From 6b5a5cddf8560b2c49a3bc5c7c97de1274b4b36b Mon Sep 17 00:00:00 2001
From: Martin Artnik
Date: Mon, 26 Aug 2024 09:48:10 +0200
Subject: [PATCH] Fix task activity permission checks [SCI-11000]

---
 app/services/activities_service.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/app/services/activities_service.rb b/app/services/activities_service.rb
index 516b0040f..a95f30bf5 100644
--- a/app/services/activities_service.rb
+++ b/app/services/activities_service.rb
@@ -5,6 +5,10 @@ class ActivitiesService
 # Create condition for view permissions checking first
 visible_teams = user.teams.where(id: teams)
 visible_projects = Project.viewable_by_user(user, visible_teams)
+ visible_my_modules = MyModule.joins(:experiment)
+ .where(experiments: { project_id: visible_projects.select(:id) })
+ .viewable_by_user(user, teams)
+ # Temporary solution until handling of deleted subjects is fully implemented
 visible_repository_teams = visible_teams.with_user_permission(user, RepositoryPermissions::READ)
 visible_by_teams = Activity.where(project: nil, team_id: visible_teams.select(:id))
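Review bot: `.viewable_by_user(user, teams)` on the third added line passes the caller-supplied `teams`, while the line above it passes the membership-filtered `visible_teams` (`user.teams.where(id: teams)`) to `Project.viewable_by_user`; if `MyModule.viewable_by_user` uses its second argument the way the project scope does, the unfiltered value is broader than intended and the call should read `.viewable_by_user(user, visible_teams)` — worth confirming against the scope definition, which is not in this patch. The added `# Temporary solution …` comment would be more useful if it said what the workaround costs: because the second hunk routes MyModule/Result/Protocol activities through these id subqueries, activities whose subject no longer exists presumably stop appearing in the feed, e.g. `# Temporary: activities whose task/result/protocol subject has been deleted are not returned until deleted-subject handling is implemented`. The enclosing method starts before this hunk.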
@@ -13,11 +17,21 @@ class ActivitiesService
 visible_by_repositories = Activity.where(subject_type: %w(RepositoryBase RepositoryRow),
 team_id: visible_repository_teams.select(:id))
 .order(created_at: :desc)
 visible_by_projects = Activity.where(project_id: visible_projects.select(:id))
+ .where.not(subject_type: %w(MyModule Result Protocol))
 .order(created_at: :desc)
+ visible_by_my_modules = Activity.where("subject_id IN (?) AND subject_type = 'MyModule' OR " \
+ "subject_id IN (?) AND subject_type = 'Result' OR " \
+ "subject_id IN (?) AND subject_type = 'Protocol'",
+ visible_my_modules.select(:id),
+ Result.where(my_module: visible_my_modules).select(:id),
+ Protocol.where(my_module: visible_my_modules).select(:id))
+ .order(created_at: :asc)
+
 query = Activity.from(
 "((#{visible_by_teams.to_sql}) UNION ALL " \
 "(#{visible_by_repositories.to_sql}) UNION ALL " \
+ "(#{visible_by_my_modules.to_sql}) UNION ALL " \
 "(#{visible_by_projects.to_sql})) AS activities"
 )
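Review bot: `visible_by_my_modules` ends with `.order(created_at: :asc)` while `visible_by_repositories` and `visible_by_projects` in the same hunk use `:desc`; an ORDER BY inside a `UNION ALL` branch is not guaranteed to affect the combined result, so this is harmless only if the outer `query` is re-sorted further down, but it reads as a typo and should be `.order(created_at: :desc)`. The raw SQL string `"subject_id IN (?) AND subject_type = 'MyModule' OR … OR …"` relies on AND binding tighter than OR to express three `(subject_id IN (?) AND subject_type = '…')` alternatives; that is correct but easy to misread in a permission filter, and the same three branches can be built with `Activity.where(...).or(...)` (Rails 5+) so no hand-written predicate is needed. The enclosing method continues past the end of this hunk.
```ruby
    # … unchanged: visible_by_repositories / visible_by_projects …
    # One branch per task-scoped subject type, combined with OR instead of a raw SQL predicate
    visible_by_my_modules = Activity.where(subject_type: 'MyModule', subject_id: visible_my_modules.select(:id))
                                    .or(Activity.where(subject_type: 'Result',
                                                       subject_id: Result.where(my_module: visible_my_modules).select(:id)))
                                    .or(Activity.where(subject_type: 'Protocol',
                                                       subject_id: Protocol.where(my_module: visible_my_modules).select(:id)))
                                    .order(created_at: :desc)
    # … unchanged: query = Activity.from(... UNION ALL ...) …
```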