Revert "Revert "Reader permission fixes"" (hackclub#10853)

Author: sampoder

app/controllers/receiptables_controller.rb

@@ -5,6 +5,8 @@ class ReceiptablesController < ApplicationController
   skip_after_action :verify_authorized # do not force pundit
 
   def mark_no_or_lost
+    authorize @receiptable, policy_class: ReceiptablePolicy
+
     if @receiptable.no_or_lost_receipt!
       flash[:success] = "Marked no/lost receipt on that transaction."
       redirect_to @receiptable

app/policies/receiptable_policy.rb

@@ -1,16 +1,20 @@
 # frozen_string_literal: true
 
 class ReceiptablePolicy < ApplicationPolicy
-  def link?
+  def upload?
     user&.admin? || present_in_events? || Pundit.policy(user, record).try(:receiptable_upload?)
   end
 
+  def link?
+    upload?
+  end
+
   def link_modal?
-    user&.admin? || present_in_events? || Pundit.policy(user, record).try(:receiptable_upload?)
+    upload?
   end
 
-  def upload?
-    user&.admin? || present_in_events? || Pundit.policy(user, record).try(:receiptable_upload?)
+  def mark_no_or_lost?
+    upload?
   end
 
   private

app/views/canonical_pending_transactions/_canonical_pending_transaction.html.erb

@@ -85,27 +85,29 @@
             <% end %>
           </div>
         <% end %>
-        <div class="overflow-visible relative" style="margin-left: 0.5rem;" data-controller="menu" data-menu-append-to-value="turbo-frame#ledger">
-          <button class="list-badge add-tag-badge ml0 menu__toggle menu__toggle--arrowless" data-menu-target="toggle" data-action="menu#toggle click@document->menu#close keydown@document->menu#keydown">+ Add tag</button>
-          <div class="menu__content menu__content--2 menu__content--compact menu__content--left text-sm" data-menu-target="content">
-            <% (@event || pt.local_hcb_code.event).tags.each do |tag| %>
-              <div class="flex items-center" data-tag="<%= tag.id %>">
-                <%= button_to toggle_tag_hcb_code_path(id: pt.local_hcb_code.hashid, tag_id: tag.id), class: "menu__action #{tag_dom_id(pt.local_hcb_code, tag, "_toggle")}", form_class: "flex-auto", form: { "data-turbo" => "true" } do %>
-                  <%= render partial: "canonical_transactions/tag_icon", locals: { tag: } %>
-                  <%= tag.label %>
-                  <%= "✓" if tagged_with.include?(tag) %>
-                <% end %>
-                <%= button_to event_tag_path(@event || pt.local_hcb_code.event, tag), class: "menu__action", method: :delete, title: "Delete this tag", form: { "data-turbo" => "true", "data-turbo-confirm" => tag.removal_confirmation_message } do %>
-                  <%= inline_icon "delete", size: 18, style: "margin: 0" %>
-                <% end %>
-              </div>
-            <% end %>
-            <% if (@event || pt.local_hcb_code.event).tags.any? %>
-              <div class="menu__divider tags__divider"></div>
-            <% end %>
-            <%= render partial: "hcb_codes/create_tag", locals: { button: pt.local_hcb_code.hashid } %>
+        <% if policy(pt.local_hcb_code).toggle_tag? %>
+          <div class="overflow-visible relative" style="margin-left: 0.5rem;" data-controller="menu" data-menu-append-to-value="turbo-frame#ledger">
+            <button class="list-badge add-tag-badge ml0 menu__toggle menu__toggle--arrowless" data-menu-target="toggle" data-action="menu#toggle click@document->menu#close keydown@document->menu#keydown">+ Add tag</button>
+            <div class="menu__content menu__content--2 menu__content--compact menu__content--left text-sm" data-menu-target="content">
+              <% (@event || pt.local_hcb_code.event).tags.each do |tag| %>
+                <div class="flex items-center" data-tag="<%= tag.id %>">
+                  <%= button_to toggle_tag_hcb_code_path(id: pt.local_hcb_code.hashid, tag_id: tag.id), class: "menu__action #{tag_dom_id(pt.local_hcb_code, tag, "_toggle")}", form_class: "flex-auto", form: { "data-turbo" => "true" } do %>
+                    <%= render partial: "canonical_transactions/tag_icon", locals: { tag: } %>
+                    <%= tag.label %>
+                    <%= "✓" if tagged_with.include?(tag) %>
+                  <% end %>
+                  <%= button_to event_tag_path(@event || pt.local_hcb_code.event, tag), class: "menu__action", method: :delete, title: "Delete this tag", form: { "data-turbo" => "true", "data-turbo-confirm" => tag.removal_confirmation_message } do %>
+                    <%= inline_icon "delete", size: 18, style: "margin: 0" %>
+                  <% end %>
+                </div>
+              <% end %>
+              <% if (@event || pt.local_hcb_code.event).tags.any? %>
+                <div class="menu__divider tags__divider"></div>
+              <% end %>
+              <%= render partial: "hcb_codes/create_tag", locals: { button: pt.local_hcb_code.hashid } %>
+            </div>
           </div>
-        </div>
+        <% end %>
       <% end %>
       <% if pt.local_hcb_code %>
         <%= list_badge_for auditor_signed_in? ? pt.local_hcb_code.comments.size : pt.local_hcb_code.not_admin_only_comments_count, "comment", "post", optional: true %>

