From 7d3f48199ada3d7de87006d44df2ea5b58dca033 Mon Sep 17 00:00:00 2001
From: Oleksii Kriuchykhin
Date: Fri, 21 Oct 2022 11:00:52 +0200
Subject: [PATCH] Fix shared repositories migration, update sharing logic and permissions [SCI-7360]
---
 app/models/team_shared_object.rb | 11 ++---
 app/permissions/repository.rb | 17 ++++---
 .../create_team_user_assignments_service.rb | 11 +++--
 ...shared_repositories_to_user_assignments.rb | 46 ++++++-------------
 4 files changed, 35 insertions(+), 50 deletions(-)
diff --git a/app/models/team_shared_object.rb b/app/models/team_shared_object.rb
index c2dd8a973..ecbbd5766 100644
--- a/app/models/team_shared_object.rb
+++ b/app/models/team_shared_object.rb
@@ -32,15 +32,12 @@ class TeamSharedObject < ApplicationRecord
 def not_globally_shared
 errors.add(:shared_object_id, :is_globally_shared) if shared_object.globally_shared?
 end
-
- def assign_shared_inventories
- viewer_role = UserRole.find_by(name: UserRole.public_send('viewer_role').name)
- normal_user_role = UserRole.find_by(name: UserRole.public_send('normal_user_role').name)
- team.users.find_each do |user|
+ def assign_shared_inventories
+ team.user_assignments.find_each do |user_assignment|
 shared_object.user_assignments.create!(
- user: user,
- user_role: shared_write? ? normal_user_role : viewer_role,
+ user: user_assignment.user,
+ user_role: user_assignment.user_role,
 team: team
 )
 end
 end
diff --git a/app/permissions/repository.rb b/app/permissions/repository.rb
index 7746dd154..356ba5f7a 100644
--- a/app/permissions/repository.rb
+++ b/app/permissions/repository.rb
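Review bot: In `assign_shared_inventories` (app/models/team_shared_object.rb) each member of the receiving team now gets their own team role on the shared repository, so the `shared_write?` distinction that used to cap read-only shares at the viewer role is no longer carried by the assignment itself. A member whose team role is broader than viewer therefore holds that broader role on a repository shared read-only, and the remaining barrier is the `shared_with_write?` guard registered in app/permissions/repository.rb for four row and asset permissions. Any other check that goes through `permission_granted?` would follow the copied role; the rest of the permissions file is not visible in this patch, so this needs confirming. The same role copy appears in the service hunk (`user_role: @user_role`) and in the rewritten migration. I would add a comment above the loop such as `# Role is copied from the team assignment; read-only shares are enforced in the Canaid permissions, not by role`, plus a spec asserting that a non-viewer member of the receiving team cannot write to a read-only share.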
@@ -24,6 +24,16 @@ Canaid::Permissions.register_for(Repository) do end end + %i(create_repository_rows + manage_repository_rows + manage_repository_assets + delete_repository_rows) + .each do |perm| + can perm do |user, repository| + next false if repository.shared_with?(user.current_team) && !repository.shared_with_write?(user.current_team) + end + end + # repository: update, delete can :manage_repository do |user, repository| !repository.shared_with?(user.current_team) && repository.permission_granted?(user, RepositoryPermissions::MANAGE) @@ -61,12 +71,7 @@ Canaid::Permissions.register_for(Repository) do next false if repository.is_a?(BmtRepository) next false if repository.archived? - if repository.shared_with?(user.current_team) - repository.shared_with_write?(user.current_team) && - repository.permission_granted?(user, RepositoryPermissions::ROWS_CREATE) - else - repository.permission_granted?(user, RepositoryPermissions::ROWS_CREATE) - end + repository.permission_granted?(user, RepositoryPermissions::ROWS_CREATE) end can :manage_repository_assets do |user, repository| diff --git a/app/services/user_assignments/create_team_user_assignments_service.rb b/app/services/user_assignments/create_team_user_assignments_service.rb index 96e70fb18..005686082 100644 --- a/app/services/user_assignments/create_team_user_assignments_service.rb +++ b/app/services/user_assignments/create_team_user_assignments_service.rb @@ -8,7 +8,6 @@ module UserAssignments @user_role = team_user_assignment.user_role @assigned_by = team_user_assignment.assigned_by @viewer_role = UserRole.find_predefined_viewer_role - @normal_user_role = UserRole.find_predefined_normal_user_role end def call 
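Review bot: The guard block added in app/permissions/repository.rb for the four row and asset permissions returns `false` when its `next false if ...` condition fires and `nil` otherwise, so its non-denying result is an implicit value. How Canaid combines a `nil` from one of several `can` blocks for the same permission is not visible in this patch, and an authorization decision should not depend on it. I would make the result explicit by ending the block with `!repository.shared_with?(user.current_team) || repository.shared_with_write?(user.current_team)`. The second hunk (`@@ -61,12 +71,7 @@`) removes the inline `shared_with_write?` check from `create_repository_rows` and now relies entirely on this guard, so a spec covering a read-only share for each of the four permissions would pin the behaviour. The check is keyed on `user.current_team`, so it follows whichever team the user currently has selected; a short comment above the block stating that would help.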
@@ -38,16 +37,18 @@ module UserAssignments @team.team_shared_repositories.find_each do |team_shared_repository| @team.repository_sharing_user_assignments.create!( user: @user, - user_role: team_shared_repository.shared_write? ? @normal_user_role : @viewer_role, - assignable: team_shared_repository.shared_object + user_role: @user_role, + assignable: team_shared_repository.shared_object, + assigned: :automatically ) end Repository.globally_shared.where.not(team: @team).find_each do |repository| @team.repository_sharing_user_assignments.create!( user: @user, - user_role: repository.shared_write? ? @normal_user_role : @viewer_role, - assignable: repository + user_role: @user_role, + assignable: repository, + assigned: :automatically ) end end diff --git a/db/migrate/20220624091046_migrate_shared_repositories_to_user_assignments.rb b/db/migrate/20220624091046_migrate_shared_repositories_to_user_assignments.rb index 010ca73bb..4ed946f7d 100644 --- a/db/migrate/20220624091046_migrate_shared_repositories_to_user_assignments.rb +++ b/db/migrate/20220624091046_migrate_shared_repositories_to_user_assignments.rb 
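Review bot: `assigned: :automatically` is set only in the two `create!` calls of this service hunk; `assign_shared_inventories` in app/models/team_shared_object.rb and the rewritten migration create the same kind of sharing assignment without it. Unless the column default is already `automatically` (the patch does not show it), rows for the same share will carry different `assigned` values depending on which code path created them. If unsharing or cleanup logic filters on that attribute, which is not visible here, the untagged rows could remain and keep granting access after a share is withdrawn. I would pass `assigned: :automatically` in the other two `create!` calls as well. The enclosing method starts above this hunk; `@viewer_role` is still set in `initialize` although both uses shown here are removed, so it can go if nothing else in the class reads it.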
@@ -9,43 +9,25 @@ class MigrateSharedRepositoriesToUserAssignments < ActiveRecord::Migration[6.1] end def up - viewer_role = UserRole.find_by(name: UserRole.public_send('viewer_role').name) - normal_user_role = UserRole.find_by(name: UserRole.public_send('normal_user_role').name) - TeamRepository.where(permission_level: %i(shared_read shared_write)) .preload(:team, :repository) .find_each do |team_repository| - user_role = if team_repository.shared_read? - viewer_role - elsif team_repository.shared_write? - normal_user_role - end - - team_repository.team.users.find_in_batches(batch_size: 100) do |users_batch| - user_assignments = [] - users_batch.each do |user| - user_assignments << UserAssignment.new(user: user, assignable: team_repository.repository, - user_role: user_role, team: team_repository.team) - end - UserAssignment.import(user_assignments) + team_repository.team + .user_assignments + .preload(:user, :user_role) + .find_each do |user_assignment| + UserAssignment.create!(user: user_assignment.user, assignable: team_repository.repository, + user_role: user_assignment.user_role, team: team_repository.team) end + end - Repository.globally_shared.find_each do |repository| - user_role = if repository.shared_read? - viewer_role - elsif repository.shared_write? - normal_user_role - end - - Team.where.not(id: repository.team.id).find_each do |team| - team.users.find_in_batches(batch_size: 100) do |users_batch| - user_assignments = [] - users_batch.each do |user| - user_assignments << UserAssignment.new(user: user, assignable: repository, - user_role: user_role, team: team) - end - UserAssignment.import(user_assignments) - end + Repository.globally_shared.find_each do |repository| + Team.where.not(id: repository.team.id).find_each do |team| + team.user_assignments + .preload(:user, :user_role) + .find_each do |user_assignment| + UserAssignment.create!(user: user_assignment.user, assignable: repository, + user_role: user_assignment.user_role, team: team) end end end
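Review bot: Editing the already-versioned migration 20220624091046 means any database that ran the earlier `up` keeps the old mapping (viewer or normal user, chosen by share level) while fresh installs get the copied team roles, so the same share authorizes differently across deployments. If the original version has been deployed anywhere, a new follow-up migration that corrects the existing rows would be safer than changing this one. The switch from batched `UserAssignment.import` to per-row `create!` also means a single record that fails validation raises and aborts the whole `up`, and validations and callbacks now run for every team member. A comment stating that this is intended, and what an operator should do on failure, would help on large instances.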