Changeset 721

Timestamp:

11/08/07 13:08:10 (1 year ago)

Author:

markku

Message:

User permission disabling setting. Closes #480

Files:

• trunk/app/controllers/application.rb (modified) (2 diffs)
• trunk/app/controllers/asset_permission_controller.rb (modified) (2 diffs)
• trunk/app/controllers/data_permission_controller.rb (modified) (2 diffs)
• trunk/app/controllers/setting_controller.rb (added)
• trunk/app/helpers/application_helper.rb (modified) (2 diffs)
• trunk/app/helpers/setting_helper.rb (added)
• trunk/app/models/asset.rb (modified) (13 diffs)
• trunk/app/models/asset_type.rb (modified) (2 diffs)
• trunk/app/models/protected_asset_data.rb (modified) (2 diffs)
• trunk/app/models/protected_data.rb (modified) (6 diffs)
• trunk/app/models/protector_model.rb (modified) (3 diffs)
• trunk/app/models/setting.rb (added)
• trunk/app/models/task.rb (modified) (2 diffs)
• trunk/app/models/user_account.rb (modified) (1 diff)
• trunk/app/views/asset_tree/_asset_tree.rhtml (modified) (1 diff)
• trunk/app/views/attachment/attach.rhtml (modified) (1 diff)
• trunk/app/views/attachment/view.rhtml (modified) (1 diff)
• trunk/app/views/form/_creation_form.rhtml (modified) (1 diff)
• trunk/app/views/form/view.rhtml (modified) (1 diff)
• trunk/app/views/layouts/mainlevel.rhtml (modified) (1 diff)
• trunk/app/views/setting (added)
• trunk/app/views/setting/access_control.rhtml (added)
• trunk/app/views/task/create.rhtml (modified) (1 diff)
• trunk/app/views/task/view.rhtml (modified) (2 diffs)
• trunk/config/menu.rb (modified) (1 diff)
• trunk/db/migrate/011_create_settings.rb (added)
• trunk/doc/manual/latex/tex/configuration_section.tex (modified) (3 diffs)
• trunk/doc/manual/latex/tex/customer_interface.tex (modified) (1 diff)
• trunk/public/images/22x22/settings.gif (added)
• trunk/test/functional/asset_controller_test.rb (modified) (1 diff)
• trunk/test/functional/asset_field_controller_test.rb (modified) (1 diff)
• trunk/test/functional/asset_permission_controller_test.rb (modified) (1 diff)
• trunk/test/functional/search_controller_test.rb (modified) (1 diff)
• trunk/test/functional/setting_controller_test.rb (added)
• trunk/test/test_helper.rb (modified) (2 diffs)
• trunk/test/unit/asset_test.rb (modified) (2 diffs)
• trunk/test/unit/asset_type_test.rb (modified) (1 diff)
• trunk/test/unit/assets_user_group_test.rb (modified) (1 diff)
• trunk/test/unit/attachment_test.rb (modified) (1 diff)
• trunk/test/unit/customer_test.rb (modified) (1 diff)
• trunk/test/unit/data_permission_profile_test.rb (modified) (1 diff)
• trunk/test/unit/data_permission_test.rb (modified) (1 diff)
• trunk/test/unit/form_template_test.rb (modified) (1 diff)
• trunk/test/unit/form_test.rb (modified) (1 diff)
• trunk/test/unit/form_type_test.rb (modified) (2 diffs)
• trunk/test/unit/notification_mailer_test.rb (modified) (1 diff)
• trunk/test/unit/protected_asset_data_test.rb (modified) (1 diff)
• trunk/test/unit/protected_asset_type_data_test.rb (modified) (1 diff)
• trunk/test/unit/protected_data_test.rb (modified) (2 diffs)
• trunk/test/unit/setting_test.rb (added)
• trunk/test/unit/task_template_test.rb (modified) (2 diffs)
• trunk/test/unit/task_test.rb (modified) (1 diff)
• trunk/test/unit/type_attachment_test.rb (modified) (2 diffs)

