diff --git a/app/controllers/api/v2/inventory_item_child_relationships_controller.rb b/app/controllers/api/v2/inventory_item_child_relationships_controller.rb index 8d6043753..47571b883 100644 --- a/app/controllers/api/v2/inventory_item_child_relationships_controller.rb +++ b/app/controllers/api/v2/inventory_item_child_relationships_controller.rb @@ -18,7 +18,7 @@ module Api end def create - inventory_item_to_link = RepositoryRow.where(repository: Repository.accessible_by_teams(@team)) + inventory_item_to_link = RepositoryRow.where(repository: Repository.viewable_by_user(current_user, @team)) .find(connection_params[:child_id]) child_connection = @inventory_item.child_connections.create!( child: inventory_item_to_link, diff --git a/app/controllers/api/v2/inventory_item_parent_relationships_controller.rb b/app/controllers/api/v2/inventory_item_parent_relationships_controller.rb index dec716a7d..bf0c663d5 100644 --- a/app/controllers/api/v2/inventory_item_parent_relationships_controller.rb +++ b/app/controllers/api/v2/inventory_item_parent_relationships_controller.rb @@ -20,7 +20,7 @@ module Api end def create - inventory_item_to_link = RepositoryRow.where(repository: Repository.accessible_by_teams(@team)) + inventory_item_to_link = RepositoryRow.where(repository: Repository.viewable_by_user(current_user, @team)) .find(connection_params[:parent_id]) parent_connection = @inventory_item.parent_connections.create!( parent: inventory_item_to_link, diff --git a/app/controllers/at_who_controller.rb b/app/controllers/at_who_controller.rb index f6a801d11..f48645f81 100644 --- a/app/controllers/at_who_controller.rb +++ b/app/controllers/at_who_controller.rb @@ -27,7 +27,7 @@ class AtWhoController < ApplicationController if params[:repository_id].present? Repository.find_by(id: params[:repository_id]) else - Repository.active.accessible_by_teams(@team).first + Repository.active.viewable_by_user(current_user, @team).first end items = [] @@ -54,8 +54,8 @@ class AtWhoController < ApplicationController end def menu - repositories = Repository.active.accessible_by_teams(@team) - render json: { + repositories = Repository.active.viewable_by_user(current_user, @team) + render json: { html: render_to_string(partial: 'shared/smart_annotation/menu', locals: { repositories: repositories }, formats: :html) diff --git a/app/controllers/hidden_repository_cell_reminders_controller.rb b/app/controllers/hidden_repository_cell_reminders_controller.rb index 5ed53b5f1..ad7472d8c 100644 --- a/app/controllers/hidden_repository_cell_reminders_controller.rb +++ b/app/controllers/hidden_repository_cell_reminders_controller.rb @@ -15,7 +15,7 @@ class HiddenRepositoryCellRemindersController < ApplicationController private def load_repository - @repository = Repository.accessible_by_teams(current_team).find_by(id: params[:repository_id]) + @repository = Repository.viewable_by_user(current_user).find_by(id: params[:repository_id]) render_404 unless @repository end diff --git a/app/controllers/my_module_repositories_controller.rb b/app/controllers/my_module_repositories_controller.rb index 1cb81a6c0..56da98afd 100644 --- a/app/controllers/my_module_repositories_controller.rb +++ b/app/controllers/my_module_repositories_controller.rb @@ -145,7 +145,7 @@ class MyModuleRepositoriesController < ApplicationController end def repositories_list_html - @assigned_repositories = @my_module.live_and_snapshot_repositories_list + @assigned_repositories = @my_module.readable_live_and_snapshot_repositories_list(current_user) render json: { html: render_to_string(partial: 'my_modules/repositories/repositories_list'), assigned_rows_count: @assigned_repositories.map(&:assigned_rows_count).sum @@ -162,7 +162,7 @@ class MyModuleRepositoriesController < ApplicationController end def repositories_dropdown_list - @repositories = Repository.accessible_by_teams(current_team).joins(" + @repositories = Repository.viewable_by_user(current_user).joins(" LEFT OUTER JOIN repository_rows ON repository_rows.repository_id = repositories.id LEFT OUTER JOIN my_module_repository_rows ON diff --git a/app/controllers/my_module_shareable_links_controller.rb