From 576bffbf78c16c278b27eefd445a8f6368f70884 Mon Sep 17 00:00:00 2001
From: dleadbetter <derek@performantsoftware.com>
Date: Fri, 27 Dec 2024 06:46:47 -0500
Subject: [PATCH 1/3] BASIRA #294 - Updating base_controller to allow users to
 update/delete records created by themselves

---
 app/controllers/api/base_controller.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index 40d58f6..f8bd956 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -23,12 +23,17 @@ def prepare_params
 
   private
 
+  def is_owned?
+    item = item_class.find(params[:id])
+    item.created_by_id == current_user.id
+  end
+
   def validate_delete_authorization
-    render json: { errors: [I18n.t('errors.unauthorized')] }, status: :unauthorized unless current_user.admin?
+    render json: { errors: [I18n.t('errors.unauthorized')] }, status: :unauthorized unless current_user.admin? || is_owned?
   end
 
   def validate_update_authorization
-    return if current_user.admin?
+    return if current_user.admin? || is_owned?
 
     unauthorized = false
 

From ba4bf0a1da39422b15964e5cb6fdefac18827a94 Mon Sep 17 00:00:00 2001
From: dleadbetter <derek@performantsoftware.com>
Date: Fri, 27 Dec 2024 06:47:11 -0500
Subject: [PATCH 2/3] BASIRA #294 - Adding created_by_id to serializers

---
 app/serializers/artworks_serializer.rb            | 6 +++---
 app/serializers/documents_serializer.rb           | 7 ++++---
 app/serializers/physical_components_serializer.rb | 6 +++---
 app/serializers/visual_contexts_serializer.rb     | 6 +++---
 4 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/app/serializers/artworks_serializer.rb b/app/serializers/artworks_serializer.rb
index 2730542..c5cbb40 100644
--- a/app/serializers/artworks_serializer.rb
+++ b/app/serializers/artworks_serializer.rb
@@ -4,18 +4,18 @@ class ArtworksSerializer < BaseSerializer
   include LocateableSerializer
   include NestableSerializer
 
-  index_attributes :id, :date_start, :date_end, :date_descriptor, :published, :created_at, :updated_at,
+  index_attributes :id, :date_start, :date_end, :date_descriptor, :published, :created_at, :updated_at, :created_by_id,
                     primary_title: [:id, :title, qualifications: QualificationsSerializer],
                     updated_by: UsersSerializer, created_by: UsersSerializer
 
   show_attributes :id, :date_start, :date_end, :date_descriptor, :published, :height, :width, :depth,
                   :notes_external, :notes_internal, :repository_work_url, :accession_number,
-                  :documents_count, :number_documents_visible, :created_at, :updated_at,
+                  :documents_count, :number_documents_visible, :created_at, :updated_at, :created_by_id,
                   artwork_titles: [:id, :title, :notes, :primary, qualifications: QualificationsSerializer],
                   updated_by: UsersSerializer, created_by: UsersSerializer,
                   participations: ParticipationsSerializer, qualifications: QualificationsSerializer
 
-  nested_attributes :id, primary_title: [:id, :title, qualifications: QualificationsSerializer],
+  nested_attributes :id, :created_by_id, primary_title: [:id, :title, qualifications: QualificationsSerializer],
                     primary_attachment: [:id, :file_url, :primary, :thumbnail_url],
                     children: { physical_components: PhysicalComponentsSerializer }
 end
diff --git a/app/serializers/documents_serializer.rb b/app/serializers/documents_serializer.rb
index fb8845f..060d3b9 100644
--- a/app/serializers/documents_serializer.rb
+++ b/app/serializers/documents_serializer.rb
@@ -3,12 +3,12 @@ class DocumentsSerializer < BaseSerializer
   include AttachableSerializer
   include NestableSerializer
 
-  index_attributes :id, :name
+  index_attributes :id, :name, :created_by_id
 
   show_attributes :id, :name, :visual_context_id, :notes, :number_sewing_supports, :number_fastenings,
                   :inscriptions_on_binding, :inscription_text, :endband_present, :uncut_fore_edges, :fore_edge_text,
                   :bookmarks_registers, :text_columns, :ruling, :rubrication, :transcription, :transcription_expanded,
-                  :transcription_translation, :identity, :created_at, :updated_at,
+                  :transcription_translation, :identity, :created_at, :updated_at, :created_by_id,
                   qualifications: QualificationsSerializer, actions: [:id, :document_id, :notes,
                   qualifications: QualificationsSerializer]
 