trunk/app/controllers/application.rb

@@ -21 +21 @@
-  layout 'mainlevel'
-  before_filter :set_current_user, :set_selected_asset, :prepare_tree_view, :protect_page_groups, :handle_cancel_submit, :set_host, :check_new_service_requests
+  prepend_before_filter :load_settings
-  after_filter :reset_timedout_session, :process_model_events
-
@@ -690 +691 @@
-    @service_request_id = Task.find_authorized_to_read(:first, :conditions => conditions).id if @service_request_count == 1
-  end
+
+  # Function: load_settings
+  # =======================
+  # Loads the system settings from the database.
+  #
+  def load_settings
+    Setting.load_settings
+    @enable_user_permissions = Setting.enable_user_permissions
+    return true
+  end
-end

trunk/app/controllers/asset_permission_controller.rb

@@ -14 +14 @@
-class AssetPermissionController < ApplicationController
-  prepend_before_filter :login_required
-
+check_settings, :
-  LOCK_DURATION = 1.hour
-
@@ -318 +318 @@
-    return true
-  end
+
+  # Method: check_settings
+  # ======================
+  # Makes sure that this controller can be accessed only if the user
+  # permission system is enabled.
+  def check_settings
+    invalid_request unless Setting.enable_user_permissions
+  end
-end

trunk/app/controllers/data_permission_controller.rb

@@ -13 +13 @@
-class DataPermissionController < ApplicationController
-  prepend_before_filter :login_required
+  append_before_filter :check_settings
-
-  # Function: edit
@@ -121 +122 @@
-    @object = Object.const_get(datatype).find(id)
-  end
+
+  # Method: check_settings
+  # ======================
+  # Makes sure that this controller can be accessed only if the user
+  # permission system is enabled.
+  def check_settings
+    invalid_request unless Setting.enable_user_permissions
+  end
-end

trunk/app/helpers/application_helper.rb

@@ -703 +703 @@
-  end
-
+  # Method: find_asset_tree_nodes
+  # =============================
+  # Finds nodes for the asset tree. Each node level is a ul-tag and
+  # each node (i.e. asset) is a li-tag. If user is authorized to read an asset,
+  # the corresponding node is link to the asset.
+  #
-  def find_asset_tree_nodes(group_ids, parent_id = nil, open_parent = true, branch_depth = nil)
-    asset_code_and_name_sql = ActiveRecord::Base.connection.sql_concat(:code, ' (', :name, ')')
@@ -754 +760 @@
-  end
-
+  # Method: find_all_asset_tree_nodes
+  # =================================
+  # Finds nodes for the asset tree without any permission checking.
+  #
+  # See also:
+  # ---------
+  # Documentation for the <find_asset_tree_nodes> method.
+  #
+  def find_all_asset_tree_nodes(parent_id = nil, open_parent = true, branch_depth = nil)