b/app/controllers/my_module_shareable_links_controller.rb index 225825ab0..a94200217 100644 --- a/app/controllers/my_module_shareable_links_controller.rb +++ b/app/controllers/my_module_shareable_links_controller.rb @@ -153,7 +153,7 @@ class MyModuleShareableLinksController < ApplicationController end def load_repository - @repository = @my_module.assigned_repositories.find_by(id: params[:id]) + @repository = @my_module.assigned_repositories.viewable_by_user(current_user).find_by(id: params[:id]) render_404 unless @repository end diff --git a/app/controllers/my_modules_controller.rb b/app/controllers/my_modules_controller.rb index 807c5261d..01a4f86c2 100644 --- a/app/controllers/my_modules_controller.rb +++ b/app/controllers/my_modules_controller.rb @@ -304,7 +304,7 @@ class MyModulesController < ApplicationController def protocols @protocol = @my_module.protocol - @assigned_repositories = @my_module.live_and_snapshot_repositories_list + @assigned_repositories = @my_module.readable_live_and_snapshot_repositories_list(current_user) end def protocol diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb index c148511f3..8e779bb0c 100644 --- a/app/controllers/reports_controller.rb +++ b/app/controllers/reports_controller.rb @@ -312,7 +312,7 @@ class ReportsController < ApplicationController def load_wizard_vars @templates = Extends::REPORT_TEMPLATES - live_repositories = Repository.accessible_by_teams(current_team).sort_by { |r| r.name.downcase } + live_repositories = Repository.viewable_by_user(current_user).sort_by { |r| r.name.downcase } snapshots_of_deleted = RepositorySnapshot.left_outer_joins(:original_repository) .where(team: current_team) .where.not(original_repository: live_repositories) @@ -348,7 +348,7 @@ class ReportsController < ApplicationController def load_available_repositories @available_repositories = [] repositories = Repository.active - .accessible_by_teams(current_team) + .viewable_by_user(current_user) .name_like(search_params[:query]) .limit(Constants::SEARCH_LIMIT) repositories.each do |repository| diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb index 8e5ead106..cdfe1d2e3 100644 --- a/app/controllers/repositories_controller.rb +++ b/app/controllers/repositories_controller.rb @@ -298,14 +298,14 @@ class RepositoriesController < ApplicationController end def import_records - render_403 unless can_create_repository_rows?(Repository.accessible_by_teams(current_team) + render_403 unless can_create_repository_rows?(Repository.viewable_by_user(current_user) .find_by(id: import_params[:id])) # Check if there exist mapping for repository record (it's mandatory) if import_params[:mappings].present? && import_params[:mappings].value?('-1') status = ImportRepository::ImportRecords .new( temp_file: TempFile.find_by(id: import_params[:file_id]), - repository: Repository.accessible_by_teams(current_team).find_by(id: import_params[:id]), + repository: Repository.viewable_by_user(current_user).find_by(id: import_params[:id]), mappings: import_params[:mappings], session: session, user: current_user, @@ -452,12 +452,12 @@ class RepositoriesController < ApplicationController def load_repository repository_id = params[:id] || params[:repository_id] - @repository = Repository.accessible_by_teams(current_user.teams).find_by(id: repository_id) + @repository = Repository.viewable_by_user(current_user).find_by(id: repository_id) render_404 unless @repository end def load_repositories - @repositories = Repository.accessible_by_teams(current_team) + @repositories = Repository.viewable_by_user(current_user) end def load_repositories_for_archiving diff --git a/app/controllers/repository_columns_controller.rb b/app/controllers/repository_columns_controller.rb index 7b6e640dc..707a6beb8 100644 --- a/app/controllers/repository_columns_controller.rb +++ b/app/controllers/repository_columns_controller.rb @@ -107,7 +107,7 @@ class RepositoryColumnsController < ApplicationController AvailableRepositoryColumn = Struct.new(:id, :name) def load_repository - @repository = Repository.accessible_by_teams(current_team).find_by(id: