Fix permission checking in reports controller [SCI-7330][SCI-7331]

2025-02-01 20:48:23 +08:00 · 2022-10-14 13:57:13 +02:00 · 2022-10-14 13:57:13 +02:00 · 8e838fe09f
commit 8e838fe09f
parent c725e1f100
2 changed files with 17 additions and 6 deletions
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@ -10,11 +10,13 @@ class ReportsController < ApplicationController
                                            generate_docx new_template_values project_contents)
  before_action :load_wizard_vars, only: %i(new edit)
  before_action :load_available_repositories, only: %i(index save_pdf_to_inventory_modal available_repositories)
+  before_action :check_project_read_permissions, only: %i(create edit update generate_pdf
+                                                          generate_docx new_template_values project_contents)
  before_action :check_read_permissions, except: %i(index datatable new create edit update destroy generate_pdf
-                                                    generate_docx new_template_values project_contents)
+                                                    generate_docx new_template_values project_contents
+                                                    available_repositories)
  before_action :check_create_permissions, only: %i(new create)
-  before_action :check_manage_permissions, only: %i(edit update generate_pdf
-                                                    generate_docx new_template_values project_contents)
+  before_action :check_manage_permissions, only: %i(edit update generate_pdf generate_docx)
  before_action :switch_team_with_param, only: :index
  after_action :generate_pdf_report, only: %i(create update generate_pdf)

@ -47,7 +49,13 @@ class ReportsController < ApplicationController
    end

    report = current_team.reports.where(project: @project).find_by(id: params[:report_id])
-    report ||= current_team.reports.new(project: @project)
+    if report.present?
+      return render_403 unless can_manage_report?(report)
+    else
+      return render_403 unless can_create_reports?(current_team)
+
+      report = current_team.reports.new(project: @project)
+    end

    respond_to do |format|
      format.json do
@ -335,7 +343,6 @@ class ReportsController < ApplicationController
  def load_vars_nested
    @project = current_team.projects.find_by(id: params[:project_id])
    render_404 unless @project
-    render_403 unless can_read_project?(@project)
  end

  def load_wizard_vars
@ -356,6 +363,10 @@ class ReportsController < ApplicationController
                                    .select(:id, :name)
  end

+  def check_project_read_permissions
+    render_403 unless can_read_project?(@project)
+  end
+
  def check_read_permissions
    render_403 unless can_read_report?(@report)
  end
--- a/app/views/reports/elements/_step_asset_element.html.erb
+++ b/app/views/reports/elements/_step_asset_element.html.erb
@ -17,7 +17,7 @@
        </a>
      <% else %>
        <em>
-          <% if asset.file.metadata[:asset_type] == 'bio_eddie' %>
+          <% if asset.file.metadata && asset.file.metadata[:asset_type] == 'bio_eddie' %>
            <%= truncate("#{asset.file.metadata[:name]}.helm", length: Constants::FILENAME_TRUNCATION_LENGTH) %>
            <a class="btn btn-light file-download-link" href="data:text/plain;charset=utf-8,<%= asset.file.metadata[:description] %>" download="<%= asset.file.metadata[:name] %>.helm" data-turbolinks="false">
              <span class="fas fa-download"></span> <%= t('Download')%>