all users can create projects

sapcc · Nov 6, 2024 · e5d4307 · e5d4307
1 parent 4e3b56e
commit e5d4307
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 22 deletions.
diff --git a/plugins/identity/app/controllers/identity/domains/create_wizard_controller.rb b/plugins/identity/app/controllers/identity/domains/create_wizard_controller.rb
@@ -8,6 +8,7 @@ def new
         @project = services.identity.new_project
         @project.cost_control = {}
         return unless @inquiry
+
         @project.attributes = @inquiry.payload
       end
 
@@ -21,12 +22,12 @@ def create
         @project = services.identity.new_project
         @project.attributes = project_params
 
-        @project.enabled = @project.enabled == "true"
+        @project.enabled = @project.enabled == 'true'
 
         @project.escape_attributes!
 
         if @project.save
-          audit_logger.info(current_user, "has created", @project)
+          audit_logger.info(current_user, 'has created', @project)
 
           flash.now[:notice] = "Project #{@project.name} successfully created."
           if @inquiry
@@ -41,14 +42,14 @@ def create
                 :approved,
                 "Project #{@project.name} approved and \
               created by #{current_user.full_name}",
-                current_user,
+                current_user
               )
             services.identity.grant_project_user_role_by_role_name(
               @project.id,
               inquiry.requester.uid,
-              "admin",
+              'admin'
             )
-            render "identity/domains/create_wizard/create", formats: :js
+            render 'identity/domains/create_wizard/create', formats: :js
           else
             # there is no requiry -> current user is the creator of this
             # project. give current user all needed roles
@@ -68,28 +69,29 @@ def create
 
       def load_and_authorize_inquiry
         return if params[:inquiry_id].blank?
+
         @inquiry = services.inquiry.get_inquiry(params[:inquiry_id])
 
         if @inquiry
           enforce_permissions(
-            "identity:project_create",
+            'identity:project_create',
             project: {
-              domain_id: @scoped_domain_id,
-            },
+              domain_id: @scoped_domain_id
+            }
           )
         else
-          render template: "/identity/domains/create_wizard/not_found"
+          render template: '/identity/domains/create_wizard/not_found'
         end
       end
 
       protected
 
       def assign_needed_roles(project_id, user_id)
         %w[admin member network_admin resource_admin].each do |role_name|
-          services.identity.grant_project_user_role_by_role_name(
+          service_user.identity.grant_project_user_role_by_role_name(
             project_id,
             user_id,
-            role_name,
+            role_name
           )
         end
       end

diff --git a/plugins/identity/app/views/identity/domains/show.html.haml b/plugins/identity/app/views/identity/domains/show.html.haml
@@ -89,15 +89,6 @@
             %li
               = link_to "User Management", plugin('identity').domains_users_path
 
-        -  if current_user.is_allowed?('identity:project_create',{project: {domain_id: @scoped_domain_id}})
-          %h5
-            %i.project-icon
-            Projects
-
-          %ul.plain-list
-            %li
-              = link_to 'Create a New Project', plugin('identity').domains_create_project_path, data: {modal: true}
-
     - if plugin_available?('lookup') && current_user.is_allowed?('lookup:reverse_lookup_list', domain_id: @scoped_domain_id)
       %h5
         %i.lookup-icon
@@ -119,6 +110,15 @@
             = " (#{::Inquiry::Inquiry.requestor_requests_count(@scoped_domain_id, current_user.id)})"
 
 
+    -  if current_user.is_allowed?('identity:project_create',{project: {domain_id: @scoped_domain_id}})
+      %h5
+        %i.project-icon
+        Projects
+
+      %ul.plain-list
+        %li
+          = link_to 'Create a New Project', plugin('identity').domains_create_project_path, data: {modal: true}
+
     - if current_user.is_allowed?('identity:project_request', domain_id: @scoped_domain_id) && plugin_available?(:identity)
       %h5
         %i.project-icon

diff --git a/plugins/identity/config/policy.json b/plugins/identity/config/policy.json
@@ -12,8 +12,8 @@
   "identity:project_update": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:admin_and_matching_target_project_id",
   "identity:project_delete": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or rule:admin_and_matching_target_project_id",
 
-  "identity:project_create": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
-  "identity:project_request": "not(project_id:nil and role:admin)",
+  "identity:project_create": "@",
+  "identity:project_request": "!",
 
   "identity:project_api_endpoints": "not(project_id:nil)",
   "identity:project_download_openrc": "not(project_id:nil)",