app/views/canonical_transactions/_canonical_transaction.html.erb

@@ -83,27 +83,29 @@
             <% end %>
           </div>
         <% end %>
-        <div class="overflow-visible relative" style="margin-left: 0.5rem;" data-controller="menu" data-menu-append-to-value="turbo-frame#ledger">
-          <button class="list-badge add-tag-badge ml0 menu__toggle menu__toggle--arrowless" data-menu-target="toggle" data-action="menu#toggle click@document->menu#close keydown@document->menu#keydown">+ Add tag</button>
-          <div class="menu__content menu__content--2 menu__content--compact menu__content--left text-sm" data-menu-target="content">
-            <% (@event || ct.local_hcb_code.event).tags.each do |tag| %>
-              <div class="flex items-center" data-tag="<%= tag.id %>">
-                <%= button_to toggle_tag_hcb_code_path(id: ct.local_hcb_code.hashid, tag_id: tag.id), class: "menu__action #{tag_dom_id(ct.local_hcb_code, tag, "_toggle")}", form_class: "flex-auto", form: { "data-turbo" => "true" } do %>
-                  <%= render partial: "canonical_transactions/tag_icon", locals: { tag: } %>
-                  <%= tag.label %>
-                  <%= "✓" if tagged_with.include?(tag) %>
-                <% end %>
-                <%= button_to event_tag_path(@event || ct.local_hcb_code.event, tag), class: "menu__action", method: :delete, title: "Delete this tag", form: { "data-turbo" => "true", "data-turbo-confirm" => tag.removal_confirmation_message } do %>
-                  <%= inline_icon "delete", size: 18, style: "margin: 0" %>
-                <% end %>
-              </div>
-            <% end %>
-            <% if (@event || ct.local_hcb_code.event).tags.any? %>
-              <div class="menu__divider tags__divider"></div>
-            <% end %>
-            <%= render partial: "hcb_codes/create_tag", locals: { button: ct.local_hcb_code.hashid } %>
+        <% if policy(ct.local_hcb_code).toggle_tag? %>
+          <div class="overflow-visible relative" style="margin-left: 0.5rem;" data-controller="menu" data-menu-append-to-value="turbo-frame#ledger">
+            <button class="list-badge add-tag-badge ml0 menu__toggle menu__toggle--arrowless" data-menu-target="toggle" data-action="menu#toggle click@document->menu#close keydown@document->menu#keydown">+ Add tag</button>
+            <div class="menu__content menu__content--2 menu__content--compact menu__content--left text-sm" data-menu-target="content">
+              <% (@event || ct.local_hcb_code.event).tags.each do |tag| %>
+                <div class="flex items-center" data-tag="<%= tag.id %>">
+                  <%= button_to toggle_tag_hcb_code_path(id: ct.local_hcb_code.hashid, tag_id: tag.id), class: "menu__action #{tag_dom_id(ct.local_hcb_code, tag, "_toggle")}", form_class: "flex-auto", form: { "data-turbo" => "true" } do %>
+                    <%= render partial: "canonical_transactions/tag_icon", locals: { tag: } %>
+                    <%= tag.label %>
+                    <%= "✓" if tagged_with.include?(tag) %>
+                  <% end %>
+                  <%= button_to event_tag_path(@event || ct.local_hcb_code.event, tag), class: "menu__action", method: :delete, title: "Delete this tag", form: { "data-turbo" => "true", "data-turbo-confirm" => tag.removal_confirmation_message } do %>
+                    <%= inline_icon "delete", size: 18, style: "margin: 0" %>
+                  <% end %>
+                </div>
+              <% end %>
+              <% if (@event || ct.local_hcb_code.event).tags.any? %>
+                <div class="menu__divider tags__divider"></div>
+              <% end %>
+              <%= render partial: "hcb_codes/create_tag", locals: { button: ct.local_hcb_code.hashid } %>
+            </div>
           </div>
-        </div>
+        <% end %>
       <% end %>
       <% if ct.local_hcb_code %>
         <%= list_badge_for auditor_signed_in? ? ct.local_hcb_code.comments.size : ct.local_hcb_code.not_admin_only_comments_count, "comment", "post", optional: true %>

