Merge pull request #1349 from okriuchykhin/ok_SCI_2818

Fix project index endpoint permission bug [SCI-2818]
2025-01-31 12:09:17 +08:00 · 2018-10-29 14:59:22 +01:00 · 2018-10-29 14:59:22 +01:00 · 126fa03305
commit 126fa03305
parent 1083ce61fb 9ad2718f32
2 changed files with 11 additions and 0 deletions
--- a/app/controllers/api/v1/projects_controller.rb
+++ b/app/controllers/api/v1/projects_controller.rb
@ -9,6 +9,7 @@ module Api

      def index
        projects = @team.projects
+                        .visible_to(current_user, @team)
                        .page(params.dig(:page, :number))
                        .per(params.dig(:page, :size))

--- a/app/models/project.rb
+++ b/app/models/project.rb
@ -39,6 +39,16 @@ class Project < ApplicationRecord
  has_many :reports, inverse_of: :project, dependent: :destroy
  has_many :report_elements, inverse_of: :project, dependent: :destroy

+  scope :visible_to, (lambda do |user, team|
+                        unless user.is_admin_of_team?(team)
+                          left_outer_joins(:user_projects)
+                          .where(
+                            'visibility = 1 OR user_projects.user_id = :id',
+                            id: user.id
+                          )
+                        end
+                      end)
+
  after_commit do
    Views::Datatables::DatatablesReport.refresh_materialized_view
  end