Merge pull request #7813 from artoscinote/ma_SCI_11000

Fix activity permission checks [SCI-11000]
2025-09-14 00:54:32 +08:00 · 2024-08-26 10:57:52 +02:00 · 2024-08-26 10:57:52 +02:00 · 8ba8e3b2c8
commit 8ba8e3b2c8
parent a0d74b629c a957e2e442
1 changed files with 20 additions and 1 deletions
--- a/app/services/activities_service.rb
+++ b/app/services/activities_service.rb
@ -5,19 +5,38 @@ class ActivitiesService
    # Create condition for view permissions checking first
    visible_teams = user.teams.where(id: teams)
    visible_projects = Project.viewable_by_user(user, visible_teams)
+    visible_my_modules = MyModule.viewable_by_user(user, teams)
+
    # Temporary solution until handling of deleted subjects is fully implemented
    visible_repository_teams = visible_teams.with_user_permission(user, RepositoryPermissions::READ)
    visible_by_teams = Activity.where(project: nil, team_id: visible_teams.select(:id))
-                               .where.not(subject_type: %w(RepositoryBase RepositoryRow))
+                               .where.not(subject_type: %w(RepositoryBase RepositoryRow Protocol))
                               .order(created_at: :desc)
    visible_by_repositories = Activity.where(subject_type: %w(RepositoryBase RepositoryRow), team_id: visible_repository_teams.select(:id))
                                      .order(created_at: :desc)
    visible_by_projects = Activity.where(project_id: visible_projects.select(:id))
+                                  .where.not(subject_type: %w(MyModule Result Protocol))
                                  .order(created_at: :desc)

+    visible_by_my_modules = Activity.where("subject_id IN (?) AND subject_type = 'MyModule' OR " \
+                                           "subject_id IN (?) AND subject_type = 'Result' OR " \
+                                           "subject_id IN (?) AND subject_type = 'Protocol'",
+                                           visible_my_modules.select(:id),
+                                           Result.where(my_module: visible_my_modules).select(:id),
+                                           Protocol.where(my_module: visible_my_modules).select(:id))
+                                    .order(created_at: :asc)
+
+    visible_by_protocol_templates =
+      Activity.where(
+        subject_type: Protocol,
+        subject_id: Protocol.viewable_by_user(user, teams).select(:id)
+      ).order(created_at: :desc)
+
    query = Activity.from(
      "((#{visible_by_teams.to_sql}) UNION ALL " \
      "(#{visible_by_repositories.to_sql}) UNION ALL " \
+      "(#{visible_by_protocol_templates.to_sql}) UNION ALL " \
+      "(#{visible_by_my_modules.to_sql}) UNION ALL " \
      "(#{visible_by_projects.to_sql})) AS activities"
    )