Fix notification recipients [SCI-12273]

2025-09-04 20:25:22 +08:00 · 2025-08-18 14:04:16 +02:00 · 2025-08-18 14:04:16 +02:00 · 7c8fe34db5
commit 7c8fe34db5
parent 4f5fe29d9f
3 changed files with 27 additions and 6 deletions
--- a/app/models/concerns/assignable.rb
+++ b/app/models/concerns/assignable.rb
@ -41,6 +41,30 @@ module Assignable
      User.where(id: direct_user_ids).or(User.where(id: group_user_ids)).or(User.where(id: team_user_ids))
    end

+    def users_with_permission(permission, teams = Team.all)
+      permitted_individual_assignments = user_assignments.joins(:user_role).where(team: teams).where(
+        'user_roles.permissions @> ARRAY[?]::varchar[]', [permission]
+      )
+
+      disallowed_assignments = user_assignments.joins(:user_role).where(team: teams).where(
+        'NOT(user_roles.permissions @> ARRAY[?]::varchar[])', [permission]
+      )
+
+      permitted_user_group_assignments = user_group_assignments.joins(:user_role, user_group: { user_group_memberships: :user }).where(team: teams).where(
+        'user_roles.permissions @> ARRAY[?]::varchar[]', [permission]
+      )
+
+      permitted_team_assignments = team_assignments.joins(:user_role, team: { user_assignments: :user }).where(team: teams).where(
+        'user_roles.permissions @> ARRAY[?]::varchar[]', [permission]
+      )
+
+      User.where(id: permitted_individual_assignments.select(:user_id)).or(
+        User.where(id: permitted_user_group_assignments.select('user_group_memberships.user_id')).or(
+          User.where(id: permitted_team_assignments.select('user_assignments.user_id'))
+        )
+      ).where.not(id: disallowed_assignments.select(:user_id))
+    end
+
    def default_public_user_role_id(current_team = nil)
      if team_assignments.loaded?
        team_assignments.find { |ta| ta.team_id == (current_team || team).id }&.user_role_id
--- a/app/notifications/recipients/due_date_recipients.rb
+++ b/app/notifications/recipients/due_date_recipients.rb
@ -14,10 +14,7 @@ module Recipients
                           end
      return User.none unless record

-      User.where(id: record.user_assignments
-                           .joins(:user_role)
-                           .where('? = ANY(user_roles.permissions)', permission)
-                           .select(:user_id))
+      record.users_with_permission(permission)
    end
  end
 end
--- a/app/notifications/recipients/repository_item_recipients.rb
+++ b/app/notifications/recipients/repository_item_recipients.rb
@ -6,7 +6,7 @@ class Recipients::RepositoryItemRecipients
  end

  def recipients
-    repository_row = RepositoryRow.find(@repository_row_id)
-    repository_row.repository.team.users
+    repository = RepositoryRow.find(@repository_row_id).repository
+    repository.users_with_permission(RepositoryPermissions::READ, repository.team)
  end
 end