+    asset_code_and_name_sql = ActiveRecord::Base.connection.sql_concat(:code, ' (', :name, ')')
+    parent_condition = parent_id ? "parent_id = #{parent_id}" : 'parent_id IS NULL'
+    nodes = Asset.connection.execute("SELECT id, #{asset_code_and_name_sql}, asset_type_id, (SELECT COUNT(*) FROM assets T1 WHERE T1.parent_id = assets.id) AS child_count FROM assets WHERE #{parent_condition} ORDER BY code")
+
+    results = []
+    nodes.each do |node|
+      is_open = parent_id.nil? ? true : (open_parent and @open_node_list and @open_node_list.include?(node[0].to_i))
+      depth = @selected_asset.id == node[0].to_i ? 0 : branch_depth
+
+      # Recurse if node has children
+      children = node[3] == '0' ? '' : find_all_asset_tree_nodes(node[0], is_open, depth ? depth + 1 : nil)
+
+      is_leaf = (children == '')
+      link_text = '<span class="' + (node[2] ? 'asset_type_' + node[2] : 'asset_type_0') + '">' + node[1] + '</span>'
+      tree_symbol = is_open ? image_tag('16x16/folder_min.gif') : image_tag('16x16/folder_plu.gif')
+
+      result = '<li class="' + (is_leaf ? 'tree_leaf' : 'tree') + '">'
+      result += '<a name="asset_' + node[0].to_s + '"/>'
+      result += '<a href="/asset_tree/toggle_tree_node_open?node_id=' + node[0] + '" class="tree_open_close">' + tree_symbol + '</a>' unless is_leaf or parent_id == nil
+      case session[:asset_tree_mode]
+        when 'move'
+        result += radio_button_tag('new_parent_id', node[0], false, :disabled => (@selected_asset.id == node[0].to_i or (branch_depth and branch_depth > 0) or Asset.connection.select_values("SELECT code FROM assets WHERE parent_id = #{node[0]}").include?(@selected_asset.code)))
+        result += '<span class="' + link_class_for_asset_tree_node(node[0].to_i, node[2].to_i, branch_depth) + '">' + link_text + '</span>'
+        when 'clone'
+          result += radio_button_tag('clone_parent_id', node[0], false, :disabled => (@selected_asset.parent_id == node[0].to_i or Asset.connection.select_values("SELECT code FROM assets WHERE parent_id = #{node[0]}").include?(@selected_asset.code)))
+        result += '<span class="' + link_class_for_asset_tree_node(node[0].to_i, node[2].to_i, branch_depth) + '">' + link_text + '</span>'
+        else
+          result += '<a href="/asset_tree/select/' + node[0] + '" class="' + link_class_for_asset_tree_node(node[0].to_i, node[2].to_i, branch_depth) + '">' + link_text + '</a>'
+      end
+      result += '<ul class="tree">' + children + '</ul>' if is_open and not is_leaf
+      result += '</li>'
+      results.push(result)
+    end
+    return results.join
+  end
+
-  # Select tag that support option collections. The collection is converted
-  # to option tags with options_for_select.