params[:repository_id]) + @repository = Repository.viewable_by_user(current_user).find_by(id: params[:repository_id]) render_404 unless @repository end diff --git a/app/controllers/repository_row_connections_controller.rb b/app/controllers/repository_row_connections_controller.rb index 61e1c79b3..f3b3d998d 100644 --- a/app/controllers/repository_row_connections_controller.rb +++ b/app/controllers/repository_row_connections_controller.rb @@ -56,7 +56,7 @@ class RepositoryRowConnectionsController < ApplicationController end def repositories - repositories = Repository.accessible_by_teams(current_team) + repositories = Repository.viewable_by_user(current_user) .search_by_name_and_id(current_user, current_user.teams, params[:query]) .order(name: :asc) .page(params[:page] || 1) @@ -69,7 +69,7 @@ class RepositoryRowConnectionsController < ApplicationController end def repository_rows - selected_repository = Repository.accessible_by_teams(current_team).find(params[:selected_repository_id]) + selected_repository = Repository.viewable_by_user(current_user).find(params[:selected_repository_id]) repository_rows = selected_repository.repository_rows .where.not(id: @repository_row.id) @@ -93,14 +93,14 @@ class RepositoryRowConnectionsController < ApplicationController return render_422(t('.invalid_params')) unless @relation_type - @connection_repository = Repository.accessible_by_teams(current_team) + @connection_repository = Repository.viewable_by_user(current_user) .find_by(id: connection_params[:connection_repository_id]) return render_404 unless @connection_repository return render_403 unless can_connect_repository_rows?(@connection_repository) end def load_repository - @repository = Repository.accessible_by_teams(current_team).find_by(id: params[:repository_id]) + @repository = Repository.viewable_by_user(current_user).find_by(id: params[:repository_id]) render_404 unless @repository end diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb index a9c8b11e1..8bcf51962 100644 --- a/app/controllers/repository_rows_controller.rb +++ b/app/controllers/repository_rows_controller.rb @@ -358,14 +358,14 @@ class RepositoryRowsController < ApplicationController AvailableRepositoryRow = Struct.new(:id, :name, :has_file_attached) def load_repository - @repository = Repository.accessible_by_teams(current_team) + @repository = Repository.viewable_by_user(current_user) .eager_load(:repository_columns) .find_by(id: params[:repository_id]) render_404 unless @repository end def load_repository_or_snapshot - @repository = Repository.accessible_by_teams(current_team).find_by(id: params[:repository_id]) || + @repository = Repository.viewable_by_user(current_user).find_by(id: params[:repository_id]) || RepositorySnapshot.find_by(id: params[:repository_id]) return render_404 unless @repository end diff --git a/app/controllers/repository_table_filters_controller.rb b/app/controllers/repository_table_filters_controller.rb index 8ad3123c5..a5009529a 100644 --- a/app/controllers/repository_table_filters_controller.rb +++ b/app/controllers/repository_table_filters_controller.rb @@ -70,7 +70,7 @@ class RepositoryTableFiltersController < ApplicationController private def load_repository - @repository = Repository.accessible_by_teams(current_team).find_by(id: params[:repository_id]) + @repository = Repository.viewable_by_user(current_user).find_by(id: params[:repository_id]) render_403 unless can_read_repository?(@repository) end diff --git a/app/helpers/reports_helper.rb b/app/helpers/reports_helper.rb index 07e3eec42..7dcc85929 100644 --- a/app/helpers/reports_helper.rb +++ b/app/helpers/reports_helper.rb @@ -106,14 +106,4 @@ module ReportsHelper experiment_element.experiment.description end end - - def assigned_to_report_repository_items(report, repository_name) - repository = Repository.accessible_by_teams(report.team).where(name: repository_name).take - return RepositoryRow.none if repository.blank? - - my_modules = MyModule.joins(:experiment) - .where(experiment: { project: report.project }) - .where(id: report.report_elements.my_module.select(:my_module_id)) - repository.repository_rows.joins(:my_modules).where(my_modules: my_modules) - end end diff --git a/app/jobs/team_zip_export_job.rb b/app/jobs/team_zip_export_job.rb index c8339bf4d..f9f6fa8f3 100644 --- a/app/jobs/team_zip_export_job.rb +++ b/app/jobs/team_zip_export_job.rb @@ -39,7 +39,7 @@ class TeamZipExportJob < ZipExportJob inventories = "#{project_path}/Inventories" FileUtils.mkdir_p(inventories) - repositories = project.assigned_repositories_and_snapshots + repositories = project.assigned_readable_repositories_and_snapshots(@user) # Iterate through every inventory repo and save it to CSV repositories.each_with_index do |repo, repo_idx| diff --git a/app/models/asset.rb b/app/models/asset.rb index a1c55770e..8c11a7494 100644 --- a/app/models/asset.rb +++ b/app/models/asset.rb @@ -74,7 +74,10 @@ class Asset < ApplicationRecord .pluck(:id) assets_in_inventories = Asset.joins(repository_cell: { repository_column: :repository }) - .where(repositories: { team: teams }) + .where(repositories: { + id: Repository.with_granted_permissions(user, RepositoryPermissions::READ).select(:id), + team_id: teams + }) .where.not(repositories: { type: 'RepositorySnapshot' }) .pluck(:id) diff --git a/app/models/concerns/assignable.rb b/app/models/concerns/assignable.rb index afcea0ae8..d09db4d95 100644 --- a/app/models/concerns/assignable.rb +++ b/app/models/concerns/assignable.rb @@ -15,21 +15,33 @@ module Assignable inverse_of: :assignable scope :readable_by_user, lambda { |user| - joins(user_assignments: :user_role) - .where(user_assignments: { user: user }) - .where('? = ANY(user_roles.permissions)', "::#{self.class.to_s.split('::').first}Permissions".constantize::READ) + joins("INNER JOIN user_assignments reading_user_assignments " \ + "ON reading_user_assignments.assignable_type = '#{base_class.name}' " \ + "AND reading_user_assignments.assignable_id = #{table_name}.id " \ + "INNER JOIN user_roles reading_user_roles " \ + "ON reading_user_assignments.user_role_id = reading_user_roles.id") + .where(reading_user_assignments: { user_id: user.id }) + .where('? = ANY(reading_user_roles.permissions)', "::#{self.class.to_s.split('::').first}Permissions".constantize::READ) } scope :managable_by_user, lambda { |user| - joins(user_assignments: :user_role) - .where(user_assignments: { user: user }) - .where('? = ANY(user_roles.permissions)', "::#{self.class.to_s.split('::').first}Permissions".constantize::MANAGE) + joins("INNER JOIN user_assignments managing_user_assignments " \ + "ON managing_user_assignments.assignable_type = '#{base_class.name}' " \ + "AND managing_user_assignments.assignable_id = #{table_name}.id " \ + "INNER JOIN user_roles managing_user_roles " \ + "ON managing_user_assignments.user_role_id = managing_user_roles.id") + .where(managing_user_assignments: { user_id: user.id }) + .where('? = ANY(managing_user_roles.permissions)', "::#{self.class.to_s.split('::').first}Permissions".constantize::MANAGE) } scope :with_user_permission, lambda { |user, permission| - joins(user_assignments: :user_role) - .where(user_assignments: { user: user }) - .where('? = ANY(user_roles.permissions)', permission) + joins("INNER JOIN user_assignments permission_checking_user_assignments " \ + "ON permission_checking_user_assignments.assignable_type = '#{base_class.name}' " \ + "AND permission_checking_user_assignments.assignable_id = #{table_name}.id " \ + "INNER JOIN user_roles permission_checking_user_roles " \ + "ON permission_checking_user_assignments.user_role_id = permission_checking_user_roles.id") + .where(permission_checking_user_assignments: { user_id: user.id }) + .where('? = ANY(permission_checking_user_roles.permissions)', permission) } after_create :create_users_assignments diff --git a/app/models/experiment.rb b/app/models/experiment.rb index 464de0f9e..57a1a820c 100644 --- a/app/models/experiment.rb +++ b/app/models/experiment.rb @@ -84,6 +84,8 @@ class Experiment < ApplicationRecord end def self.with_children_viewable_by_user(user) + # the NONE permission at the end also allows for experiments with hidden tasks (virtually empty) + # to show up on the list joins(" LEFT OUTER JOIN