app/views/events/promotions.html.erb

@@ -2,7 +2,7 @@
 <% page_md %>
 <%= render "events/nav", selected: :promotions %>
 
-<% @perks_available = organizer_signed_in? && [email protected]_mode? %>
+<% @perks_available = OrganizerPosition.role_at_least?(current_user, @event, :manager) && organizer_signed_in? && [email protected]_mode? %>
 
 <h1>
   Promotions &amp; perks
@@ -86,7 +86,7 @@
   </div>
 
   <p>
-    <%= link_to "The Event Helper", "https://www.theeventhelper.com/", target: :_blank %>
+    <%= link_to "The Event Helper", "https://www.theeventhelper.com/", class: ("disabled" unless @perks_available).to_s, target: :_blank %>
     is partnering with HCB to create a simplified way for your team to
     purchase event insurance. Just apply with your event details to receive a quote from the HCB team.
     All costs are directly from The Event Helper, we don't charge a fee on top.
@@ -146,14 +146,14 @@
 
   <% if @event.hackathon? %>
     <p class="mb0">
-      <%= link_to "1Password", "https://1password.com" %> is offering hackathons running on HCB
+      <%= link_to "1Password", "https://1password.com", class: ("disabled" unless @perks_available) %> is offering hackathons running on HCB
       a year-long 1Password plan for up to 5 people. This can handed out as a prize, however, it
       can only be claimed once per hackathon.
     </p>
   <% else %>
     <h3 class="mb0 mt0">Do you make open source software?</h3>
     <p class="mb0">
-      <%= link_to "1Password", "https://1password.com" %> is offering a lifetime 1Password Teams
+      <%= link_to "1Password", "https://1password.com", class: ("disabled" unless @perks_available) %> is offering a lifetime 1Password Teams
       license (up to 10 seats) to any open source project running on HCB.
     </p>
     <h3 class="mb0 mt2">Does your nonprofit do something else?</h3>