trunk/app/models/asset.rb

@@ -97 +97 @@
-  # Overwrite the implementation in the parent class
-  def Asset.find_authorized_to_read(*args)
-class == Customer
+instance_of?(Customer)
-
-    args = add_conditions_to_find_arguments(args, "#{self.table_name}.customer_id = ?", [UserAccount.current_user.id])
@@ -115 +115 @@
-  #
-  def Asset.find_authorized_to(operation, args)
-
+
+
+
-
-    group_ids = UserAccount.current_user.user_groups.map {|g| g.id }
@@ -175 +177 @@
-  end
-
+  # Method: Asset.update_permission_hierarchy
+  # =========================================
+  # Updates the use_parents_permissions hierarchy. Used when the
+  # Setting.enable_user_permissions setting is toggled to true.
+  #
+  def Asset.update_permission_hierarchy
+    # Do nothing if the asset permissions are enabled
+    return false if Setting.enable_user_permissions
+
+    # Find all assets which have their own permissions.
+    Asset.find(:all, :conditions => ['use_parents_permissions = ?', false]).each { |asset|
+      return false unless asset.copy_permissions_to_empty_subassets
+    }
+    return true
+  end
+
-  # Function: full_code
-  # ===================
@@ -264 +282 @@
-
-    # Customer is authorized to read his assets.
-
+
+
+
-
-    return !((UserAccount.current_user.user_groups & self.user_groups).empty?)
@@ -283 +303 @@
-  def authorized_to_create_task?
-    # Customer is authorized to create tasks to his assets
-class == Customer
+instance_of?(Customer)
-
-    return authorized_to(:create_task)
@@ -597 +617 @@
-  #             :create_subasset, :edit_permissions, :remove.
-  def authorized_to(operation)
-
+
+
+
-
-    authorized_user_groups = self.assets_user_groups.select { |aug| aug.send(operation) }.collect { |aug| aug.user_group }
@@ -755 +777 @@
-  # Cloning permission requires the reading permission to this asset and
-  # permission to create a sub-asset to some asset, other than the parent asset
-
+
+
-  def authorized_to_clone?
-    return false unless authorized_to_read?
-    count_args = [:create_subasset]
-    # Find ids of assets that have a child with the same code as this asset
-    exclude_parent_ids = Asset.find_all_by_code(self.code).map {|a| a.parent_id }.compact
-
-
+
+
+
+
+
+
+
+
+
+
+
-    return false
-  end
@@ -774 +805 @@
-  # to this asset and the permission to create a sub-asset to some asset(s)
-  # which this asset can be moved to.
+  #
-  def authorized_to_move?
-    return false unless not(is_root?) and authorized_to_edit? and authorized_to_edit_permissions?
@@ -779 +811 @@
-    exclude_parent_ids = Asset.find_all_by_code(self.code).map {|a| a.parent_id }.compact
-    exclude_parent_ids += self.id_and_subasset_ids
-
+
+
+
+
+
+
+
-    return false
+  end
+
+  # Method: copy_permissions_to_empty_subassets
+  # ========================================
+  # Updates the use_parents_permissions hierarchy starting from this asset
+  # all the way down to the assets with use_parents_permissions false
+  # by copying the asset permissions to subassets which have no permissions
+  # (i.e. to those assets created while permission system was disabled).
+  #
+  def copy_permissions_to_empty_subassets
+    self.children.each { |asset|
+      next unless asset.use_parents_permissions
+      if asset.user_groups.empty?
+        asset.copy_permissions(self.assets_user_groups)
+        # Recursion is not needed here because the permissions propagate
+        # automatically to sub-assets which don't have any permissions.
+      else
+        asset.copy_permissions_to_empty_subassets
+      end
+    }
+    return true
-  end
-
@@ -807 +866 @@
-
-    raise(ActiveRecord::ActiveRecordError, "Asset #{self.full_code} doesn't have parent!") if self.parent.nil?
+
+    unless Setting.enable_user_permissions
+      _info("Creating sub-asset to asset #{self.parent.full_code}")
+      return true
+    end
-
-    if self.parent.authorized_to_create_subasset?
@@ -829 +893 @@
-    end
-
-
+
+
+
+
-
-    if locking_information_changed? and not (authorized_to_edit? or authorized_to_edit_permissions?)
@@ -874 +941 @@
-    if self.parent.nil?
-      self.use_parents_permissions = false
-
+Setting.enable_user_permissions and 
-      self.copy_permissions(self.parent.assets_user_groups)
-    end
@@ -1018 +1085 @@
-  #                    have to fulfill.
-  def Asset.count_authorized_to(operation, extra_conditions = nil)
+    raise 'User permissions have to be enabled' unless Setting.enable_user_permissions
+
-    return false unless UserAccount.current_user
-    user_group_ids = UserAccount.current_user.user_groups.map {|g| g.id }
-    return false if user_group_ids.empty?
+
-    case operation
-      when :read

trunk/app/models/asset_type.rb

@@ -29 +29 @@
-  # Returns true if the user is authorized to read this asset type
-  def authorized_to_read?
+    return true unless Setting.enable_user_permissions
+
-    self.assets.each { |asset|
-      return true if asset.authorized_to_read?
@@ -37 +39 @@
-  # Returns true if the user is authorized to create new instances of +datatype+ to this asset type
-  def authorized_to_create?(datatype)
+    return true unless Setting.enable_user_permissions
+
-    datatype = datatype.to_s.gsub(/^Type/, '')
-

trunk/app/models/protected_asset_data.rb

@@ -55 +55 @@
-  # Version of find that only retuns objects the user is authorized to perform +operation+ to.
-  def ProtectedAssetData.find_authorized_to(operation, args)
-
+return 
-  end
-
@@ -62 +62 @@
-    return records_not_found(args) unless user = UserAccount.current_user
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
-
-    return self.find(*args)