my_modules ON my_modules.experiment_id = experiments.id LEFT OUTER JOIN user_assignments my_module_user_assignments @@ -94,8 +96,8 @@ class Experiment < ApplicationRecord ") .where(' (my_module_user_assignments.user_id = ? AND my_module_user_roles.permissions @> ARRAY[?]::varchar[] - OR my_modules.id IS NULL) - ', user.id, MyModulePermissions::READ) + OR my_modules.id IS NULL OR my_module_user_roles.permissions @> ARRAY[?]::varchar[]) + ', user.id, MyModulePermissions::READ, MyModulePermissions::NONE) end def self.filter_by_teams(teams = []) diff --git a/app/models/my_module.rb b/app/models/my_module.rb index e1eea3c3a..6f6b3724a 100644 --- a/app/models/my_module.rb +++ b/app/models/my_module.rb @@ -177,14 +177,12 @@ class MyModule < ApplicationRecord end def assigned_repositories - team = experiment.project.team - Repository.accessible_by_teams(team) - .joins(repository_rows: :my_module_repository_rows) + Repository.joins(repository_rows: :my_module_repository_rows) .where(my_module_repository_rows: { my_module_id: id }) .group(:id) end - def live_and_snapshot_repositories_list + def readable_live_and_snapshot_repositories_list(user, team = user.current_team) snapshots = repository_snapshots.left_outer_joins(:original_repository) selected_snapshots = snapshots.where(selected: true) @@ -197,6 +195,7 @@ class MyModule < ApplicationRecord .order(:parent_id, updated_at: :desc) live_repositories = assigned_repositories + .viewable_by_user(user, team) .select('repositories.*, COUNT(DISTINCT repository_rows.id) AS assigned_rows_count') .where.not(id: repository_snapshots.where(selected: true).select(:parent_id)) diff --git a/app/models/project.rb b/app/models/project.rb index 0d04cb56b..6b6c5a027 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -201,9 +201,9 @@ class Project < ApplicationRecord st end - def assigned_repositories_and_snapshots - live_repositories = Repository.assigned_to_project(self) - snapshots = RepositorySnapshot.assigned_to_project(self) + def assigned_readable_repositories_and_snapshots(user) + live_repositories = Repository.assigned_to_project(self).readable_by_user(user) + snapshots = RepositorySnapshot.assigned_to_project(self).readable_by_user(user) (live_repositories + snapshots).sort_by { |r| r.name.downcase } end diff --git a/app/models/protocol.rb b/app/models/protocol.rb index a1a69b3d8..46156dc67 100644 --- a/app/models/protocol.rb +++ b/app/models/protocol.rb @@ -255,11 +255,8 @@ class Protocol < ApplicationRecord def self.viewable_by_user_my_module_protocols(user, teams) distinct.joins(:my_module) - .joins("INNER JOIN user_assignments my_module_user_assignments " \ - "ON my_module_user_assignments.assignable_type = 'MyModule' " \ - "AND my_module_user_assignments.assignable_id = my_modules.id") - .where(my_module_user_assignments: { user_id: user }) - .where(team: teams) + .where(my_modules: MyModule.with_granted_permissions(user, MyModulePermissions::READ) + .where(user_assignments: { team: teams })) end def self.filter_by_teams(teams = []) diff --git a/app/models/report.rb b/app/models/report.rb index 35ddf5729..0d1fbc97d 100644 --- a/app/models/report.rb +++ b/app/models/report.rb @@ -103,7 +103,7 @@ class Report < ApplicationRecord def self.generate_whole_project_report(project, current_user, current_team) content = { 'experiments' => [], - 'repositories' => project.assigned_repositories_and_snapshots.pluck(:id) + 'repositories' => project.assigned_readable_repositories_and_snapshots(current_user).pluck(:id) } project.experiments.includes(:my_modules).find_each do |experiment| content['experiments'].push( diff --git a/app/models/repository.rb b/app/models/repository.rb index 8cca5c0f3..052b4c346 100644 --- a/app/models/repository.rb +++ b/app/models/repository.rb @@ -48,21 +48,19 @@ class Repository < RepositoryBase scope :archived, -> { where(archived: true) } scope :globally_shared, -> { where(permission_level: %i(shared_read shared_write)) } - scope :accessible_by_teams, lambda { |teams| - accessible_repositories = left_outer_joins(:team_shared_objects) - accessible_repositories = - accessible_repositories + scope :viewable_by_user, lambda { |user, teams = user.current_team| + readable_repositories = readable_by_user(user).left_outer_joins(:team_shared_objects) + readable_repositories .where(team: teams) - .or(accessible_repositories.where(team_shared_objects: { team: teams })) - .or(accessible_repositories - .where(permission_level: [Extends::SHARED_OBJECTS_PERMISSION_LEVELS[:shared_read], - Extends::SHARED_OBJECTS_PERMISSION_LEVELS[:shared_write]])) - accessible_repositories.distinct + .or(readable_repositories.where(team_shared_objects: { team: teams })) + .or(readable_repositories + .where(permission_level: [Extends::SHARED_OBJECTS_PERMISSION_LEVELS[:shared_read], Extends::SHARED_OBJECTS_PERMISSION_LEVELS[:shared_write]]) + .where.not(team: teams)) + .distinct } scope :assigned_to_project, lambda { |project| - accessible_by_teams(project.team) - .joins(repository_rows: { my_module_repository_rows: { my_module: { experiment: :project } } }) + joins(repository_rows: { my_module_repository_rows: { my_module: { experiment: :project } } }) .where(repository_rows: { my_module_repository_rows: { my_module: { experiments: { project: project } } } }) } @@ -151,10 +149,6 @@ class Repository < RepositoryBase team_shared_objects.where(team: team, permission_level: :shared_write).any? end - def self.viewable_by_user(_user, teams) - accessible_by_teams(teams) - end - def self.name_like(query) where('repositories.name ILIKE ?', "%#{query}%") end diff --git a/app/models/repository_row.rb b/app/models/repository_row.rb index 923164d0f..9cbf93f32 100644 --- a/app/models/repository_row.rb +++ b/app/models/repository_row.rb @@ -125,18 +125,17 @@ class RepositoryRow < ApplicationRecord def self.search(user, include_archived, query = nil, - _current_team = nil, + current_team = nil, options = {}) teams = options[:teams] || current_team || user.teams.select(:id) searchable_row_fields = [RepositoryRow::PREFIXED_ID_SQL, 'repository_rows.name', 'users.full_name'] - readable_rows = distinct.joins(:repository, :created_by) - .joins("INNER JOIN user_assignments repository_user_assignments " \ - "ON repository_user_assignments.assignable_type = 'RepositoryBase' " \ - "AND repository_user_assignments.assignable_id = repositories.id") - .where(repository_user_assignments: { user_id: user, team_id: teams }) - + readable_rows = + distinct + .joins(:repository, :created_by) + .where(repositories: { id: Repository.with_granted_permissions(user, RepositoryPermissions::READ).select(:id), + team_id: teams }) readable_rows = readable_rows.active unless include_archived repository_rows = readable_rows.where_attributes_like_boolean(searchable_row_fields, query, options) diff --git a/app/models/result.rb b/app/models/result.rb index 95e3a9150..5df4fa375 100644 --- a/app/models/result.rb +++ b/app/models/result.rb @@ -47,10 +47,8 @@ class Result < ApplicationRecord new_query = left_joins(:result_comments, :result_texts, result_tables: :table) .joins(:my_module) - .joins("INNER JOIN user_assignments my_module_user_assignments " \ - "ON my_module_user_assignments.assignable_type = 'MyModule' " \ - "AND my_module_user_assignments.assignable_id = my_modules.id") - .where(my_module_user_assignments: { user_id: user, team_id: teams }) + .where(my_modules: MyModule.with_granted_permissions(user, MyModulePermissions::READ) + .where(user_assignments: { team: teams })) unless include_archived new_query = new_query.joins(my_module: { experiment: :project }) diff --git a/app/models/user.rb b/app/models/user.rb index 27470c04d..271797bee 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -374,7 +374,7 @@ class User < ApplicationRecord end def current_team - Team.find_by_id(self.current_team_id) + @current_team ||= teams.find_by(id: current_team_id) end def permission_team=(team) diff --git a/app/permissions/repository.rb b/app/permissions/repository.rb index f65997154..338376c8a 100644 --- a/app/permissions/repository.rb +++ b/app/permissions/repository.rb @@ -6,7 +6,7 @@ Canaid::Permissions.register_for(RepositoryBase) do if repository.is_a?(RepositorySnapshot) can_read_my_module?