Working on permission for wiki macros #3626

app/controllers/additionals_macros_controller.rb

@@ -2,6 +2,6 @@ class AdditionalsMacrosController < ApplicationController
   before_action :require_login
 
   def show
-    @available_macros = Redmine::WikiFormatting::Macros.available_macros.sort
+    @available_macros = AdditionalsMacro.all
   end
 end

app/models/additionals_macro.rb

@@ -0,0 +1,63 @@
+class AdditionalsMacro
+  # options:
+  # - project
+  # - only_names
+  def self.all(options = {})
+    all = Redmine::WikiFormatting::Macros.available_macros
+    options[:only_names] = false unless options[:only_names]
+    macros = {}
+    macro_list = []
+
+    global_permission = { view_issues: User.current.allowed_to?(:view_issues, nil, global: true),
+                          view_db_entries: User.current.allowed_to?(:view_db_entries, nil, global: true),
+                          view_passwords: User.current.allowed_to?(:view_password, nil, global: true),
+                          view_contacts: User.current.allowed_to?(:view_contacts, nil, global: true) }
+
+    all.each do |macro, macro_options|
+      next if macro == :hello_world
+      next unless macro_allowed(macro, options, global_permission)
+
+      macro_list << macro.to_s
+      macros[macro] = macro_options
+    end
+
+    if options[:only_names]
+      macro_list.sort
+    else
+      macros.sort
+    end
+  end
+
+  def self.macro_allowed(macro, options, global_permission)
+    return false unless check_macro_permission(macro,
+                                               options,
+                                               global_permission,
+                                               names: [:issue], permission: :view_issues)
+    return false unless check_macro_permission(macro,
+                                               options,
+                                               global_permission,
+                                               names: %i[password password_query password_tag password_tag_count], permission: :view_passwords)
+    return false unless check_macro_permission(macro,
+                                               options,
+                                               global_permission,
+                                               names: %i[contact deal contact_avatar contact_note contact_plain], permission: :view_contacts)
+    return false unless check_macro_permission(macro,
+                                               options,
+                                               global_permission,
+                                               names: %i[db db_query db_tag db_tag_count], permission: :view_db_entries)
+
+    true
+  end
+
+  def self.check_macro_permission(macro, options, global_permission, check)
+    names = check[:names]
+    permission = check[:permission]
+    return true if names.exclude?(macro)
+
+    if options[:project]
+      return true if User.current.allowed_to?(permission, options[:project])
+    elsif global_permission[permission]
+      return true
+    end
+  end
+end

lib/additionals/patches/formatting_helper_patch.rb

@@ -15,10 +15,7 @@ module Additionals
 
           return if @additionals_macro_list
 
-          @additionals_macro_list = []
-          Redmine::WikiFormatting::Macros.available_macros.sort.each do |macro, _options|
-            @additionals_macro_list << macro.to_s
-          end
+          @additionals_macro_list = AdditionalsMacro.all(project: @project, only_names: true)
 
           content_for :header_tags do
             render(partial: 'additionals_macros/button')