trunk/app/models/protected_data.rb

@@ -131 +131 @@
-  # See sub-classes for examples how this method can be used.
-  def ProtectedData.common_find_authorized_to(connection_model, asset_model_id_sql, operation, args)
+    return self.find(*args) unless Setting.enable_user_permissions
+
-    return records_not_found(args) unless user = UserAccount.current_user
-
@@ -150 +152 @@
-  # See sub-classes for examples how this method can be used.
-  def ProtectedData.common_count_authorized_to(connection_model, asset_model_id_sql, operation, conditions = nil)
+    return self.count(conditions) unless Setting.enable_user_permissions
+
-    return 0 unless user = UserAccount.current_user
-
@@ -258 +262 @@
-    end
-
+    return true unless Setting.enable_user_permissions
+
-    case operation
-    when :read
@@ -332 +338 @@
-  end
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
-  def create_data_permissions_from_users_permission_profiles
+    unless Setting.enable_user_permissions
+      self.other_read = true
+      self.other_change_state = true if has_change_state_permission?
+      self.other_edit = true
+      return true
+    end
+
-    case UserAccount.current_user.class.to_s
-      when 'User'
@@ -340 +363 @@
-        _info("Creating permissions for a #{self.class} succeeded") if self.create_data_permissions_from_profiles(profiles)
-      when 'Customer'
- Everyone can read and edit data created by customers
+
-        self.other_read = true
-        self.other_change_state = true if has_change_state_permission?
@@ -371 +394 @@
-
-      raise(ActiveRecord::ActiveRecordError, "Tried to change protected field of #{self.class}(id=#{self.id})! Possibly a failed attack!")
+    end
+
+    unless Setting.enable_user_permissions
+      _info("Saving #{self.class}(id=#{self.id})")
+      return true
-    end
-

trunk/app/models/protector_model.rb

@@ -46 +46 @@
-  # Redefine this method in sub-classes - by default users are unauthorized to operate on all data.
-  def ProtectorModel.find_authorized_to(operation, args)
-
+
+
-  end
-
@@ -52 +53 @@
-  # Redefine this method in sub-classes - by default users are unauthorized to operate on all data.
-  def authorized_to(operation)
+    return true unless Setting.enable_user_permissions
-    return false
-  end
@@ -68 +70 @@
-      _error("Have to be logged in to remove #{self.class}")
-      return false
+    end
+
+    unless Setting.enable_user_permissions
+      _info("Removing #{self.class}(id=#{self.id})")
+      return true
-    end
-

trunk/app/models/task.rb

@@ -309 +309 @@
-  #
-  def set_asset_if_customer
-s_a
+nstance_of
-    return true if self.asset
-    asset = UserAccount.current_user.assets.find(:first, :order => 'id')
@@ -325 +325 @@
-  #
-  def set_task_type_if_customer
-s_a
+nstance_of
-    self.task_type = TaskType.get_service_request_type
-    return true

trunk/app/models/user_account.rb

@@ -10 +10 @@
-#
-# This model expects a certain database layout and its based on the name/login pattern.
+#
+# Inherits:
+# ---------
+# <CmmsBase>
-#
-class UserAccount < CmmsBase

trunk/app/views/asset_tree/_asset_tree.rhtml

@@ -63 +63 @@
-  <ul class="root_tree">
-  <%=
-
-
+
+
+
+
+
+
-  %>
-  </ul>

trunk/app/views/attachment/attach.rhtml

@@ -18 +18 @@
-</form>
-
-
-
+
+
+
+
+

trunk/app/views/attachment/view.rhtml

@@ -35 +35 @@
-  <tr>
-    <td colspan="2" class="actions">
-
+
+
+
-      <%= link_to(image_tag('16x16/download.png') + _('Download'), { :action => 'download', :id => @file.id }) %>
-    </td>

trunk/app/views/form/_creation_form.rhtml

@@ -50 +50 @@
-  <% if action == 'create' -%>
-    <%= buttons_table(_('Done'), {:action => 'list'}) %>
-
+
+
+
-  <% elsif not preview -%>
-    <%= buttons_table(_('Save changes'), {:action => 'view', :id => form.id}) %>

trunk/app/views/form/view.rhtml

@@ -36 +36 @@
-      <td><%= link_to(image_tag('16x16/create.gif') + _('Create associated task'), { :controller => 'task', :action => 'create', :form_id => @form.id }) %></td>
-    <% end -%>
-
-
-
+
+
+
+
+
-    <td><%= link_to(image_tag('16x16/download.png') + _('Download'),
-                    {:action => 'download', :id => @form.id}) %></td>