app/views/hcb_codes/_create_tag.html.erb

@@ -1,32 +1,34 @@
-<% if button %>
-  <%= link_to "#", class: "menu__input #{ "btn mt-3" if defined?(large)}", data: { behavior: "modal_trigger", modal: "create_tag" }, onclick: "document.getElementById('create_tag_hcb_code_id').value = #{button.to_json}" do %>
-    <%= inline_icon "plus", size: 15 %>
-      Create tag
-  <% end %>
-<% else %>
-<section class="modal modal--scroll max-w-md bg-snow" data-behavior="modal" role="dialog" id="create_tag">
-  <%= modal_header("Create tag") %>
-  <%= form_with url: event_tags_path(@event), id: "create_tag_form", data: { turbo: true } do |form| %>
-    <%= form.hidden_field :hcb_code_id, value: "", id: "create_tag_hcb_code_id" %>
-    <div class="flex flex-col gap-3 mb-2">
-      <div class="flex gap-3">
-        <div data-controller="emoji-picker" class="relative" data-emoji-picker-target="container">
-          <%= form.text_field :emoji, placeholder: "🏦", class: "!w-10 placeholder:opacity-50", autocomplete: "off", data: { turbo: true, "emoji-picker-target": "input", "action": "focus->emoji-picker#togglePicker input->emoji-picker#validateInput" }, required: true %>
-          <emoji-picker data-emoji-picker-target="picker" data-action="emoji-click->emoji-picker#addEmoji" class="fixed mt-3 z-[300]" style="display: none;"></emoji-picker>
+<% if OrganizerPosition.role_at_least?(current_user, @event, :member) %>
+  <% if button %>
+    <%= link_to "#", class: "menu__input #{ "btn mt-3" if defined?(large)}", data: { behavior: "modal_trigger", modal: "create_tag" }, onclick: "document.getElementById('create_tag_hcb_code_id').value = #{button.to_json}" do %>
+      <%= inline_icon "plus", size: 15 %>
+        Create tag
+    <% end %>
+  <% else %>
+    <section class="modal modal--scroll max-w-md bg-snow" data-behavior="modal" role="dialog" id="create_tag">
+      <%= modal_header("Create tag") %>
+      <%= form_with url: event_tags_path(@event), id: "create_tag_form", data: { turbo: true } do |form| %>
+        <%= form.hidden_field :hcb_code_id, value: "", id: "create_tag_hcb_code_id" %>
+        <div class="flex flex-col gap-3 mb-2">
+          <div class="flex gap-3">
+            <div data-controller="emoji-picker" class="relative" data-emoji-picker-target="container">
+              <%= form.text_field :emoji, placeholder: "🏦", class: "!w-10 placeholder:opacity-50", autocomplete: "off", data: { turbo: true, "emoji-picker-target": "input", "action": "focus->emoji-picker#togglePicker input->emoji-picker#validateInput" }, required: true %>
+              <emoji-picker data-emoji-picker-target="picker" data-action="emoji-click->emoji-picker#addEmoji" class="fixed mt-3 z-[300]" style="display: none;"></emoji-picker>
+            </div>
+            <%= form.text_field :label, autofocus: true, placeholder: "Tag name", style: "max-width: 100%", autocomplete: "off", data: { turbo: true }, required: true %>
+          </div>
+          <div class="flex gap-3">
+            <% Tag::COLORS.each do |color| %>
+              <label class="tags__radio">
+                <%# Default color: Muted %>
+                <%= form.radio_button :color, color, checked: color == "muted" %>
+                <div class="radio__control tag-darker tag-<%= color %>"></div>
+              </label>
+            <% end %>
+          </div>
         </div>
-        <%= form.text_field :label, autofocus: true, placeholder: "Tag name", style: "max-width: 100%", autocomplete: "off", data: { turbo: true }, required: true %>
-      </div>
-      <div class="flex gap-3">
-        <% Tag::COLORS.each do |color| %>
-          <label class="tags__radio">
-            <%# Default color: Muted %>
-            <%= form.radio_button :color, color, checked: color == "muted" %>
-            <div class="radio__control tag-darker tag-<%= color %>"></div>
-          </label>
-        <% end %>
-      </div>
-    </div>
-    <%= form.submit "Create", class: "btn bg-info mt-2 float-right" %>
+        <%= form.submit "Create", class: "btn bg-info mt-2 float-right" %>
+      <% end %>
+    </section>
   <% end %>
-</section>
 <% end %>

