Don't revert to viewer role for roles with no read permission [SCI-12210]

app/controllers/team_shared_objects_controller.rb

@@ -25,13 +25,9 @@ class TeamSharedObjectsController < ApplicationController
 
           case global_permission_level
           when :shared_read
-            UserAssignment.where(assignable: @model).where.not(team: @model.team).update!(user_role: UserRole.find_predefined_viewer_role)
-            TeamAssignment.where(assignable: @model).where.not(team: @model.team).update!(user_role: UserRole.find_predefined_viewer_role)
-            UserGroupAssignment.where(assignable: @model).where.not(team: @model.team).update!(user_role: UserRole.find_predefined_viewer_role)
+            @model.demote_all_sharing_assignments_to_viewer!
           when :not_shared
-            UserAssignment.where(assignable: @model).where.not(team: @model.team).destroy_all
-            TeamAssignment.where(assignable: @model).where.not(team: @model.team).destroy_all
-            UserGroupAssignment.where(assignable: @model).where.not(team: @model.team).destroy_all
+            @model.destroy_all_sharing_assignments!
           end
 
           case @model

app/models/concerns/shareable.rb

@@ -99,4 +99,26 @@ module Shareable
 
     shared_read? || team_shared_objects.exists?(team: team, permission_level: :shared_read)
   end
+
+  def demote_all_sharing_assignments_to_viewer!(for_team: nil)
+    # take into account special roles with no read permission, and do not upgrade them to viewer
+    read_permission = "#{self.class.permission_class}Permissions".constantize::READ
+
+    teams = for_team ? Team.where(id: for_team.id).where.not(id: team.id) : Team.where.not(id: team.id)
+
+    [user_assignments, user_group_assignments, team_assignments].each do |assignments|
+      assignments.joins(:user_role)
+                 .where(team_id: teams.select(:id))
+                 .where(['user_roles.permissions @> ARRAY[?]::varchar[]', [read_permission]])
+                 .update!(user_role: UserRole.find_predefined_viewer_role)
+    end
+  end
+
+  def destroy_all_sharing_assignments!(for_team: nil)
+    teams = for_team ? Team.where(id: for_team.id).where.not(id: team.id) : Team.where.not(id: team.id)
+
+    user_assignments.where(team_id: teams.select(:id)).destroy_all
+    user_group_assignments.where.not(team_id: teams.select(:id)).destroy_all
+    team_assignments.where.not(team_id: teams.select(:id)).destroy_all
+  end
 end

app/models/team_shared_object.rb

@@ -26,15 +26,11 @@ class TeamSharedObject < ApplicationRecord
   def update_assignments
     return unless saved_change_to_permission_level? && permission_level == 'shared_read'
 
-    shared_object.user_assignments.where(team: team).update!(user_role: UserRole.find_predefined_viewer_role)
-    shared_object.user_group_assignments.where(team: team).update!(user_role: UserRole.find_predefined_viewer_role)
-    shared_object.team_assignments.where(team: team).update!(user_role: UserRole.find_predefined_viewer_role)
+    shared_object.demote_all_sharing_assignments_to_viewer!(for_team: team)
   end
 
   def destroy_assignments
-    shared_object.user_assignments.where(team: team).destroy_all
-    shared_object.user_group_assignments.where(team: team).destroy_all
-    shared_object.team_assignments.where(team: team).destroy_all
+    shared_object.destroy_all_sharing_assignments!(for_team: team)
   end
 
   def team_cannot_be_the_same