Add current team to smar annotations permission check

2025-03-04 19:53:19 +08:00 · 2020-10-23 13:32:19 +02:00 · 2020-10-23 13:32:19 +02:00 · 25d050cec4
commit 25d050cec4
parent c8083f730c
2 changed files with 14 additions and 5 deletions
--- a/app/services/smart_annotations/permission_eval.rb
+++ b/app/services/smart_annotations/permission_eval.rb
@ -30,16 +30,15 @@ module SmartAnnotations
      end

      def validate_rep_item_permissions(user, team, object)
-        return can_read_repository?(user, object.repository) if object.repository
+        if object.repository
+          return Repository.accessible_by_teams(team).find_by(id: object.repository_id).present? &&
+                 can_read_repository?(user, object.repository)
+        end

        # handles discarded repositories
        repository = Repository.with_discarded.find_by(id: object.repository_id)
        # evaluate to false if repository not found
        return false unless repository
-
-        (repository.team.id == team.id ||
-          repository.team_repositories.where(team_id: team.id).any?) &&
-          can_read_repository?(user, repository)
      end
    end
  end
--- a/spec/services/smart_annotations/permission_eval_spec.rb
+++ b/spec/services/smart_annotations/permission_eval_spec.rb
@ -87,5 +87,15 @@ describe SmartAnnotations::PermissionEval do
      value = subject.__send__(:validate_rep_item_permissions, user, team, repository_item)
      expect(value).to be true
    end
+
+    context 'when user can access repository from another team, but not with the current' do
+      it do
+        # Add anoteher user also as a member of team whos owes repository with this item
+        create :user_team, team: team, user: another_user, role: :admin
+
+        value = subject.__send__(:validate_rep_item_permissions, another_user, another_team, repository_item)
+        expect(value).to be false
+      end
+    end
  end
 end