app/views/hcb_codes/_tags.html.erb

@@ -6,7 +6,9 @@
     </div>
 
     <div data-controller="menu">
-      <button class="list-badge add-tag-badge ml0 menu__toggle menu__toggle--arrowless h-full" style="height: 1.6rem" data-menu-target="toggle" data-action="menu#toggle click@document->menu#close keydown@document->menu#keydown">+ Add tag</button>
+      <% if policy(Tag.new).create? %>
+        <button class="list-badge add-tag-badge ml0 menu__toggle menu__toggle--arrowless h-full" style="height: 1.6rem" data-menu-target="toggle" data-action="menu#toggle click@document->menu#close keydown@document->menu#keydown">+ Add tag</button>
+      <% end %>
       <div class="menu__content menu__content--2 menu__content--compact menu__content--left text-sm" data-menu-target="content">
         <% @event.tags.each do |tag| %>
           <div class="flex items-center" data-tag="<%= tag.id %>">
@@ -15,8 +17,10 @@
               <%= tag.label %>
               <%= "✓" if hcb_code.tags.include?(tag) %>
             <% end %>
-            <%= button_to event_tag_path(@event, tag), class: "menu__action", method: :delete, title: "Delete this tag", form: { "data-turbo" => "true", "data-turbo-confirm" => tag.removal_confirmation_message }  do %>
-              <%= inline_icon "delete", size: 16, style: "margin: 0" %>
+            <% if policy(tag).destroy? %>
+              <%= button_to event_tag_path(@event, tag), class: "menu__action", method: :delete, title: "Delete this tag", form: { "data-turbo" => "true", "data-turbo-confirm" => tag.removal_confirmation_message } do %>
+                <%= inline_icon "delete", size: 16, style: "margin: 0" %>
+              <% end %>
             <% end %>
           </div>
         <% end %>

app/views/receipts/_form_v3.html.erb

@@ -62,7 +62,12 @@
                                 "action"           => "change->form#submit"
                               } %>
           <span class="flex items-center justify-center flex-row flex-wrap" style="margin: -8px;">
-            <%= form.label :file, class: "btn m1 #{"bg-success" if local_assigns[:success]} #{"bg-error" if local_assigns[:error]}", id: "upload-receipt-button" do %>
+            <% additional_classes = [].tap do |array|
+                 array << "bg-success" if local_assigns[:success]
+                 array << "bg-error" if local_assigns[:error]
+                 array << "disabled" if defined?(receiptable) && !ReceiptablePolicy.new(current_user, receiptable).upload?
+               end.join(", ") %>
+            <%= form.label :file, class: "btn m1 #{additional_classes}", id: "upload-receipt-button" do %>
               <%= inline_icon "cloud-upload" %>
               <% if local_assigns[:success] || local_assigns[:error] %>
                 <span id="upload-receipt-button-text"><%= local_assigns[:success] || local_assigns[:error] %></span>
@@ -80,7 +85,7 @@
               <% end %>
             <% end %>
             <% if defined?(enable_linking) %>
-              <%= link_to my_receipts_upload_path(current_user), class: "btn bg-primary m1", data: defined?(inline_linking) ? nil : { behavior: "modal_trigger", modal: "link_receipt_#{instance}" }, onclick: defined?(inline_linking) ? "event.preventDefault(); $('#link_receipt_#{instance}_select').show(); $('#link_receipt_#{instance}_form').hide();" : "" do %>
+              <%= link_to my_receipts_upload_path(current_user), class: "btn bg-primary m1 #{"disabled" if defined?(receiptable) && !ReceiptablePolicy.new(current_user, receiptable).link_modal?}", data: defined?(inline_linking) ? nil : { behavior: "modal_trigger", modal: "link_receipt_#{instance}" }, onclick: defined?(inline_linking) ? "event.preventDefault(); $('#link_receipt_#{instance}_select').show(); $('#link_receipt_#{instance}_form').hide();" : "" do %>
                 <%= inline_icon "payment-docs" %>
                 <span>Select from Receipt Bin</span>
               <% end %>