Fix task activity permission checks [SCI-11000]

This commit is contained in:
Martin Artnik 2024-08-26 09:48:10 +02:00
parent a0d74b629c
commit 6b5a5cddf8

View file

@ -5,6 +5,10 @@ class ActivitiesService
# Create condition for view permissions checking first
visible_teams = user.teams.where(id: teams)
visible_projects = Project.viewable_by_user(user, visible_teams)
visible_my_modules = MyModule.joins(:experiment)
.where(experiments: { project_id: visible_projects.select(:id) })
.viewable_by_user(user, teams)
# Temporary solution until handling of deleted subjects is fully implemented
visible_repository_teams = visible_teams.with_user_permission(user, RepositoryPermissions::READ)
visible_by_teams = Activity.where(project: nil, team_id: visible_teams.select(:id))
@ -13,11 +17,21 @@ class ActivitiesService
visible_by_repositories = Activity.where(subject_type: %w(RepositoryBase RepositoryRow), team_id: visible_repository_teams.select(:id))
.order(created_at: :desc)
visible_by_projects = Activity.where(project_id: visible_projects.select(:id))
.where.not(subject_type: %w(MyModule Result Protocol))
.order(created_at: :desc)
visible_by_my_modules = Activity.where("subject_id IN (?) AND subject_type = 'MyModule' OR " \
"subject_id IN (?) AND subject_type = 'Result' OR " \
"subject_id IN (?) AND subject_type = 'Protocol'",
visible_my_modules.select(:id),
Result.where(my_module: visible_my_modules).select(:id),
Protocol.where(my_module: visible_my_modules).select(:id))
.order(created_at: :asc)
query = Activity.from(
"((#{visible_by_teams.to_sql}) UNION ALL " \
"(#{visible_by_repositories.to_sql}) UNION ALL " \
"(#{visible_by_my_modules.to_sql}) UNION ALL " \
"(#{visible_by_projects.to_sql})) AS activities"
)