@@ -23,5 +23,6 @@ class DocumentsSerializer < BaseSerializer
     }
   end
 
-  nested_attributes :id, :visual_context_id, :name, primary_attachment: [:id, :file_url, :primary, :thumbnail_url]
+  nested_attributes :id, :visual_context_id, :name, :created_by_id,
+                    primary_attachment: [:id, :file_url, :primary, :thumbnail_url]
 end
diff --git a/app/serializers/physical_components_serializer.rb b/app/serializers/physical_components_serializer.rb
index 8313540..69637d7 100644
--- a/app/serializers/physical_components_serializer.rb
+++ b/app/serializers/physical_components_serializer.rb
@@ -3,11 +3,11 @@ class PhysicalComponentsSerializer < BaseSerializer
   include AttachableSerializer
   include NestableSerializer
 
-  index_attributes :id, :name
+  index_attributes :id, :name, :created_by_id
 
-  show_attributes :id, :artwork_id, :name, :height, :width, :depth, :notes, :created_at, :updated_at
+  show_attributes :id, :artwork_id, :name, :height, :width, :depth, :notes, :created_at, :updated_at, :created_by_id
 
-  nested_attributes :id, :artwork_id, :name,
+  nested_attributes :id, :artwork_id, :name, :created_by_id,
                     primary_attachment: [:id, :file_url, :primary, :thumbnail_url],
                     children: { visual_contexts: VisualContextsSerializer }
 end
diff --git a/app/serializers/visual_contexts_serializer.rb b/app/serializers/visual_contexts_serializer.rb
index 0dea42b..ec1c76f 100644
--- a/app/serializers/visual_contexts_serializer.rb
+++ b/app/serializers/visual_contexts_serializer.rb
@@ -3,14 +3,14 @@ class VisualContextsSerializer < BaseSerializer
   include AttachableSerializer
   include NestableSerializer
 
-  index_attributes :id, :name
+  index_attributes :id, :name, :created_by_id
 
   show_attributes :id, :physical_component_id, :name, :height, :width, :depth, :notes, :beta, :created_at, :updated_at,
-                  qualifications: QualificationsSerializer
+                  :created_by_id, qualifications: QualificationsSerializer
 
   show_attributes(:artwork_id) { |visual_context| visual_context.physical_component&.artwork_id }
 
-  nested_attributes :id, :physical_component_id, :name,
+  nested_attributes :id, :physical_component_id, :name, :created_by_id,
                     primary_attachment: [:id, :file_url, :primary, :thumbnail_url],
                     children: { documents: DocumentsSerializer }
 end

From a51bc2b4101e552cd2a833a6dfa567a46dd65373 Mon Sep 17 00:00:00 2001
From: dleadbetter <derek@performantsoftware.com>
Date: Fri, 27 Dec 2024 06:49:37 -0500
Subject: [PATCH 3/3] BASIRA #294 - Removing delete buttons when user does not
 have permissions

---
 client/src/components/AdminArtworkMenu.js | 43 +++++++++++-------
 client/src/components/ArtworkMenu.js      | 28 +++++-------
 client/src/pages/admin/Artworks.js        |  4 +-
 client/src/services/Permissions.js        | 55 +++++++++++++++++++++++
 client/src/services/Session.js            | 15 ++++++-
 client/src/types/Artwork.js               |  1 +
 client/src/types/Document.js              |  3 +-
 client/src/types/PhysicalComponent.js     |  3 +-
 client/src/types/VisualContext.js         |  3 +-
 9 files changed, 115 insertions(+), 40 deletions(-)
 create mode 100644 client/src/services/Permissions.js

