrl.theCase = theCase;
-      ctrl.canDelete = false;
-
-      $rootScope.$watch('currentUser', function() {
-        if ( $rootScope.currentUser ) {
-          ctrl.canDelete = $rootScope.currentUser.permissions.case.delete;
-        }
-      });
-
-      ctrl.isOwnerOfCase = function() {
-        return ($rootScope.currentUser.id === ctrl.theCase.ownerId);
-      };
+      ctrl.theCase = theCase;      
 
       ctrl.ok = function () {
         $uibModalInstance.close(true);

app/assets/javascripts/components/archive_search_endpoint/_modal.html

@@ -1,16 +0,0 @@
-<div class="modal-header">
-  <button type="button" class="close btn-core-close" ng-click="ctrl.cancel()" aria-label="Close"></button>
-  <h3 class="modal-title">Archive This Search Endpoint for Later?</h3>
-</div>
-<div class="modal-body">
-  <p ng-show="ctrl.canDelete">You're about to put this search endpoint into deep freeze. You'll be able to unarchive it later through the "Archived Search Endpoints" filter in the Search Endpoint Listings.</p>
-  <p ng-hide="ctrl.canDelete">You do not have delete (and archive) permissions for search endpoints.</p>
-  <p ng-show="ctrl.canDelete && ctrl.notOwner()">
-  <div class="alert alert-warning" role="alert" ng-if="ctrl.canDelete && !ctrl.isOwnerOfSearchEndpoint()">
-    Only the owner of a search endpoint can restore it. You will take over ownership of this search endpoint from <i>{{ ctrl.theSearchEndpoint.ownerName}}</i> by archiving it.
-  </div>
-</div>
-<div class="modal-footer">
-  <button class="btn btn-danger" ng-show="ctrl.canDelete" ng-click="ctrl.ok()">Archive</button>
-  <button class="btn btn-default" ng-click="ctrl.cancel()">Cancel</button>
-</div>

app/assets/javascripts/components/archive_search_endpoint/archive_search_endpoint_modal_instance_controller.js

@@ -9,18 +9,6 @@ angular.module('QuepidApp')
       var ctrl = this;
 
       ctrl.theSearchEndpoint = theSearchEndpoint;
-      //ctrl.canDelete = false;
-      ctrl.canDelete = true; // hard code that anyone can delete ;-(
-
-      //$rootScope.$watch('currentUser', function() {
-      //  if ( $rootScope.currentUser ) {
-      //    ctrl.canDelete = $rootScope.currentUser.permissions.search_endpoint.delete;
-      //  }
-      //});
-
-      ctrl.isOwnerOfSearchEndpoint = function() {
-        return ($rootScope.currentUser.id === ctrl.theSearchEndpoint.ownerId);
-      };
 
       ctrl.ok = function () {
         $uibModalInstance.close(true);

app/assets/javascripts/components/case_listing/case_listing_controller.js

@@ -7,14 +7,12 @@ angular.module('QuepidApp')
     '$rootScope',
     '$scope',
     '$location',
-    'flash',
     'caseTryNavSvc',
     'caseSvc',
     function (
       $rootScope,
       $scope,
       $location,
-      flash,
       caseTryNavSvc,
       caseSvc
     ) {
@@ -25,7 +23,6 @@ angular.module('QuepidApp')
       ctrl.clickToEdit.oldVal   = ctrl.thisCase.caseName.slice(0);
       ctrl.clickToEdit.currVal  = ctrl.thisCase.caseName.slice(0);
       ctrl.clickToEdit.clicked  = false;
-      ctrl.canUpdate = false;
 
       // Functions
       ctrl.cancel     = cancel;
@@ -39,19 +36,8 @@ angular.module('QuepidApp')
         $location.path(path);
       }
 
