added configuration

README.md

@@ -1,11 +1,21 @@
+
 Redmine Custom Tables
 ==================
 
 This plugin provides a possibility to create custom tables. The table is built with Redmine custom fields. It allows you to create any databases you need for your business and integrate it into your workflow processes.
 
-<img src="custom_tables_v2.png" width="800"/>
+<img src="Images/custom_tables_v2.png" width="800"/>
+
+## 🆕 Enhanced Features & Modifications
+
+**Custom Modifications Added:**
+- **Advanced Permission System** - Configurable group-based access control
+- **Role-Based Restrictions** - Fine-grained control over edit/delete permissions
+- **Admin Settings Interface** - Easy configuration via plugin settings page
+- **Enhanced Security** - Controller-level and view-level permission checks
 
-[Online demo](https://redmineplus.com/sign-up-to-redmine-plus/)
+<img src="Images/custom_table_configure.png" width="800"/>
+<img src="Images/custom_table_permission.png" width="800"/>
 
 Features
 -------------
@@ -18,6 +28,9 @@ Features
 * Commenting entities
 * Export CSV/PDF
 * API
+* **🆕 Configurable permission system** - Control which user groups can edit and delete records
+* **🆕 Role-based access control** - Restrict operations to specific roles (Administrator, Manager)
+* **🆕 Settings configuration page** - Easy management of permissions via admin interface
 
 Compatibility
 -------------
@@ -26,10 +39,10 @@ Compatibility
 Installation and Setup
 ----------------------
 
-* Clone or [download](https://github.com/frywer/custom_tables/archive/master.zip) this repo into your **redmine_root/plugins/** folder
+* Clone or [download](https://github.com/Arean82/custom_tables/archive/refs/heads/master.zip) this repo into your **redmine_root/plugins/** folder
 
 ```
-$ git clone https://github.com/frywer/custom_tables.git
+$ git clone https://github.com/Arean82/custom_tables.git
 ```
 * If you downloaded a tarball / zip from master branch, make sure you rename the extracted folder to `custom_tables`
 * You have to run the plugin rake task to provide the assets (from the Redmine root directory):
@@ -40,7 +53,82 @@ $ bundle exec rake redmine:plugins:migrate RAILS_ENV=production
 
 Usage
 ----------------------
-1) Visit **Administration->Custom tables** to open table constructor. 
+### Basic Setup
+1) Visit **Administration → Custom tables** to open table constructor. 
 2) Press button **New table**. Fill the name field, select projects you want to enable table on and submit the form.
 3) Add custom fields to your new table.
-4) Give access to the users **Administration -> Roles and permissions -> Project -> Manage custom tables**
+4) Give access to the users **Administration → Roles and permissions → Project → Manage custom tables**
+5) **🆕 Configure permissions** by going to **Administration → Plugins → Custom Tables plugin → Configure** to set up which user groups can edit and delete records *(All users can view and add records, but only authorized users can edit or delete)*
+
+### 🆕 Enhanced Permission Configuration
+The plugin includes a **flexible and configurable permission system** that allows precise control over who can edit and delete custom table records:
+
+#### Default Behavior (When Custom Permissions Disabled)
+- **Administrators**: Full access (create, edit, delete)
+- **Managers**: Full access (create, edit, delete)  
+- **Other Users**: View and add records only (edit/delete buttons hidden)
+
+#### 🆕 Custom Group Permissions (Enhanced Feature)
+You can configure specific user groups to have full access via the admin interface:
+
+1. Go to **Administration → Plugins → Custom Tables plugin → Configure**
+2. Check **"Enable Custom Group Permissions"** to activate custom group-based access
+3. Select the user groups that should have full edit/delete permissions
+4. Click **Save** to apply changes
+
+#### 🆕 Multi-Layer Security
+- **View-Level Security**: Delete/edit buttons are hidden from unauthorized users
+- **Controller-Level Security**: All destructive actions are blocked at the controller level
+- **Role-Based Security**: Built-in support for Administrator and Manager roles
+- **Group-Based Security**: Custom group permissions via settings configuration
+
+#### Permission Levels
+- **Full Access Users** (Admins, Managers, or selected groups): Can create, edit, and delete tables and records
+- **Standard Users**: Can view and add records, but cannot edit or delete existing ones
+
+### 🆕 Technical Implementation Details
+The enhanced permission system includes:
+- **CustomTablesPermissionHelper** - Centralized permission logic
+- **Controller-level before_actions** - Security at the action level
+- **View-level conditionals** - UI element visibility control
+- **Settings management** - Persistent configuration storage
+- **Role and group validation** - Multi-factor permission checking
+
+### API Access
+The plugin provides API endpoints for managing custom tables and entities. API access follows the same permission rules as the web interface.
+
+Support
+-------
+If you find any bugs, feel free to create an issue on GitHub or make a pull request.
+https://github.com/frywer/custom_tables
+
+Contributors
+------------
+* Ivan Ivon (@frywer)
+* **🆕 Plugin customization and enhanced permission system** - Added configurable group-based permissions, role restrictions, and admin settings interface
+
+License
+-------
+The plugin is available under the MIT license.
+
+## 🆕 Changelog
+
+### Enhanced Version Features:
+- ✅ Configurable group-based permission system
+- ✅ Admin settings page for easy permission management  
+- ✅ Role-based restrictions (Administrator, Manager)
+- ✅ Multi-layer security (view + controller level)
+- ✅ Enhanced UI with conditional button visibility
+- ✅ Persistent settings configuration
+- ✅ Backward compatibility with existing installations
+
+
+## Key Highlights of Your Modifications:
+
+1. **🆕 Enhanced Features Section** - Clear overview of what you added
+2. **🆕 Icon indicators** - Visual markers for new features
+3. **🆕 Technical Details** - Explanation of the multi-layer security
+4. **🆕 Implementation Details** - Technical architecture of your permission system
+5. **🆕 Updated Contributors** - Credit for your enhancements
+6. **🆕 Changelog** - Summary of all new features
+