trunk/app/views/layouts/mainlevel.rhtml

@@ -10 +10 @@
-  top_menus = []
-  actions = []
+end
+
+# If user permissions are disabled remove some menu items
+unless @enable_user_permissions
+  actions = actions.reject { |item| item.controller == 'asset_permission' }
-end
--%>

trunk/app/views/task/create.rhtml

@@ -46 +46 @@
-</form>
-
-
+
+
+
-
-<script type="text/javascript">

trunk/app/views/task/view.rhtml

@@ -44 +44 @@
-        <%= radio_button_tag('task_action', 'leave', true) %><%= _('Leave as closed') %><br/>
-        <%= radio_button_tag('task_action', 'reopen') %><%= _('Reopen task') %><br/>
-    
+
-
-    <h4><%= _('Comments') %></h4>
@@ -75 +75 @@
-    <td><%= link_to(image_tag('16x16/move_selected.gif') + _('Move'),
-                    {:action=>'move', :id => @task.id}) %></td>
-
-
-
+
+
+
+
+
-    <td><%= link_to(image_tag('16x16/download.png') + _('Download'),
-                    {:action => 'download', :id => @task.id}) %></td>

trunk/config/menu.rb

@@ -94 +94 @@
-                      Page.new('user_group', 'users')
-                    ),
+                    MenuButton.new(_('Settings'), '22x22/settings.gif',
+                      MenuItem.new(_('Edit'), 'setting', 'access_control', '16x16/edit.gif')
+                    ),
-                    MenuButton.new(_('Keyrings'), '22x22/menu_permission.gif',
-                      MenuItem.new(_('List'), 'keyring', 'list', '16x16/list.gif'),

trunk/doc/manual/latex/tex/configuration_section.tex

@@ -204 +204 @@
-\subsection{Access control}
-\label{subsec:access_control}
-
+Settings, 
-
-\subsection{Keys}
@@ -237 +237 @@
-\paragraph{Create}
-You can create a new keyring by using the Create function. Enter information for the keyring to the creation form and submit it by selecting the 'Create' button. You can copy keys from an existing keyring to the created keyring by choosing the 'Copy keys from an existing keyring' option and by selecting a keyring from the selection before pushing the 'Create' button. In many cases this can ease the keyring creation, since adding keys to the created keyring one-by-one can be a laborious task.
+
+\subsection{Settings}
+\label{subsec:settings}
+In the Settings menu you can edit access control settings.
+
+The 'Enable the user permission system for assets' setting enables you to choose whether you want to use the user permission system or not. By default the user permission system is disabled. If the level of access control provided by the keys and keyrings is sufficient for you, we recommend you to leave the user permission system disabled. If you need user specific user rights for assets and their data, you  can enable the user permission system. In this case see the sub-section~\ref{subsec:user_groups} for more information.
-
-\subsection{User groups}
@@ -295 +301 @@
-Each asset in NorfelloCMMS OS can be associated with a customer. Usually a customer is a company or an organization or a person to whom you provide maintenance services. You can manage your customers in the 'Customers' menu.
-
-chapter~\ref{ch
+section~\ref{sec
-
-Each customer has the following fields where information is stored

trunk/doc/manual/latex/tex/customer_interface.tex

@@ -1 +1 @@
-\section{Customer interface}
+\label{sec:customer_interface}
-The sole purpose of the Customer interface is to help you to serve your customers better.  In the Customer interface your customers can:
-\begin{itemize}

trunk/test/functional/asset_controller_test.rb

@@ -11 +11 @@
-    @request    = ActionController::TestRequest.new
-    @response   = ActionController::TestResponse.new
+
+    setup_settings
-
-    @ref_url = 'http://test.host/redirect/back'

trunk/test/functional/asset_field_controller_test.rb

@@ -10 +10 @@
-    @request    = ActionController::TestRequest.new
-    @response   = ActionController::TestResponse.new
+
+    setup_settings
-
-    @user_group = create_user_group('Admins')

trunk/test/functional/asset_permission_controller_test.rb

@@ -10 +10 @@
-    @request    = ActionController::TestRequest.new
-    @response   = ActionController::TestResponse.new
+
+    setup_settings
-
-    # The service request task type

