From 8e838fe09fe1fdd9656f726fc98d894996e626ce Mon Sep 17 00:00:00 2001
From: Oleksii Kriuchykhin
Date: Fri, 14 Oct 2022 13:57:13 +0200
Subject: [PATCH] Fix permission checking in reports controller [SCI-7330][SCI-7331]

---
 app/controllers/reports_controller.rb | 21 ++++++++++++++-----
 .../elements/_step_asset_element.html.erb | 2 +-
 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
index b804c8e60..04c738e77 100644
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@@ -10,11 +10,13 @@ class ReportsController < ApplicationController
                                          generate_docx new_template_values project_contents)
   before_action :load_wizard_vars, only: %i(new edit)
   before_action :load_available_repositories, only: %i(index save_pdf_to_inventory_modal available_repositories)
+  before_action :check_project_read_permissions, only: %i(create edit update generate_pdf
+                                                          generate_docx new_template_values project_contents)
   before_action :check_read_permissions, except: %i(index datatable new create edit update destroy generate_pdf
-                                                   generate_docx new_template_values project_contents)
+                                                   generate_docx new_template_values project_contents
+                                                   available_repositories)
   before_action :check_create_permissions, only: %i(new create)
-  before_action :check_manage_permissions, only: %i(edit update generate_pdf
-                                                    generate_docx new_template_values project_contents)
+  before_action :check_manage_permissions, only: %i(edit update generate_pdf generate_docx)
   before_action :switch_team_with_param, only: :index
   after_action :generate_pdf_report, only: %i(create update generate_pdf)
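Review bot: `available_repositories` is appended to the `except:` list of `check_read_permissions` on the new side, and no other filter in this hunk names it, so the action now runs with no visible per-report authorization beyond whatever `load_available_repositories` itself enforces; confirm that helper scopes its query to `current_team` or put the action under an explicit check. The narrowed `check_manage_permissions` list also drops `project_contents`, leaving it guarded only by `check_project_read_permissions`; if project read access is meant to suffice there, a comment such as `# project_contents/new_template_values need only project read access; manage rights for an existing report are checked inside the action` next to the filter would record that. The `before_action :load_vars_nested` to which the first context line belongs starts outside the hunk, and `check_project_read_permissions` depends on it having set `@project`, so its `only:` list must stay identical to that one.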
@@ -47,7 +49,13 @@ class ReportsController < ApplicationController
     end

     report = current_team.reports.where(project: @project).find_by(id: params[:report_id])
-    report ||= current_team.reports.new(project: @project)
+    if report.present?
+      return render_403 unless can_manage_report?(report)
+    else
+      return render_403 unless can_create_reports?(current_team)
+
+      report = current_team.reports.new(project: @project)
+    end

     respond_to do |format|
       format.json do
@@ -335,7 +343,6 @@ class ReportsController < ApplicationController
   def load_vars_nested
     @project = current_team.projects.find_by(id: params[:project_id])
     render_404 unless @project
-    render_403 unless can_read_project?(@project)
   end

   def load_wizard_vars
@@ -356,6 +363,10 @@ class ReportsController < ApplicationController
                                  .select(:id, :name)
   end

+  def check_project_read_permissions
+    render_403 unless can_read_project?(@project)
+  end
+
   def check_read_permissions
     render_403 unless can_read_report?(@report)
   end
diff --git a/app/views/reports/elements/_step_asset_element.html.erb b/app/views/reports/elements/_step_asset_element.html.erb
index 6640b0ba1..215895dd5 100644
--- a/app/views/reports/elements/_step_asset_element.html.erb
+++ b/app/views/reports/elements/_step_asset_element.html.erb
@@ -17,7 +17,7 @@
 <% else %>
-  <% if asset.file.metadata[:asset_type] == 'bio_eddie' %>
+  <% if asset.file.metadata && asset.file.metadata[:asset_type] == 'bio_eddie' %>
     <%= truncate("#{asset.file.metadata[:name]}.helm", length: Constants::FILENAME_TRUNCATION_LENGTH) %>
     <%= t('Download')%>
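Review bot: The branch on `report.present?` encodes an authorization rule that the code does not state: an existing report (found via the team- and project-scoped lookup above it) requires `can_manage_report?`, while building a new one requires `can_create_reports?` on the team, and it replaces the `||=` fallback that previously created one unconditionally. A one-line comment above the `if` would keep the next reader from collapsing it back into the old form, e.g. `# existing report: caller must be able to manage it; a new one needs create rights on the team`. Since `report` is the result of an ActiveRecord `find_by`, the plain truthiness test `if report` is the idiomatic spelling of `if report.present?`. The enclosing action begins before this hunk.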
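Review bot: `check_project_read_permissions` assumes `@project` was already loaded by `load_vars_nested`; should the filter ever be listed for an action that `load_vars_nested` does not cover, it calls `can_read_project?(nil)`, whose result is not visible here, instead of failing closed. A nil guard makes the filter safe on its own: `render_403 unless @project && can_read_project?(@project)`. A comment on the method, `# relies on load_vars_nested having set @project for the same actions`, would also document the coupling that the removal from `load_vars_nested` in the previous hunk introduces.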