app/controllers/custom_entities_controller.rb

@@ -1,3 +1,5 @@
+#custom_entities_controller.rb
+
 class CustomEntitiesController < ApplicationController
   layout 'admin'
   self.main_menu = false
@@ -13,8 +15,14 @@ class CustomEntitiesController < ApplicationController
   helper :sort
   include SortHelper
   helper :custom_tables_pdf
+  # Add permission helper
+  helper :custom_tables_permission
+
+  #accept_api_auth :show, :create, :update, :destroy
+  accept_api_auth :index, :show, :create, :update, :destroy
 
-  accept_api_auth :show, :create, :update, :destroy
+  # Use the permission method
+  before_action :check_destroy_permission, only: [:destroy, :context_menu, :bulk_update]
 
   before_action :authorize_global
   before_action :find_custom_entity, only: [:show, :edit, :update, :add_belongs_to, :new_note]
@@ -57,10 +65,57 @@ def new_note
     end
   end
 
+
+  def destroy
+    Rails.logger.info "✅ ALLOWED: #{User.current.login} deleting CustomEntities: #{@custom_entities.map(&:id).join(', ')}"
+
+    custom_table = @custom_entities.first.custom_table
+    @custom_entities.destroy_all
+
+    respond_to do |format|
+      format.html {
+        flash[:notice] = l(:notice_successful_delete)
+        redirect_back_or_default custom_table_path(custom_table)
+      }
+      format.api { render_api_ok }
+    end
+  end
+
+  # Use the module method directly
+  def check_destroy_permission
+    unless custom_tables_user_has_full_access?
+      Rails.logger.warn "🚫 DESTROY BLOCKED: #{User.current.login}, needs full access"
+      render_403
+    end
+  end
+
+  def context_menu
+    if (@custom_entities.size == 1)
+      @custom_entity = @custom_entities.first
+    end
+    @custom_entity_ids = @custom_entities.map(&:id).sort
+
+    can_edit = @custom_entities.detect{|c| !c.editable?}.nil?
+    # Use the module method directly
+    can_delete = custom_tables_user_has_full_access?
+    @can = {:edit => can_edit, :delete => can_delete}
+    @back = back_url
+
+    @safe_attributes = @custom_entities.map(&:safe_attribute_names).reduce(:&)
+
+    render :layout => false
+  end
+
+
   def create
     @custom_entity = CustomEntity.new(author: User.current, custom_table_id: params[:custom_entity][:custom_table_id])
     @custom_entity.safe_attributes = params[:custom_entity]
 
+
+    @custom_entity.updated_by = User.current  # track updater
+    @custom_entity.updated_at = Time.current  # ensure timestamp if not automatically handled
+
+
     if @custom_entity.save
       flash[:notice] = l(:notice_successful_create)
       respond_to do |format|
@@ -88,6 +143,7 @@ def edit
   def update
     @custom_entity.init_journal(User.current)
     @custom_entity.safe_attributes = params[:custom_entity]
+    @custom_entity.updated_by = User.current  # track who updated
 
     if @custom_entity.save
       flash[:notice] = l(:notice_successful_update)
@@ -105,17 +161,24 @@ def update
     end
   end
 