-      $rootScope.$watch('currentUser', function() {
-        if ( $rootScope.currentUser ) {
-          ctrl.canUpdate = $rootScope.currentUser.permissions.case.update;
-        }
-      });
-
-      function rename() {
-        if (ctrl.canUpdate) {
-          ctrl.clickToEdit.clicked = true;
-        }
-        else {
-          flash.error = 'You do not have update permissions for cases.';
-        }
+      function rename() {      
+        ctrl.clickToEdit.clicked = true;      
       }
 
       function cancel() {

app/assets/javascripts/components/clone_case/clone_case_controller.js

@@ -37,39 +37,26 @@ angular.module('QuepidApp')
           });
       }
 
-      function prompt() {
-        if ( !$rootScope.currentUser.permissions.case.create ) {
-          var deniedModalInstance = $uibModal.open({
-            templateUrl:  'new_case/_denied_modal.html',
-            controller:   'DeniedNewCaseModalInstanceCtrl',
-            controllerAs: 'ctrl'
-          });
-
-          deniedModalInstance.result.then(
-            function() { },
-            function() { }
-          );
-        } else {
-          var modalInstance = $uibModal.open({
-            templateUrl:  'clone_case/_modal.html',
-            controller:   'CloneCaseModalInstanceCtrl',
-            controllerAs: 'ctrl',
-            resolve:      {
-              theCase: function() {
-                return ctrl.acase;
-              }
+      function prompt() {      
+        var modalInstance = $uibModal.open({
+          templateUrl:  'clone_case/_modal.html',
+          controller:   'CloneCaseModalInstanceCtrl',
+          controllerAs: 'ctrl',
+          resolve:      {
+            theCase: function() {
+              return ctrl.acase;
             }
-          });
+          }
+        });
 
-          modalInstance.result.then(
-            function (options) {
-              ctrl.cloneCase(options);
-            },
-            function() {
-              $log.info('INFO: Modal dismissed');
-            }
-          );
-        }
+        modalInstance.result.then(
+          function (options) {
+            ctrl.cloneCase(options);
+          },
+          function() {
+            $log.info('INFO: Modal dismissed');
+          }
+        );
       }
     }
   ]);

app/assets/javascripts/components/clone_scorer/clone_scorer_controller.js

@@ -21,14 +21,6 @@ angular.module('QuepidApp')
       var ctrl = this;
       ctrl.buttonText = $scope.buttonText;
 
-      ctrl.cannotCreate = true;
-
-      $rootScope.$watch('currentUser', function() {
-        if ( $rootScope.currentUser ) {
-          ctrl.cannotCreate = !$rootScope.currentUser.permissions.team.create;
-        }
-      });
-
       // Functions
       ctrl.cloneScorer = cloneScorer;
 

app/assets/javascripts/components/delete_case/_modal.html

@@ -3,8 +3,7 @@
   <h3 class="modal-title">Delete This Case</h3>
 </div>
 <div class="modal-body">
-  <p ng-show="ctrl.canDelete">You're about to delete this case forever!  If you think you might want it later, use the Archive function instead.</p>
-  <p ng-hide="ctrl.canDelete">You do not have delete permissions for cases.</p>
+  <p>You're about to delete this case forever!  If you think you might want it later, use the Archive function instead.</p>
 </div>
 <div class="modal-footer">
   <button class="btn btn-danger" ng-show="ctrl.canDelete" ng-click="ctrl.ok()">Delete</button>

app/assets/javascripts/components/delete_case/delete_case_modal_instance_controller.js

@@ -7,14 +7,6 @@ angular.module('QuepidApp')
     function ($rootScope, $uibModalInstance) {
       var ctrl = this;
 
-      ctrl.canDelete = false;
-
-      $rootScope.$watch('currentUser', function() {
-        if ( $rootScope.currentUser ) {
-          ctrl.canDelete = $rootScope.currentUser.permissions.case.delete;
-        }
-      });
-
       ctrl.ok = function () {
         $uibModalInstance.close(true);
       };

app/assets/javascripts/components/delete_scorer/_modal.html

@@ -3,8 +3,7 @@
   <h3 class="modal-title">Delete This Scorer</h3>
 </div>
 <div class="modal-body">
-  <p ng-show="ctrl.canDelete">You're about to delete this scorer forever!</p>
-  <p ng-hide="ctrl.canDelete">You do not have delete permissions for scorers.</p>
+  <p>You're about to delete this scorer forever!</p>
 </div>
 <div class="modal-footer">
   <button class="btn btn-danger" ng-show="ctrl.canDelete" ng-click="ctrl.ok()">Delete</button>

app/assets/javascripts/components/delete_scorer/delete_scorer_modal_instance_controller.js