diff --git a/client/src/components/AdminArtworkMenu.js b/client/src/components/AdminArtworkMenu.js
index 6b422f1..89f0931 100644
--- a/client/src/components/AdminArtworkMenu.js
+++ b/client/src/components/AdminArtworkMenu.js
@@ -17,6 +17,7 @@ import ArtworksService from '../services/Artworks';
 import DocumentsService from '../services/Documents';
 import { getPhysicalComponents, getVisualContexts } from '../utils/Artwork';
 import ItemLabel from './ItemLabel';
+import PermissionsService from '../services/Permissions';
 import PhysicalComponentsService from '../services/PhysicalComponents';
 import Session from '../services/Session';
 import VisualContextsService from '../services/VisualContexts';
@@ -173,7 +174,7 @@ const AdminArtworkMenu = (props: Props) => {
           to={`/admin${path}`}
         />
       )}
-      { Session.isAdmin() && onDelete && (
+      { onDelete && (
         <Button
           icon='times'
           onClick={(e) => {
@@ -241,6 +242,11 @@ const AdminArtworkMenu = (props: Props) => {
   const renderRight = useCallback((item: ItemType) => {
     // Artwork type
     if (item.type === ItemTypes.artwork) {
+      const onDelete = () => setDeleteItem({
+        ...item,
+        onDelete: () => ArtworksService.delete(item)
+      });
+
       return renderActions({
         addPath: {
           pathname: '/admin/physical_components/new',
@@ -248,16 +254,18 @@ const AdminArtworkMenu = (props: Props) => {
             artwork_id: item.id
           }
         },
-        onDelete: () => setDeleteItem({
-          ...item,
-          onDelete: () => ArtworksService.delete(item)
-        }),
+        onDelete: PermissionsService.canDeleteArtwork(item) ? onDelete : undefined,
         path: item.path
       });
     }
 
     // Physical component type
     if (item.type === ItemTypes.physicalComponent) {
+      const onDelete = () => setDeleteItem({
+        ...item,
+        onDelete: () => PhysicalComponentsService.delete(item)
+      });
+
       return renderActions({
         addPath: {
           pathname: '/admin/visual_contexts/new',
@@ -266,16 +274,18 @@ const AdminArtworkMenu = (props: Props) => {
             physical_component_id: item.id
           }
         },
-        onDelete: () => setDeleteItem({
-          ...item,
-          onDelete: () => PhysicalComponentsService.delete(item)
-        }),
+        onDelete: PermissionsService.canDeletePhysicalComponent(item) ? onDelete : undefined,
         path: item.path
       });
     }
 
     // Visual context type
     if (item.type === ItemTypes.visualContext) {
+      const onDelete = () => setDeleteItem({
+        ...item,
+        onDelete: () => VisualContextsService.delete(item)
+      });
+
       return renderActions({
         addPath: {
           pathname: '/admin/documents/new',
@@ -284,10 +294,7 @@ const AdminArtworkMenu = (props: Props) => {
             visual_context_id: item.id
           }
         },
-        onDelete: () => setDeleteItem({
-          ...item,
-          onDelete: () => VisualContextsService.delete(item)
-        }),
+        onDelete: PermissionsService.canDeleteVisualContext(item) ? onDelete : undefined,
         onReorder: () => setReorderItem({
           ...item,
           onReorder: (parentId) => VisualContextsService.save({
@@ -301,11 +308,13 @@ const AdminArtworkMenu = (props: Props) => {
 
     // Document type
     if (item.type === ItemTypes.document) {
+      const onDelete = () => setDeleteItem({
+        ...item,
+        onDelete: () => DocumentsService.delete(item)
+      });
+
       return renderActions({
-        onDelete: () => setDeleteItem({
-          ...item,
-          onDelete: () => DocumentsService.delete(item)
-        }),
+        onDelete: PermissionsService.canDeleteDocument(item) ? onDelete : undefined,
         onReorder: () => setReorderItem({
           ...item,
           onReorder: (parentId) => DocumentsService.save({
diff --git a/client/src/components/ArtworkMenu.js b/client/src/components/ArtworkMenu.js
index 007508c..dacca5c 100644
--- a/client/src/components/ArtworkMenu.js
+++ b/client/src/components/ArtworkMenu.js
@@ -8,12 +8,12 @@ import React, {
   useState,
   type Node
 } from 'react';
+import { useLocation } from 'react-router-dom';
 import { Image, Loader } from 'semantic-ui-react';
 import _ from 'underscore';
 import ArtworksService from '../services/Artworks';
 import DocumentsService from '../services/Documents';
 import ItemLabel from './ItemLabel';
-import { useLocation } from 'react-router-dom';
 import './ArtworkMenu.css';
 