trunk/test/functional/search_controller_test.rb

@@ -14 +14 @@
-    @ref_url = 'http://test.host/redirect/back'
-    @request.env['HTTP_REFERER'] = @ref_url
+
+    setup_settings
-
-    # The service request task type

trunk/test/test_helper.rb

@@ -40 +40 @@
-
-  # Add more helper methods to be used by all tests here...
+
+  # Method: setup_settings
+  # ======================
+  # Sets up "hardcoded" system settings
+  #
+  def setup_settings(enable_user_permissions = true)
+    Setting.set('enable_user_permissions', enable_user_permissions)
+    Setting.load_settings
+  end
-
-  # Creates an asset, a user, a user group and a keyring.
@@ -48 +57 @@
-    @ref_url = 'http://test.host/redirect/back'
-    @request.env['HTTP_REFERER'] = @ref_url
+
+    setup_settings
-
-    # The service request task type

trunk/test/unit/asset_test.rb

@@ -4 +4 @@
-
-  def setup
+    setup_settings
+
-    @user_group = create_user_group('Admins')
-    @user = create_user('admin')
@@ -1165 +1167 @@
-  end
-
+  # Method: test_permissions_disabled
+  # =================================
+  # Check that the asset permissions can be disabled with the setting.
+  #
+  def test_permissions_disabled
+    # Disable the user permission system.
+    setup_settings(false)
+
+    # User without any permissions
+    UserAccount.current_user = create_user('test')
+
+    # All permission quering methods have to return true.
+    #
+    # It might seem odd to grant the edit_permissions permission. However,
+    # it's needed when the use_parents_permissions hierarchy is updated -
+    # This happens when the permission system is enabled.
+    #
+    assert_equal true, @root.authorized_to_read?
+    assert_equal true, @root.authorized_to_edit?
+    assert_equal true, @root.authorized_to_edit_permissions?
+    assert_equal true, @root.authorized_to_remove?
+    assert_equal true, @root.authorized_to_create_subasset?
+    assert_equal true, @root.authorized_to_create_task?
+    assert_equal true, @root.authorized_to_create_form?
+    assert_equal true, @root.authorized_to_attach_file?
+    assert_equal true, @root.authorized_to_edit_branch?
+    assert_equal true, @root.authorized_to_remove_branch?
+    assert_equal true, @root.authorized_to_clone?
+    assert_equal true, @unauthorized.authorized_to_clone?
+    assert_equal false, @root.authorized_to_move?
+    assert_equal true, @unauthorized.authorized_to_move?
+
+    # All finder methods have to return all assets
+    all_assets = Asset.find(:all, :order => 'id')
+    assert_equal all_assets, Asset.find_authorized_to_read(:all, :order => 'id')
+    assert_equal all_assets, Asset.find_authorized_to_edit(:all, :order => 'id')
+    assert_equal all_assets, Asset.find_authorized_to(:edit_permissions, [:all, {:order => 'id'}])
+    assert_equal all_assets, Asset.find_authorized_to(:edit_permissions, [:all, {:order => 'id'}])
+    assert_equal all_assets, Asset.find_authorized_to(:remove, [:all, {:order => 'id'}])
+    assert_equal all_assets, Asset.find_authorized_to(:create_subasset, [:all, {:order => 'id'}])
+    assert_equal all_assets, Asset.find_authorized_to(:create_task, [:all, {:order => 'id'}])
+    assert_equal all_assets, Asset.find_authorized_to(:create_form, [:all, {:order => 'id'}])
+    assert_equal all_assets, Asset.find_authorized_to(:attach_file, [:all, {:order => 'id'}])
+
+    # Check callbacks work.
+    #
+    # Create an asset
+    asset = Asset.new(:code => 'NEW', :name => 'New asset')
+    asset.parent = @root
+    assert_equal true, asset.save
+    assert_equal false, asset.new_record?
+    assert_equal true, asset.errors.empty?
+    assert_equal true, asset.use_parents_permissions
+    assert_equal true, asset.user_groups.empty?
+    #
+    # Update asset
+    asset.name += ' - Edited'
+    assert_equal true, asset.save