fixed user without permissions bug [fixes SCI-922]

2024-09-21 07:26:15 +08:00 · 2017-01-23 10:53:42 +01:00 · 2017-01-23 10:53:42 +01:00 · 20cde2654b
parent 2d073c8c04
commit 20cde2654b
2 changed files with 9 additions and 1 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -118,7 +118,10 @@ module ApplicationHelper
      match = el.match(sa_user)
      user = User.find_by_id(match[2].base62_decode)
      organization ||= current_organization
-      if user && organization
+
+      if user &&
+         organization &&
+         UserOrganization.user_in_organization(user, organization).any?
        user_org = user
                   .user_organizations
                   .where('user_organizations.organization_id = ?',
--- a/app/models/user_organization.rb
+++ b/app/models/user_organization.rb
@ -30,6 +30,11 @@ class UserOrganization < ActiveRecord::Base
    end
  end

+  # returns user_organizations where the user is in org
+  def self.user_in_organization(user, organization)
+    where(user: user, organization: organization)
+  end
+
  def destroy(new_owner)
    # If any project of the organization has the sole owner and that
    # owner is the user to be removed from the organization, then we must