@@ -7,16 +7,6 @@ angular.module('QuepidApp')
     function ($rootScope, $uibModalInstance) {
       var ctrl = this;
 
-      // the whole canDelete this may not make sense to have as we don't really support 
-      // changing up these permissions..
-      ctrl.canDelete = false;
-
-      $rootScope.$watch('currentUser', function() {
-        if ( $rootScope.currentUser ) {
-          ctrl.canDelete = $rootScope.currentUser.permissions.scorer.delete;
-        }
-      });
-
       ctrl.ok = function () {
         $uibModalInstance.close(true);
       };

app/assets/javascripts/components/edit_scorer/edit_scorer_controller.js

@@ -26,7 +26,7 @@ angular.module('QuepidApp')
 
       function editScorer() {
         $log.info('INFO: Opened modal to edit scorer!');
-        if ( ctrl.lastSaved.communal && !$rootScope.currentUser.permissions.scorer.update_communal ) {
+        if ( ctrl.lastSaved.communal && !$rootScope.currentUser.administrator ) {
           var deniedModalInstance = $uibModal.open({
             templateUrl:  'edit_scorer/_denied_communal_modal.html',
             controller:   'DeniedEditScorerModalInstanceCtrl',
@@ -38,7 +38,7 @@ angular.module('QuepidApp')
             function() { }
           );
         }
-        else if ( !ctrl.lastSaved.communal && !$rootScope.currentUser.permissions.scorer.update ) {
+        else if ( !ctrl.lastSaved.communal && !$rootScope.currentUser.administrator ) {
           var deniedModalInstance2 = $uibModal.open({
             templateUrl:  'edit_scorer/_denied_modal.html',
             controller:   'DeniedEditScorerModalInstanceCtrl',

app/assets/javascripts/components/judgements/_modal.html

@@ -2,11 +2,8 @@
   <button type="button" class="close btn-core-close" ng-click="ctrl.cancel()" aria-label="Close"></button>
   <h3 class="modal-title">Judgements</h3>
 </div>
-<div class="modal-body" ng-hide="ctrl.canUpdateCase">
-  <p>You do not have edit permissions for cases.</p>
-</div>
 
-<div class="modal-body" ng-show="ctrl.canUpdateCase">
+<div class="modal-body">
   <div ng-show='ctrl.share.loading'>
     <p>
       Loading your teams, this will be quick I promise!

app/assets/javascripts/components/judgements/judgements_modal_instance_controller.js

@@ -26,20 +26,11 @@ angular.module('QuepidApp')
      ) {
       var ctrl = this;
 
-      ctrl.canUpdateCase = false;
-      ctrl.canCreateTeam = false;
       ctrl.refreshOnly = false;
       ctrl.updateAssociatedBook = false;
       ctrl.populateJudgements = false;
       ctrl.createMissingQueries = false;
 
-      $rootScope.$watch('currentUser', function() {
-        if ( $rootScope.currentUser ) {
-          ctrl.canUpdateCase = $rootScope.currentUser.permissions.case.update;
-          ctrl.canCreateTeam = $rootScope.currentUser.permissions.team.create;
-        }
-      });
-
       // why do we do this pattern?
       ctrl.share = {
         acase:            acase,

app/assets/javascripts/components/new_scorer/new_scorer_controller.js

@@ -23,14 +23,6 @@ angular.module('QuepidApp')
       var ctrl = this;
       ctrl.buttonText = $scope.buttonText;
 
-      ctrl.cannotCreate = true;
-
-      $rootScope.$watch('currentUser', function() {
-        if ( $rootScope.currentUser ) {
-          ctrl.cannotCreate = !$rootScope.currentUser.permissions.team.create;
-        }
-      });
-
       // Functions
       ctrl.newScorer = newScorer;
 

app/assets/javascripts/components/new_team/new_team_controller.js

@@ -21,14 +21,6 @@ angular.module('QuepidApp')
       var ctrl = this;
       ctrl.buttonText = $scope.buttonText;
 
-      ctrl.cannotCreate = true;
-
-      $rootScope.$watch('currentUser', function() {
-        if ( $rootScope.currentUser ) {
-          ctrl.cannotCreate = !$rootScope.currentUser.permissions.team.create;
-        }
-      });
-
       // Functions
       ctrl.newTeam = newTeam;