Repository access permission fixes [SCI-12145]

2025-09-13 08:34:49 +08:00 · 2025-07-21 15:03:55 +02:00 · 2025-07-21 15:03:55 +02:00 · 69c6fef2eb
commit 69c6fef2eb
parent 0dc5c60b47
6 changed files with 12 additions and 6 deletions
--- a/app/controllers/access_permissions/base_controller.rb
+++ b/app/controllers/access_permissions/base_controller.rb
@ -139,7 +139,7 @@ module AccessPermissions
    end
    def load_available_users
-      @available_users = current_team.users.where.not(id: @model.user_assignments.select(:user_id)).order(users: { full_name: :asc })
+      @available_users = current_team.users.where.not(id: @model.user_assignments.where(team: current_team).select(:user_id)).order(users: { full_name: :asc })
    end
    def propagate_job(destroy: false)
--- a/app/models/concerns/shareable.rb
+++ b/app/models/concerns/shareable.rb
@ -29,6 +29,8 @@ module Shareable
    scope :viewable_by_user, lambda { |user, teams = user.current_team|
      readable_ids = if permission_class == StorageLocation
                       readable_by_user(user).where(team: teams).pluck(:id)
                     elsif teams.permission_granted?(user, TeamPermissions::MANAGE)
                       where(team: teams).pluck(:id)
                     else
                       with_granted_permissions(user, "#{permission_class.name}Permissions::READ".constantize, teams).pluck(:id)
                     end
--- a/app/permissions/repository.rb
+++ b/app/permissions/repository.rb
@ -8,7 +8,8 @@ Canaid::Permissions.register_for(RepositoryBase) do
      # If original repository is deleted, snapshot ownership should be transferred to task
      (!original_repository || original_repository.permission_granted?(user, RepositoryPermissions::READ)) && can_read_my_module?(user, repository.my_module)
    else
-      repository.can_manage_shared?(user) ||
+      repository.team.permission_granted?(user, TeamPermissions::MANAGE) ||
        repository.can_manage_shared?(user) ||
        repository.permission_granted?(user, RepositoryPermissions::READ)
    end
  end
@ -132,7 +133,8 @@ Canaid::Permissions.register_for(Repository) do
  end
  can :manage_repository_users do |user, repository|
-    repository.can_manage_shared?(user) ||
+    repository.team.permission_granted?(user, TeamPermissions::MANAGE) ||
      repository.can_manage_shared?(user) ||
      repository.permission_granted?(user, RepositoryPermissions::USERS_MANAGE)
  end
 end
--- a/app/serializers/lists/repository_serializer.rb
+++ b/app/serializers/lists/repository_serializer.rb
@ -18,7 +18,7 @@ module Lists
    end
    def team
-      current_user.current_team.name
+      object.team.name
    end
    def created_at
@ -38,7 +38,7 @@ module Lists
    end
    def assigned_users
-      users = object.user_assignments.map do |ua|
+      users = object.user_assignments.where(team: current_user.current_team).map do |ua|
        {
          avatar: avatar_path(ua.user, :icon_small),
          full_name: ua.user_name_with_role
--- a/app/services/toolbars/repositories_service.rb
+++ b/app/services/toolbars/repositories_service.rb
@ -10,7 +10,7 @@ module Toolbars
    def initialize(current_user, current_team, repository_ids: [])
      @current_user = current_user
      @current_team = current_team
-      @repositories = Repository.readable_by_user(current_user)
+      @repositories = Repository.viewable_by_user(current_user)
                                .where(id: repository_ids)
                                .distinct
      @repository = @repositories.first
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -2342,6 +2342,8 @@ en:
        notification:
          error:
            title: "Your Inventories export failed. Please contact support."
      table:
        access: "Access"
    show:
      name: "Name"
      archived_inventory_items: "%{repository_name} archived items"