-  def destroy
-    custom_table = @custom_entities.first.custom_table
-    @custom_entities.destroy_all
-
-    respond_to do |format|
-      format.html {
-        flash[:notice] = l(:notice_successful_delete)
-        redirect_back_or_default custom_table_path(custom_table)
-      }
-      format.api { render_api_ok }
+
+  def custom_tables_user_has_full_access?(user = User.current)
+    settings = Setting.plugin_custom_tables || {}
+
+    # If custom permissions are disabled, use your existing role-based logic
+    unless settings['enable_custom_permissions']
+      allowed_roles = ['Administrator', 'Manager']
+      user_roles = user.roles.map(&:name)
+      return user.admin? || user_roles.any? { |r| allowed_roles.include?(r) }
     end
+
+    # Custom permission logic
+    return true if user.admin?
+
+    allowed_group_ids = settings['allowed_groups'] || []
+    return false if allowed_group_ids.empty?
+
+    user.groups.any? { |group| allowed_group_ids.include?(group.id.to_s) }
   end
 
   def add_belongs_to
@@ -134,7 +197,7 @@ def context_menu
     @custom_entity_ids = @custom_entities.map(&:id).sort
 
     can_edit = @custom_entities.detect{|c| !c.editable?}.nil?
-    can_delete = @custom_entities.detect{|c| !c.deletable?}.nil?
+    can_delete = User.current.admin? || User.current.roles.any? { |r| ['Administrator', 'Manager'].include?(r.name) }
     @can = {:edit => can_edit, :delete => can_delete}
     @back = back_url
 

app/controllers/custom_tables_controller.rb

@@ -1,3 +1,5 @@
+# app/controllers/custom_tables_controller.rb
+
 class CustomTablesController < ApplicationController
   layout 'admin'
   self.main_menu = false
@@ -13,12 +15,18 @@ class CustomTablesController < ApplicationController
   helper :settings
   helper :custom_tables_pdf
 
+  # Add permission helper
+  helper :custom_tables_permission
+
   before_action :find_custom_table, only: [:edit, :update, :show, :destroy, :setting_tabs]
   before_action :authorize_global
   before_action :find_custom_tables, only: [:context_menu]
   before_action :setting_tabs, only: :edit
   before_action :export_custom_entities, only: :show
 
+  # ADD: Check permissions for table operations
+  before_action :check_manage_permission, only: [:new, :create, :edit, :update, :destroy, :context_menu]
+
   accept_api_auth :show, :index, :create, :update, :destroy
 
   def index
@@ -140,16 +148,45 @@ def context_menu
     end
     @custom_tables_ids = @custom_tables.map(&:id).sort
 
-    can_edit = @custom_tables.detect{|c| !c.editable?}.nil?
-    can_delete = @custom_tables.detect{|c| !c.deletable?}.nil?
-    @can = {:edit => can_edit, :delete => can_delete}
+    # Use permission helper
+    has_full_access = custom_tables_user_has_full_access?
+    @can = { edit: has_full_access, delete: has_full_access }
     @back = back_url
 
     @safe_attributes = @custom_tables.map(&:safe_attribute_names).reduce(:&)
 
     render layout: false
   end
 
+  private
+
+  def check_manage_permission
+    unless custom_tables_user_has_full_access?
+      Rails.logger.warn "🚫 MANAGE PERMISSION REQUIRED: #{User.current.login} attempted #{action_name}"
+      render_403
+      return false
+    end
+  end
+
+  def custom_tables_user_has_full_access?(user = User.current)
+    settings = Setting.plugin_custom_tables || {}
+
+    # If custom permissions are disabled, use your existing role-based logic
+    unless settings['enable_custom_permissions']
+      allowed_roles = ['Administrator', 'Manager']
+      user_roles = user.roles.map(&:name)
+      return user.admin? || user_roles.any? { |r| allowed_roles.include?(r) }
+    end
+
+    # Custom permission logic
+    return true if user.admin?
+
+    allowed_group_ids = settings['allowed_groups'] || []
+    return false if allowed_group_ids.empty?
+
+    user.groups.any? { |group| allowed_group_ids.include?(group.id.to_s) }
+  end
+
   def setting_tabs
     @setting_tabs = [
       {name: 'general', partial: 'custom_tables/edit', label: :label_general},