 type ItemType = {
@@ -159,14 +159,13 @@ const ArtworkMenu = (props: Props) => {
    * level: number, name, id, type: string}}
    */
   const transformDocument = useCallback((parent, doc) => ({
-    id: doc.id,
-    name: doc.name,
+    ..._.pick(doc, 'id', 'name', 'created_by_id'),
     image: doc.primary_attachment && doc.primary_attachment.thumbnail_url,
     type: ItemTypes.document,
     level: 3,
     path: `/documents/${doc.id}`,
     parent: { ...parent, path: `/admin/visual_contexts/${parent.id}` },
-    onDelete: () => DocumentsService.delete(doc)
+    onDelete: () => DocumentsService.delete(doc),
   }), []);
 
   /**
@@ -179,14 +178,13 @@ const ArtworkMenu = (props: Props) => {
    * level: number, children, name, id, type: string, onAdd: (function(): *)}}
    */
   const transformVisualContext = useCallback((parent, vc) => ({
-      id: vc.id,
-      name: vc.name,
-      image: vc.primary_attachment && vc.primary_attachment.thumbnail_url,
-      type: ItemTypes.visualContext,
-      level: 2,
-      path: `/visual_contexts/${vc.id}`,
-      parent: { ...parent, path: `/physical_components/${parent.id}` },
-      children: _.map(vc.documents, transformDocument.bind(this, vc))
+    ..._.pick(vc, 'id', 'name', 'created_by_id'),
+    image: vc.primary_attachment && vc.primary_attachment.thumbnail_url,
+    type: ItemTypes.visualContext,
+    level: 2,
+    path: `/visual_contexts/${vc.id}`,
+    parent: { ...parent, path: `/physical_components/${parent.id}` },
+    children: _.map(vc.documents, transformDocument.bind(this, vc))
   }), [transformDocument]);
 
   /**
@@ -199,8 +197,7 @@ const ArtworkMenu = (props: Props) => {
    * level: number, children, name, id, type: string, onAdd: (function(): *)}}
    */
   const transformPhysicalComponent = useCallback((parent, pc) => ({
-    id: pc.id,
-    name: pc.name,
+    ..._.pick(pc, 'id', 'name', 'created_by_id'),
     image: pc.primary_attachment && pc.primary_attachment.thumbnail_url,
     type: ItemTypes.physicalComponent,
     level: 1,
@@ -218,8 +215,7 @@ const ArtworkMenu = (props: Props) => {
    * level: number, children, name: *, id, type: string, onAdd: (function(): *)}}
    */
   const transformArtwork = useCallback((a) => ({
-    id: a.id,
-    name: a.primary_title && a.primary_title.title,
+    ..._.pick(a, 'id', 'name', 'created_by_id'),
     image: a.primary_attachment && a.primary_attachment.thumbnail_url,
     type: ItemTypes.artwork,
     level: 0,
diff --git a/client/src/pages/admin/Artworks.js b/client/src/pages/admin/Artworks.js
index 9cbde4d..2113d19 100644
--- a/client/src/pages/admin/Artworks.js
+++ b/client/src/pages/admin/Artworks.js
@@ -7,7 +7,7 @@ import { Container, Header } from 'semantic-ui-react';
 import _ from 'underscore';
 import ArtworksService from '../../services/Artworks';
 import Authorization from '../../utils/Authorization';
-import Session from '../../services/Session';
+import PermissionsService from '../../services/Permissions';
 import Thumbnail from '../../components/Thumbnail';
 import User from '../../transforms/User';
 import Users from '../../services/Users';
@@ -28,7 +28,7 @@ const Artworks = (props: Props) => (
         name: 'edit',
         onClick: (item) => props.history.push(`/admin/artworks/${item.id}`)
       }, {
-        accept: () => Session.isAdmin(),
+        accept: (item) => PermissionsService.canDeleteArtwork(item),
         icon: 'times',
         name: 'delete'
       }, {
diff --git a/client/src/services/Permissions.js b/client/src/services/Permissions.js
new file mode 100644
index 0000000..a5e4342
--- /dev/null
+++ b/client/src/services/Permissions.js
@@ -0,0 +1,55 @@
+// @flow
+
+import type { Artwork } from '../types/Artwork';
+import Session from './Session';
+import type { PhysicalComponent } from '../types/PhysicalComponent';
+import type { Document } from '../types/Document';
+import type { VisualContext } from '../types/VisualContext';
+
+class Permissions {
+  /**
+   * Returns `true` if the passed artwork can be deleted by the current user.
+   *
+   * @param artwork
+   *
+   * @returns {*|boolean}
+   */
+  canDeleteArtwork(artwork: Artwork) {
+    return Session.isAdmin() || Session.getUserId() === artwork.created_by_id;
+  }
+
+  /**
+   * Returns `true` if the passed document can be deleted by the current user.
+   *
+   * @param document
+   *
+   * @returns {*|boolean}
+   */
+  canDeleteDocument(document: Document) {
+    return Session.isAdmin() || Session.getUserId() === document.created_by_id;
+  }
+
+  /**
+   * Returns `true` if the passed physical component can be deleted by the current user.
+   *
+   * @param physicalComponent
+   *
+   * @returns {*|boolean}
+   */
+  canDeletePhysicalComponent(physicalComponent: PhysicalComponent) {
+    return Session.isAdmin() || Session.getUserId() === physicalComponent.created_by_id;
+  }
+
+  /**
+   * Returns `true` if the passed visual context can be deleted by the current user.
+   *
+   * @param visualContext
+   *
+   * @returns {*|boolean}
+   */
+  canDeleteVisualContext(visualContext: VisualContext) {
+    return Session.isAdmin() || Session.getUserId() === visualContext.created_by_id;
+  }
+}
+
+export default new Permissions();
\ No newline at end of file
diff --git a/client/src/services/Session.js b/client/src/services/Session.js
index a85b64d..960853c 100644
--- a/client/src/services/Session.js
+++ b/client/src/services/Session.js
@@ -10,7 +10,7 @@ class Session {
    * @param response
    */
   create(response: any) {
-    const { name, uid, admin } = response.data.data;
+    const { name, uid, admin, id } = response.data.data;
 
