From 0c71493fdb333c6a22c5379050b9f7ce211540ef Mon Sep 17 00:00:00 2001
From: Oleksii Kriuchykhin
Date: Mon, 18 Mar 2019 15:38:19 +0100
Subject: [PATCH] Add viewing permissions for global activities [SCI-2997]
---
 app/controllers/global_activities_controller.rb | 6 ++++--
 app/models/user_team.rb | 11 -----------
 app/services/activities_service.rb | 12 +++++++-----
 app/views/global_activities/_side_filters.html.erb | 6 +++---
 4 files changed, 14 insertions(+), 21 deletions(-)
diff --git a/app/controllers/global_activities_controller.rb b/app/controllers/global_activities_controller.rb
index 9fab2fcaa..4c88f22b3 100644
--- a/app/controllers/global_activities_controller.rb
+++ b/app/controllers/global_activities_controller.rb
@@ -6,9 +6,11 @@ class GlobalActivitiesController < ApplicationController
     teams = current_user.teams if teams.blank?
     @teams = teams
     @activity_types = Activity.activity_types_list
-    @users = UserTeam.my_employees(current_user)
+    @user_list = User.where(id: UserTeam.where(team: current_user.teams).select(:user_id))
+                     .distinct
+                     .pluck(:full_name, :id)
     @grouped_activities, more_activities =
-      ActivitiesService.load_activities(teams, activity_filters)
+      ActivitiesService.load_activities(current_user, teams, activity_filters)
     respond_to do |format|
       format.json do
         render json: {
diff --git a/app/models/user_team.rb b/app/models/user_team.rb
index 8b31f278b..fdcd89453 100644
--- a/app/models/user_team.rb
+++ b/app/models/user_team.rb
@@ -1,8 +1,6 @@
 class UserTeam < ApplicationRecord
   enum role: { guest: 0, normal_user: 1, admin: 2 }
-  scope :my_teams, -> { where(role: 2) }
-
   validates :role, presence: true
   validates :user, presence: true
   validates :team, presence: true
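Review bot: The new `@user_list` query changes who appears in the user filter without saying so: `UserTeam.where(team: current_user.teams)` lists every member of every team the current user belongs to, whereas the removed `my_employees` only covered teams where the user held role 2 (admin), so a guest now sees the full names of all co-members. If that widening is intended, a comment on the `@user_list` line should state it, e.g. `# Filter candidates: all members of the current user's teams, regardless of the caller's role in them`. It is also built from `current_user.teams` rather than the `teams` local that feeds `load_activities` two lines below, so the dropdown can offer users from teams whose activities are not being listed; if that is unintended, `UserTeam.where(team: teams)` keeps the two in step. The surrounding action starts before the hunk.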
@@ -21,15 +19,6 @@ class UserTeam < ApplicationRecord
     I18n.t("user_teams.enums.role.#{role}")
   end
-  def self.my_employees(user)
-    users = where(team_id: user.user_teams.my_teams.pluck(:team_id))
-            .joins(:user).select(:full_name, 'users.id as id').as_json.uniq
-    if users.empty?
-      users = [user.as_json.select { |k| %w(id full_name).include? k }]
-    end
-    users
-  end
-
   def create_samples_table_state
     SamplesTable.create_samples_table_state(self)
   end
diff --git a/app/services/activities_service.rb b/app/services/activities_service.rb
index 7aeeee1ae..ff9c55996 100644
--- a/app/services/activities_service.rb
+++ b/app/services/activities_service.rb
@@ -1,18 +1,20 @@
 # frozen_string_literal: true
 class ActivitiesService
-  def self.load_activities(team_ids, filters = {})
+  def self.load_activities(user, teams, filters = {})
+    # Create condition for view permissions checking first
+    visible_projects = Project.viewable_by_user(user, teams)
+    query = Activity.where('project_id IS NULL AND team_id IN (?)', teams.select(:id))
+                    .or(Activity.where(project: visible_projects))
+
     if filters[:subjects].present?
-      query = Activity.where(
+      query = query.where(
         filters[:subjects].map { '(subject_type = ? AND subject_id IN(?))' }
                           .join(' OR '),
         *filters[:subjects].flatten
       )
-    else
-      query = Activity
     end
-    query = query.where(team_id: team_ids)
     query = query.where(owner_id: filters[:users]) if filters[:users]
     query = query.where(type_of: filters[:types]) if filters[:types]
diff --git a/app/views/global_activities/_side_filters.html.erb b/app/views/global_activities/_side_filters.html.erb
index 38d1bd929..a8860b06e 100644
--- a/app/views/global_activities/_side_filters.html.erb
+++ b/app/views/global_activities/_side_filters.html.erb
@@ -37,7 +37,7 @@
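Review bot: The team-level branch `Activity.where('project_id IS NULL AND team_id IN (?)', teams.select(:id))` takes `teams` on trust; `user` is consulted only for project visibility, so the permission check this commit adds is only as strong as the caller's choice of `teams`. In the controller hunk `teams` is defaulted to `current_user.teams` only when blank and its other origin is outside this diff, so if it is built from request filters, team-level activities of teams the user is not a member of would be returned. Intersecting inside the service makes the method safe regardless of caller: `team_ids = user.teams.where(id: teams.select(:id)).select(:id)` and then use `team_ids` in the `IN (?)` condition (and pass the narrowed relation to `Project.viewable_by_user` as well). The comment `# Create condition for view permissions checking first` would read better as `# Base scope: team-level activities of the given teams, plus activities of projects the user may view`. The method body continues past the end of the hunk.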
<%= t('global_activities.index.clear') %>
<%= select_tag "activity", options_for_select(@activity_types.map{|i| [i[:name], i[:id]]}),{
- 'data-select-all-button': t('global_activities.index.all_activities'),
+ 'data-select-all-button': t('global_activities.index.all_activities'),
  'data-select-all': 'true',
  'data-select-multiple-name': t('global_activities.index.l_activities'),
  'data-select-multiple-all-selected': t('global_activities.index.all_activities')
@@ -49,8 +49,8 @@

<%= t('global_activities.index.user') %>

<%= t('global_activities.index.clear') %>
- <%= select_tag "user", options_for_select(@users.map{|i| [i['full_name'], i['id']]}),{
- 'data-select-all-button': t('global_activities.index.all_users'),
+ <%= select_tag "user", options_for_select(@user_list),{
+ 'data-select-all-button': t('global_activities.index.all_users'),
  'data-select-all': 'true',
  'data-select-multiple-name': t('global_activities.index.l_users'),
  'data-select-multiple-all-selected': t('global_activities.index.all_users')