fixes #1646, #3103 - enable cloning for templates, and add read-only options

[stbenjam]

No description provided.

[dLobatog]

Could you use deep_cloneable to clone the relationships with operating systems at least? https://github.com/theforeman/foreman/blob/develop/app/models/host/managed.rb#L645 is an example

[jlsherrill]

Shouldn't clone require the 'create' permission (even though i realize its not doing much but redirecting to new)?

[stbenjam]

Host and Host group both use 'view' for clone. I assume because the permission is evaluated on the original object, and you only need to view that one.

Although it is confusing to show a clone link if the user ultimately doesn't have create rights.

[jlsherrill]

ah, then i'm okay with that if the foreman-ers are okay with it :)

[domcleal]

It's correct, though the link should only be visible if the user has the create_templates permission (due to access_permissions.rb).

[jlsherrill]

When i go to clone a template, the org and location list is empty. I would expect it to have whatever org and location I'm in similar to when i create a new template.

[stbenjam]

@jlsherrill What should the behavior be? At the moment, I clone the org and locs from the previous template. I guess I should take only the current taxonomies, if set?

[jlsherrill]

@stbenjam i could see an argument for either/both.

a) Since its a clone you'd expect everything I don't change to be the same (the way you've implemented it).
b) As a non-admin user, I might not even have permissions to access those other orgs and locations though (I assume an error would be thrown on the save?).
c) As a user I might expect it to behave the same as new.
d) As a katello user, I would want it to select my current selected org/location as that is more our workflow (user clones to their org to make edits).

For the katello usecase, katello can override the ConfigTemplate#clone method if need be. After thinking about it, i'd probably lean towards a) However I'm not sure about situation b).

[domcleal]

Use hash syntax when multiple variables are interpolated: http://projects.theforeman.org/projects/foreman/wiki/Translating#Translating-for-developers

Two nitpicks, "read only" should be hyphenated, one space after a period for consistency.

[domcleal]

Integration tests are failing, I'd guess you have a SQL query error occurring which is invalidating the txn. Could you also add a functional test for the clone route?

[dLobatog]

@clone seems unnecessary here, @config_template = @config_template.clone would work too.

[stbenjam]

I took this verbatim from the existing clone methods in other models. I assumed they did this for a reason, but you're right that should work.

[GregSutcliffe]

Overall +1, I think marking our default templates as read-only is fine (we can disable editing, but still perhaps allow complete deletion if the user really doesn't care?)

I'd suggest a boolean flag for distributor templates vs user templates, and then the distributor ones could be shown differently in the index, perhaps a separate tab or graying out of lines? Clicking on 5 templates trying to find one you can edit isn't helpful...

[stbenjam]

@GregSutcliffe A tab looks like it won't be too simple to implement, maybe a column?

A user can also search "editable = True" if we enable the field for search.

[ohadlevy]

how about a generic lock option? (make the unlock a separate process?)

[stbenjam]

@ohadlevy I hadn't planned to make them user-unlockable, the reasoning is to support default templates that can be added to multiple orgs. We don't want a user in Org A to be able to edit "Kickstart default RHEL" and affect a user in Org B. They'll have to clone to customize. But we want both Org A and Org B to see all the default templates. Then when a user creates Org C, Katello will assign all the templates that have this 'distributor' flag that @GregSutcliffe mentioned to that org too.

I also didn't plan to change Foreman's way of doing things, because locking the default templates breaks users who have edited them already, and people who use the community-templates plug-in.

Do you still want the ability to lock/unlock them in the UI by an admin? I think we'd end up having to remove that in Katello, we want to be able to always control the default templates.

[ohadlevy]

Hmm.. what is the reason why need this ? AFAIR we dont have any ajax in the template editor?

[stbenjam]

When we load the new form, the associations aren't saved in the database so we have to store them in variables like @OperatingSystems, @oraganizations, @Locations. It's not ajax here, but it's how it's named for the similar feature in other models.

[ohadlevy]

just out of curiosity, why?

[stbenjam]

Because of #1564 ,which is fixed now. I'll remove this here.

[GregSutcliffe]

@stbenjam i'm concerned about minimizing where katello diverges from core, where possible. I don't think we consume templates that differently, so I'd rather design a good workflow now, than end up in another mess later.

I think templates need to be unlockable, but with a big disclaimer about how that means the user won't get updates to that template in future releases. Give power to the user, don't lock them in. At upgrade time, you can then update Templates.where(matching name && locked). Would that be sufficient for Katello too?

re: my earlier point, I'm less concerned about how it looks, whatever works for you, so long as we can visually tell on the index whats editable and what isn't.

[stbenjam]

Ok just pushed the latest iteration, taking @ohadlevy's locked suggestion. I like the usage workflow better.

@GregSutcliffe , I added an icon to indicate locked -- what do you think? We need different icons but just an example. Maybe one for unlocked too?

By default, only an admin can lock/unlock templates. I like this because then a company can provide all the organizations a set of "standard" templates for them to use, not just the ones provided by us.

[ohadlevy]

use the lock icon we already have --> http://getbootstrap.com/components/

[GregSutcliffe]

@stbenjam Looks good, will have to do a proper code reviwe soonish. I agree with your reasons for admin only, but there's no reason not to have a permission admins can grant if they wish - just don't enable it on any roles by default ;)

No need for an unlocked icon, that will clutter and make it hard to differentiate at speed.

[stbenjam]

@GregSutcliffe @ohadlevy @elobato Cool, thanks for all the feedback so far. I think this is better than the first iteration.

Demo of what it looks like:

[stbenjam]

Last change for now. Templates which are seeded (by a plug-in for example) may set the 'default' field and lock their templates. These may not be unlocked, and we're able to let the user know why because the seeder may opt to say who the vendor is for the templates.

[dLobatog]

validate :changes, :if => lambda { |template| template.locked? || template.locked_changed? }

And remove the early return on changes_when_template_is_locked.

[dLobatog]

Merged as 4a28771 , thank you @stbenjam !