(user, repository.my_module) else - user.teams.include?(repository.team) || repository.shared_with?(user.current_team) + repository.permission_granted?(user, RepositoryPermissions::READ) end end diff --git a/app/serializers/result_serializer.rb b/app/serializers/result_serializer.rb index 156cc8b7f..f7acef68e 100644 --- a/app/serializers/result_serializer.rb +++ b/app/serializers/result_serializer.rb @@ -10,7 +10,11 @@ class ResultSerializer < ActiveModel::Serializer attributes :name, :id, :urls, :updated_at, :created_at_formatted, :updated_at_formatted, :user, :my_module_id, :attachments_manageble, :marvinjs_enabled, :marvinjs_context, :type, :wopi_enabled, :wopi_context, :created_at, :created_by, :archived, :assets_order, - :open_vector_editor_context, :comments_count, :assets_view_mode, :storage_limit + :open_vector_editor_context, :comments_count, :assets_view_mode, :storage_limit, :collapsed + + def collapsed + false + end def marvinjs_enabled MarvinJsService.enabled? diff --git a/app/services/activities_service.rb b/app/services/activities_service.rb index 26d4af806..516b0040f 100644 --- a/app/services/activities_service.rb +++ b/app/services/activities_service.rb @@ -5,19 +5,28 @@ class ActivitiesService # Create condition for view permissions checking first visible_teams = user.teams.where(id: teams) visible_projects = Project.viewable_by_user(user, visible_teams) + # Temporary solution until handling of deleted subjects is fully implemented + visible_repository_teams = visible_teams.with_user_permission(user, RepositoryPermissions::READ) visible_by_teams = Activity.where(project: nil, team_id: visible_teams.select(:id)) + .where.not(subject_type: %w(RepositoryBase RepositoryRow)) .order(created_at: :desc) + visible_by_repositories = Activity.where(subject_type: %w(RepositoryBase RepositoryRow), team_id: visible_repository_teams.select(:id)) + .order(created_at: :desc) visible_by_projects = Activity.where(project_id: visible_projects.select(:id)) .order(created_at: :desc) - query = Activity.from("((#{visible_by_teams.to_sql}) UNION ALL (#{visible_by_projects.to_sql})) AS activities") + query = Activity.from( + "((#{visible_by_teams.to_sql}) UNION ALL " \ + "(#{visible_by_repositories.to_sql}) UNION ALL " \ + "(#{visible_by_projects.to_sql})) AS activities" + ) if filters[:subjects].present? - subjects_with_children = load_subjects_children(filters[:subjects]) + subjects_with_children = load_subjects_children(filters[:subjects], user, teams) where_condition = subjects_with_children.to_h.map { '(subject_type = ? AND subject_id IN(?))' }.join(' OR ') where_arguments = subjects_with_children.to_h.flatten if subjects_with_children[:my_module] - where_condition = where_condition.concat(' OR (my_module_id IN(?))') + where_condition.concat(' OR (my_module_id IN(?))') where_arguments << subjects_with_children[:my_module] end query = query.where(where_condition, *where_arguments) @@ -45,7 +54,7 @@ class ActivitiesService .without_count end - def self.load_subjects_children(subjects = {}) + def self.load_subjects_children(subjects = {}, user = nil, teams = nil) Extends::ACTIVITY_SUBJECT_CHILDREN.each do |subject_name, children| subject_name = subject_name.to_s.camelize next unless children && subjects[subject_name] @@ -55,19 +64,23 @@ class ActivitiesService child_model = parent_model.reflect_on_association(child).class_name.to_sym next if subjects[child_model] - if subject_name == 'Result' - parent_model = parent_model.with_discarded - end + parent_model = parent_model.with_discarded if subject_name == 'Result' - if child == :results - subjects[child_model] = parent_model.where(id: subjects[subject_name]) - .joins(:results_include_discarded) - .pluck('results.id') - else - subjects[child_model] = parent_model.where(id: subjects[subject_name]) - .joins(child) - .pluck("#{child.to_s.pluralize}.id") - end + subjects[child_model] = + case child + when :results + parent_model.where(id: subjects[subject_name]) + .joins(:results_include_discarded) + .pluck('results.id') + when :repositories + parent_model.viewable_by_user(user, teams) + .where(id: subjects[subject_name]) + .pluck('repositories.id') + else + parent_model.where(id: subjects[subject_name]) + .joins(child) + .pluck("#{child.to_s.pluralize}.id") + end end end diff --git a/app/services/lists/repositories_service.rb b/app/services/lists/repositories_service.rb index c97bfc7d0..20062cb1c 100644 --- a/app/services/lists/repositories_service.rb +++ b/app/services/lists/repositories_service.rb @@ -13,7 +13,7 @@ module Lists .joins(:team) .select('repositories.