Added Registrar roles with super, epp, billing

app/controllers/admin/api_users_controller.rb

@@ -55,6 +55,8 @@ class Admin::ApiUsersController < AdminController
   end
 
   def api_user_params
-    params.require(:api_user).permit(:username, :password, :active, :registrar_id, :registrar_typeahead, :identity_code)
+    params.require(:api_user).permit(:username, :password, :active, 
+                                     :registrar_id, :registrar_typeahead, 
+                                     :identity_code, { roles: [] })
   end
 end

app/controllers/registrar/sessions_controller.rb

@@ -145,6 +145,7 @@ class Registrar::SessionsController < Devise::SessionsController
   private
 
   def check_ip
+    return if Rails.env.development?
     return if WhiteIp.registrar_ip_white?(request.ip)
     render text: t('ip_is_not_whitelisted') and return
   end

app/controllers/registrar_controller.rb

@@ -12,6 +12,11 @@ class RegistrarController < ApplicationController
 
   def check_ip
     return unless current_user
+    unless current_user.is_a? ApiUser
+      sign_out(current_user)
+      return
+    end
+
     return if current_user.registrar.registrar_ip_white?(request.ip)
     flash[:alert] = t('ip_is_not_whitelisted')
     sign_out(current_user)

app/models/ability.rb

@@ -1,6 +1,8 @@
 class Ability
   include CanCan::Ability
-
+  # rubocop: disable Metrics/CyclomaticComplexity
+  # rubocop: disable Metrics/PerceivedComplexity
+  # rubocop: disable Metrics/LineLength
   def initialize(user)
     alias_action :show, to: :view
     alias_action :show, :create, :update, :destroy, to: :crud
@@ -11,11 +13,11 @@ class Ability
     when 'AdminUser'
       @user.roles.each { |role| send(role) } if @user.roles
     when 'ApiUser'
-      epp
+      @user.roles.each { |role| send(role) } if @user.roles
-      registrar
+      static_epp
-      registrant # refactor
+      static_registrar
     when 'RegistrantUser'
-      registrant
+      static_registrant
     end
 
     # Public user
@@ -23,10 +25,7 @@ class Ability
     can :create, :registrant_domain_update_confirm
   end
 
-  # rubocop: disable Metrics/CyclomaticComplexity
+  def static_epp
-  # rubocop: disable Metrics/PerceivedComplexity
-  # rubocop: disable Metrics/LineLength
-  def epp
     # Epp::Domain
     can(:info,     Epp::Domain) { |d, pw| d.registrar_id == @user.registrar_id || pw.blank? ? true : d.auth_info == pw }
     can(:check,    Epp::Domain)
@@ -47,12 +46,8 @@ class Ability
     can(:renew,  Epp::Contact)
     can(:view_password, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
   end
-  # rubocop: enable Metrics/LineLength
-  # rubocop: enable Metrics/CyclomaticComplexity
-  # rubocop: enable Metrics/PerceivedComplexity
 
-  def registrar
+  def static_registrar
-    can :manage, Invoice
     can :read, AccountActivity
     can :manage, Nameserver
     can :view, :registrar_dashboard
@@ -68,15 +63,38 @@ class Ability
     can :manage, :deposit
   end
 
-  def registrant
+  def static_registrant
     can :manage, :registrant_whois
     can :manage, Depp::Domain
   end
 
+  def static_billing
+    can :manage, Invoice
+  end
+
   def user
     can :show, :dashboard
   end
 
+  # api_user dynamic role
+  def super
+    static_epp
+    static_registrar
+  end
+
+  # api_user dynamic role
+  def epp
+    static_epp
+    static_registrar
+  end
+
+  # api_user dynamic role
+  def billing
+    static_registrar
+    static_billing
+  end
+
+  # admin dynamic role
   def customer_service
     user
     can :manage, Domain
@@ -84,6 +102,7 @@ class Ability
     can :manage, Registrar
   end
 
+  # admin dynamic role
   def admin
     customer_service
     can :manage, Setting
@@ -105,4 +124,7 @@ class Ability
     can :create, :zonefile
     can :access, :settings_menu
   end
+  # rubocop: enable Metrics/LineLength
+  # rubocop: enable Metrics/CyclomaticComplexity
+  # rubocop: enable Metrics/PerceivedComplexity
 end

app/models/admin_user.rb

@@ -6,7 +6,7 @@ class AdminUser < User
 
   validate :validate_identity_code, if: -> { country_code == 'EE' }
 
-  ROLES = %w(user customer_service admin)
+  ROLES = %w(user customer_service admin) # should not match to api_users roles
 
   devise :database_authenticatable, :rememberable, :trackable, :validatable, :lockable
 

app/models/api_user.rb

@@ -15,11 +15,13 @@ class ApiUser < User
   belongs_to :registrar
   has_many :certificates
 
-  validates :username, :password, :registrar, presence: true
+  validates :username, :password, :registrar, :roles, presence: true
   validates :username, uniqueness: true
 
   attr_accessor :registrar_typeahead
 
+  ROLES = %w(super epp billing) # should not match to admin roles
+
   def ability
     @ability ||= Ability.new(self)
   end

app/views/admin/api_users/_form.haml

@@ -29,11 +29,20 @@
             %span.glyphicon.glyphicon-ok.form-control-feedback.js-typeahead-ok.hidden
             %span.glyphicon.glyphicon-remove.form-control-feedback.js-typeahead-remove
             = f.hidden_field(:registrar_id, class: 'js-registrar-id')
-            .checkbox
+      .form-group
-              %label{for: 'api_user_active'}
+        .col-md-4.control-label
-                = f.check_box(:active)
+          = f.label :role
-                = t(:active)
+        .col-md-7
+          = select_tag 'api_user[roles][]', 
+            options_for_select(ApiUser::ROLES.map {|x| [t(x), x] }, @api_user.roles.try(:first)),
+            class: 'form-control selectize'
+          .checkbox
+            %label{for: 'api_user_active'}
+              = f.check_box(:active)
+              = t(:active)
+
   %hr
+
   .row
     .col-md-8.text-right
       = button_tag(t(:save), class: 'btn btn-primary')

app/views/admin/api_users/show.haml

@@ -26,6 +26,9 @@
           %dt= t(:registrar)
           %dd= link_to(@api_user.registrar, admin_registrar_path(@api_user.registrar))
 
+          %dt= t(:role)
+          %dd= @api_user.roles.join(', ')
+
           %dt= t(:active)
           %dd= @api_user.active
 .row

db/migrate/20150520163237_add_defalut_role.rb

@@ -0,0 +1,7 @@
+class AddDefalutRole < ActiveRecord::Migration
+  def change
+    ApiUser.all.each do |u|
+      u.update_column :roles, ['super'] if u.roles.blank?
+    end
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20150519144118) do
+ActiveRecord::Schema.define(version: 20150520163237) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"

spec/fabricators/api_user_fabricator.rb

@@ -5,6 +5,7 @@ Fabricator(:api_user) do
   identity_code '14212128025'
   registrar
   active true
+  roles ['super']
 end
 
 # use dedicated fabricator for fixed one

spec/models/api_user_spec.rb

@@ -13,7 +13,8 @@ describe ApiUser do
       @api_user.errors.full_messages.should match_array([
         "Password Password is missing",
         "Registrar Registrar is missing",
-        "Username Username is missing"
+        "Username Username is missing",
+        "Roles is missing"
       ])
     end