     sessionStorage.setItem('user',
       JSON.stringify({
@@ -18,7 +18,8 @@ class Session {
         client: response.headers.client,
         name,
         uid,
-        admin
+        admin,
+        id
       }));
   }
 
@@ -39,6 +40,16 @@ class Session {
     return user.name;
   }
 
+  /**
+   * Returns the ID of the current user.
+   *
+   * @returns {*}
+   */
+  getUserId() {
+    const user = this.parseUser();
+    return user.id;
+  }
+
   /**
    * Returns true if the currently logged in user is an admin.
    *
diff --git a/client/src/types/Artwork.js b/client/src/types/Artwork.js
index 32ef6da..6753e14 100644
--- a/client/src/types/Artwork.js
+++ b/client/src/types/Artwork.js
@@ -21,6 +21,7 @@ export type Artwork = Attachable & Locateable & Participateable & {
   accession_number: string,
   documents_count: number,
   number_documents_visible: number,
+  created_by_id: number,
   created_by: User,
   updated_by: User,
   created_at: string,
diff --git a/client/src/types/Document.js b/client/src/types/Document.js
index fedf862..a792486 100644
--- a/client/src/types/Document.js
+++ b/client/src/types/Document.js
@@ -21,5 +21,6 @@ export type Document = {
   identity: string,
   transcription: string,
   transcription_expanded: string,
-  transcription_translation: string
+  transcription_translation: string,
+  created_by_id: number
 };
diff --git a/client/src/types/PhysicalComponent.js b/client/src/types/PhysicalComponent.js
index d9f4b5c..e51b848 100644
--- a/client/src/types/PhysicalComponent.js
+++ b/client/src/types/PhysicalComponent.js
@@ -7,5 +7,6 @@ export type PhysicalComponent = Attachable & {
   name: string,
   height: number,
   width: number,
-  depth: number
+  depth: number,
+  created_by_id: number
 };
diff --git a/client/src/types/VisualContext.js b/client/src/types/VisualContext.js
index 2df7a6c..c8bc88d 100644
--- a/client/src/types/VisualContext.js
+++ b/client/src/types/VisualContext.js
@@ -8,5 +8,6 @@ export type VisualContext = Attachable & {
   height: number,
   width: number,
   depth: number,
-  beta: boolean
+  beta: boolean,
+  created_by_id: number
 };