From 25d050cec4020af880e95461746b3b637f24de45 Mon Sep 17 00:00:00 2001
From: Urban Rotnik
Date: Fri, 23 Oct 2020 13:32:19 +0200
Subject: [PATCH] Add current team to smar annotations permission check

---
 app/services/smart_annotations/permission_eval.rb      | 9 ++++-----
 .../services/smart_annotations/permission_eval_spec.rb | 10 ++++++++++
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/app/services/smart_annotations/permission_eval.rb b/app/services/smart_annotations/permission_eval.rb
index 15eb9af60..69b60d9e3 100644
--- a/app/services/smart_annotations/permission_eval.rb
+++ b/app/services/smart_annotations/permission_eval.rb
@@ -30,16 +30,15 @@ module SmartAnnotations
     end
 
     def validate_rep_item_permissions(user, team, object)
-      return can_read_repository?(user, object.repository) if object.repository
+      if object.repository
+        return Repository.accessible_by_teams(team).find_by(id: object.repository_id).present? &&
+               can_read_repository?(user, object.repository)
+      end
 
       # handles discarded repositories
       repository = Repository.with_discarded.find_by(id: object.repository_id)
       # evaluate to false if repository not found
       return false unless repository
-
-      (repository.team.id == team.id ||
-       repository.team_repositories.where(team_id: team.id).any?) &&
-        can_read_repository?(user, repository)
     end
   end
 end
diff --git a/spec/services/smart_annotations/permission_eval_spec.rb b/spec/services/smart_annotations/permission_eval_spec.rb
index deac79a04..58678e0a6 100644
--- a/spec/services/smart_annotations/permission_eval_spec.rb
+++ b/spec/services/smart_annotations/permission_eval_spec.rb
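Review bot: After this change a discarded repository that is found is no longer checked against `team` at all: the three lines that followed `return false unless repository` were removed without replacement, so the method's last expression is that modifier statement, which evaluates to nil when the repository is present, and callers receive nil instead of a boolean. If denying access to discarded repositories is the intent, the `with_discarded` lookup and the two comments above it are now dead and the tail should collapse to an explicit `false` with a comment saying why; if it is not, the new team scope should be applied there too, e.g. `Repository.with_discarded.accessible_by_teams(team).where(id: repository.id).exists? && can_read_repository?(user, repository)` (this assumes `accessible_by_teams` composes with the `with_discarded` relation, which is not visible here). In the active branch, `find_by(...).present?` loads the row only to test existence; `Repository.accessible_by_teams(team).exists?(id: object.repository_id)` makes the same check without instantiating the record. The enclosing class starts above the hunk.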
@@ -87,5 +87,15 @@ describe SmartAnnotations::PermissionEval do
       value = subject.__send__(:validate_rep_item_permissions, user, team, repository_item)
       expect(value).to be true
     end
+
+    context 'when user can access repository from another team, but not with the current' do
+      it do
+        # Add anoteher user also as a member of team whos owes repository with this item
+        create :user_team, team: team, user: another_user, role: :admin
+
+        value = subject.__send__(:validate_rep_item_permissions, another_user, another_team, repository_item)
+        expect(value).to be false
+      end
+    end
   end
 end
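Review bot: The new context only exercises the active-repository branch; nothing in the spec covers a discarded repository, which after this patch falls off the end of `validate_rep_item_permissions` and returns nil rather than false, so an `expect(value).to be false` written for that path would fail. A sibling context that discards the repository and asserts the result for both `team` and `another_team` would pin whatever behavior is intended there. The comment on the new example has typos; suggest `# Add another user as a member of the team that owns the repository holding this item, then check with a different team`. `another_user` and `another_team` are presumably `let` bindings defined above; the enclosing describe block starts before the hunk.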