From 9ad2718f32522b0325700e307b046262603b0c48 Mon Sep 17 00:00:00 2001
From: Oleksii Kriuchykhin
Date: Fri, 26 Oct 2018 16:46:01 +0200
Subject: [PATCH] Fix project index endpoint permission bug [SCI-2818]

---
 app/controllers/api/v1/projects_controller.rb | 1 +
 app/models/project.rb | 10 ++++++++++
 2 files changed, 11 insertions(+)

diff --git a/app/controllers/api/v1/projects_controller.rb b/app/controllers/api/v1/projects_controller.rb
index 989cc9cb3..1b3858dda 100644
--- a/app/controllers/api/v1/projects_controller.rb
+++ b/app/controllers/api/v1/projects_controller.rb
@@ -9,6 +9,7 @@ module Api
       def index
         projects = @team.projects
+                        .visible_to(current_user, @team)
                         .page(params.dig(:page, :number))
                         .per(params.dig(:page, :size))
 
diff --git a/app/models/project.rb b/app/models/project.rb
index 2d5c9aafa..021a2792a 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -39,6 +39,16 @@ class Project < ApplicationRecord
   has_many :reports, inverse_of: :project, dependent: :destroy
   has_many :report_elements, inverse_of: :project, dependent: :destroy
 
+  scope :visible_to, (lambda do |user, team|
+    unless user.is_admin_of_team?(team)
+      left_outer_joins(:user_projects)
+        .where(
+          'visibility = 1 OR user_projects.user_id = :id',
+          id: user.id
+        )
+    end
+  end)
+
   after_commit do
     Views::Datatables::DatatablesReport.refresh_materialized_view
   end
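Review bot: The new `visible_to` scope can return the same project several times, because `left_outer_joins(:user_projects)` yields one row per user_projects record and every such row of a `visibility = 1` project satisfies the OR condition; the controller hunk then paginates those duplicated rows with `.page(...).per(...)`, so page sizes and counts will be off for shared projects with several members. The smallest fix is to add `.distinct` after the `.where(...)` call, or to avoid the join altogether with a subquery on the user_projects table (`where(visibility: 1).or(where(id: <user_projects ids for user>))`, the exact form depends on how the association is modelled, which is outside this hunk). Separately, `visibility = 1` is an unqualified column and a hard-coded value: qualifying it as `'projects.visibility = 1 OR user_projects.user_id = :id'` avoids an ambiguous-column error if user_projects ever gains a column of that name, and if `visibility` is an ActiveRecord enum the value should come from the enum mapping rather than a literal. The bound `:id` parameter is the right way to pass the user id and keeps the fragment free of interpolation; consider also a short comment on the scope noting that a nil body (the admin case) makes Rails fall back to `all`, since that is the non-obvious reason the `unless` without `else` works.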