Update permissions for team owner to see all protocols and can manage users [SCI-8380] (#5371)

2025-04-02 02:10:34 +08:00 · 2023-05-09 16:23:29 +02:00 · 2023-05-09 16:23:29 +02:00 · ab318df1af
commit ab318df1af
parent 783d5d03ab
4 changed files with 16 additions and 5 deletions
--- a/app/controllers/api/v1/protocol_templates_controller.rb
+++ b/app/controllers/api/v1/protocol_templates_controller.rb
@ -12,7 +12,7 @@ module Api

      def index
        protocol_templates = Protocol.latest_available_versions(@team)
-                                     .with_granted_permissions(current_user, ProtocolPermissions::READ)
+                                     .viewable_by_user(current_user, @team)
                                     .page(params.dig(:page, :number))
                                     .per(params.dig(:page, :size))

--- a/app/datatables/protocols_datatable.rb
+++ b/app/datatables/protocols_datatable.rb
@ -149,7 +149,7 @@ class ProtocolsDatatable < CustomDatatable

    records = @type == :archived ? records.archived : records.active

-    records.with_granted_permissions(@user, ProtocolPermissions::READ)
+    records.viewable_by_user(@user, @team)
  end

  # Query database for records (this will be later paginated and filtered)
--- a/app/models/protocol.rb
+++ b/app/models/protocol.rb
@ -209,8 +209,18 @@ class Protocol < ApplicationRecord
  end

  def self.viewable_by_user(user, teams)
-    where(team: teams, protocol_type: REPOSITORY_TYPES).with_granted_permissions(user, ProtocolPermissions::READ)
-                                                       .or(where(my_module: MyModule.viewable_by_user(user, teams)))
+    # Team owners see all protocol templates in the team
+    owner_role = UserRole.find_predefined_owner_role
+    protocols = Protocol.left_outer_joins(:team, user_assignments: :user_role)
+                        .joins("LEFT OUTER JOIN user_assignments team_user_assignments " \
+                               "ON team_user_assignments.assignable_type = 'Team' " \
+                               "AND team_user_assignments.assignable_id = team.id")
+                        .where(team: teams)
+    protocols
+      .where(
+        protocol_type: REPOSITORY_TYPES, team: { team_user_assignments: { user_id: user, user_role_id: owner_role } }
+      )
+      .or(protocols.with_granted_permissions(user, ProtocolPermissions::READ)).distinct
  end

  def self.filter_by_teams(teams = [])
--- a/app/permissions/team.rb
+++ b/app/permissions/team.rb
@ -101,7 +101,8 @@ Canaid::Permissions.register_for(Protocol) do
  end

  can :manage_protocol_users do |user, protocol|
-    protocol.permission_granted?(user, ProtocolPermissions::USERS_MANAGE)
+    protocol.permission_granted?(user, ProtocolPermissions::USERS_MANAGE) ||
+      protocol.team.permission_granted?(user, TeamPermissions::MANAGE)
  end

  # protocol in repository: restore