*') .select('MAX(teams.name) AS team_name') - .select('COUNT(repository_rows.*) AS row_count') + .select('COUNT(DISTINCT(repository_rows.*)) AS row_count') .select('MAX(creators.full_name) AS created_by_user') .select('MAX(archivers.full_name) AS archived_by_user') .select(shared_sql_select) diff --git a/app/services/report_actions/report_content.rb b/app/services/report_actions/report_content.rb index 8ca49db4f..5dee86ff0 100644 --- a/app/services/report_actions/report_content.rb +++ b/app/services/report_actions/report_content.rb @@ -81,7 +81,7 @@ module ReportActions my_module_element = save_element!({ 'my_module_id' => my_module.id }, :my_module, experiment_element) - my_module.live_and_snapshot_repositories_list.each do |repository| + my_module.readable_live_and_snapshot_repositories_list(@user, @report.team).each do |repository| next unless @repositories.include?(repository.parent_id || repository.id) save_element!( diff --git a/app/services/report_actions/save_pdf_to_inventory_item.rb b/app/services/report_actions/save_pdf_to_inventory_item.rb index 0343f0230..88b1e1a90 100644 --- a/app/services/report_actions/save_pdf_to_inventory_item.rb +++ b/app/services/report_actions/save_pdf_to_inventory_item.rb @@ -33,7 +33,7 @@ module ReportActions include Canaid::Helpers::PermissionsHelper def load_repository_collaborators - @repository = Repository.active.accessible_by_teams(@team).find_by(id: @params[:repository_id]) + @repository = Repository.active.viewable_by_user(@user, @team).find_by(id: @params[:repository_id]) unless can_create_repository_rows?(@user, @repository) raise ReportActions::RepositoryPermissionError, I18n.t('projects.reports.new.no_permissions') end diff --git a/app/services/smart_annotations/permission_eval.rb b/app/services/smart_annotations/permission_eval.rb index f9110d9e5..5f4eb209d 100644 --- a/app/services/smart_annotations/permission_eval.rb +++ b/app/services/smart_annotations/permission_eval.rb @@ -25,7 +25,7 @@ module SmartAnnotations def validate_rep_item_permissions(user, team, object) if object.repository - return Repository.accessible_by_teams(team).find_by(id: object.repository_id).present? && + return Repository.viewable_by_user(user, team).find_by(id: object.repository_id).present? && can_read_repository?(user, object.repository) end diff --git a/app/views/global_activities/references/_repository_row.html.erb b/app/views/global_activities/references/_repository_row.html.erb index d0e12c272..a8076ad73 100644 --- a/app/views/global_activities/references/_repository_row.html.erb +++ b/app/views/global_activities/references/_repository_row.html.erb @@ -7,8 +7,7 @@ team, subject.repository.name&.truncate(Constants::NAME_TRUNCATION_LENGTH), title: subject.repository.name) %> - <% elsif type_of == 'delete_item_inventory' && values.dig('message_items', 'repository', 'id') %> - <% repository = Repository.find(values.dig('message_items', 'repository', 'id')) %> + <% elsif repository = Repository.find_by(id: values.dig('message_items', 'repository', 'id')) %> <%= route_to_other_team(repository_path(repository.id, team: repository.team.id), team, repository.name&.truncate(Constants::NAME_TRUNCATION_LENGTH), diff --git a/app/views/shareable_links/my_module_protocol_show.html.erb b/app/views/shareable_links/my_module_protocol_show.html.erb index 6e1d46ec6..3c9caf7a3 100644 --- a/app/views/shareable_links/my_module_protocol_show.html.erb +++ b/app/views/shareable_links/my_module_protocol_show.html.erb @@ -57,7 +57,7 @@ - <% assigned_repositories = @my_module.live_and_snapshot_repositories_list %> + <% assigned_repositories = @my_module.readable_live_and_snapshot_repositories_list(current_user) %>