Merge pull request #2748 from aignatov-bio/ai-sci-4886-add-permission-checks-to-docx

Add scopes and permission checks for docx report [SCI-4886]

app/services/reports/docx.rb

@@ -9,6 +9,7 @@ class Reports::Docx
   include InputSanitizeHelper
   include TeamsHelper
   include GlobalActivitiesHelper
+  include Canaid::Helpers::PermissionsHelper
 
   Dir[File.join(File.dirname(__FILE__), 'docx') + '**/*.rb'].each do |file|
     include_module = File.basename(file).gsub('.rb', '').split('_').map(&:capitalize).join

app/services/reports/docx/draw_experiment.rb

@@ -5,8 +5,8 @@ module Reports::Docx::DrawExperiment
     color = @color
     link_style = @link_style
     scinote_url = @scinote_url
-    experiment = Experiment.find_by_id(subject['id']['experiment_id'])
-    return unless experiment
+    experiment = Experiment.find_by(id: subject['id']['experiment_id'])
+    return unless experiment && can_read_experiment?(@user, experiment)
 
     @docx.h2 experiment.name, size: Constants::REPORT_DOCX_EXPERIMENT_TITLE_SIZE
     @docx.p do
@@ -25,7 +25,7 @@ module Reports::Docx::DrawExperiment
     html_to_word_converter(html)
     @docx.p
     subject['children'].each do |child|
-      public_send("draw_#{child['type_of']}", child)
+      public_send("draw_#{child['type_of']}", child, experiment)
     end
   end
 end

app/services/reports/docx/draw_my_module.rb

@@ -1,11 +1,11 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawMyModule
-  def draw_my_module(subject)
+  def draw_my_module(subject, experiment)
     color = @color
     link_style = @link_style
     scinote_url = @scinote_url
-    my_module = MyModule.find_by_id(subject['id']['my_module_id'])
+    my_module = experiment.my_modules.find_by(id: subject['id']['my_module_id'])
     tags = my_module.tags
     return unless my_module
 
@@ -55,7 +55,7 @@ module Reports::Docx::DrawMyModule
 
     @docx.p
     subject['children'].each do |child|
-      public_send("draw_#{child['type_of']}", child)
+      public_send("draw_#{child['type_of']}", child, my_module)
     end
   end
 end

app/services/reports/docx/draw_my_module_activity.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawMyModuleActivity
-  def draw_my_module_activity(subject)
-    my_module = MyModule.find_by_id(subject['id']['my_module_id'])
+  def draw_my_module_activity(subject, my_module)
     return unless my_module
 
     activities = ActivitiesService.my_module_activities(my_module).order(created_at: subject['sort_order'])

app/services/reports/docx/draw_my_module_protocol.rb

@@ -1,12 +1,11 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawMyModuleProtocol
-  def draw_my_module_protocol(subject)
-    my_module = MyModule.find_by_id(subject['id']['my_module_id'])
+  def draw_my_module_protocol(_subject, my_module)
     return unless my_module
 
     protocol = my_module.protocol
-    return false unless protocol.description.present?
+    return false if protocol.description.blank?
 
     @docx.p I18n.t 'projects.reports.elements.module.protocol.user_time',
                    timestamp: I18n.l(protocol.created_at, format: :full)

app/services/reports/docx/draw_my_module_repository.rb

@@ -1,15 +1,14 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawMyModuleRepository
-  def draw_my_module_repository(subject)
-    my_module = MyModule.find_by(id: subject['id']['my_module_id'])
+  def draw_my_module_repository(subject, my_module)
     return unless my_module
 
     repository_id = subject['id']['repository_id']
     repository = ::RepositoryBase.find(repository_id)
     repository_data = my_module.repository_docx_json(repository)
 
-    return false unless repository_data[:rows].any?
+    return false unless repository_data[:rows].any? && can_read_repository?(@user, repository)
 
     table = prepare_row_columns(repository_data)
 

app/services/reports/docx/draw_project_header.rb

@@ -2,8 +2,8 @@
 
 module Reports::Docx::DrawProjectHeader
   def draw_project_header(subject)
-    project = Project.find_by_id(subject['id']['project_id'])
-    return unless project
+    project = Project.find_by(id: subject['id']['project_id'])
+    return unless project && can_read_project?(@user, project)
 
     @docx.p I18n.t('projects.reports.elements.project_header.user_time',
                    timestamp: I18n.l(project.created_at, format: :full))

app/services/reports/docx/draw_result_asset.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawResultAsset
-  def draw_result_asset(subject)
-    result = Result.find_by_id(subject['id']['result_id'])
+  def draw_result_asset(subject, my_module)
+    result = my_module.results.find_by(id: subject['id']['result_id'])
     return unless result
 
     asset = result.asset
@@ -20,7 +20,7 @@ module Reports::Docx::DrawResultAsset
     asset_image_preparing(asset) if asset.image?
 
     subject['children'].each do |child|
-      public_send("draw_#{child['type_of']}", child)
+      public_send("draw_#{child['type_of']}", child, result)
     end
   end
 end

app/services/reports/docx/draw_result_comments.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawResultComments
-  def draw_result_comments(subject)
-    result = Result.find_by_id(subject['id']['result_id'])
+  def draw_result_comments(subject, result)
     return unless result
 
     comments = result.result_comments.order(created_at: subject['sort_order'])

app/services/reports/docx/draw_result_table.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawResultTable
-  def draw_result_table(subject)
-    result = Result.find_by_id(subject['id']['result_id'])
+  def draw_result_table(subject, my_module)
+    result = my_module.results.find_by(id: subject['id']['result_id'])
     return unless result
 
     table = result.table
@@ -20,7 +20,7 @@ module Reports::Docx::DrawResultTable
     end
     @docx.table JSON.parse(table.contents_utf_8)['data'], border_size: Constants::REPORT_DOCX_TABLE_BORDER_SIZE
     subject['children'].each do |child|
-      public_send("draw_#{child['type_of']}", child)
+      public_send("draw_#{child['type_of']}", child, result)
     end
   end
 end

app/services/reports/docx/draw_result_text.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawResultText
-  def draw_result_text(subject)
-    result = Result.find_by_id(subject['id']['result_id'])
+  def draw_result_text(subject, my_module)
+    result = my_module.results.find_by(id: subject['id']['result_id'])
     return unless result
 
     result_text = result.result_text
@@ -20,7 +20,7 @@ module Reports::Docx::DrawResultText
     html_to_word_converter(html)
 
     subject['children'].each do |child|
-      public_send("draw_#{child['type_of']}", child)
+      public_send("draw_#{child['type_of']}", child, result)
     end
   end
 end

app/services/reports/docx/draw_step.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawStep
-  def draw_step(subject)
+  def draw_step(subject, my_module)
     color = @color
-    step = Step.find_by_id(subject['id']['step_id'])
+    step = my_module.protocols.first.steps.find_by(id: subject['id']['step_id'])
     return unless step
 
     step_type_str = step.completed ? 'completed' : 'uncompleted'
@@ -33,7 +33,7 @@ module Reports::Docx::DrawStep
     end
 
     subject['children'].each do |child|
-      public_send("draw_#{child['type_of']}", child)
+      public_send("draw_#{child['type_of']}", child, step)
     end
     @docx.p
     @docx.p

app/services/reports/docx/draw_step_asset.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawStepAsset
-  def draw_step_asset(subject)
-    asset = Asset.find_by_id(subject['id']['asset_id'])
+  def draw_step_asset(subject, step)
+    asset = step.assets.find_by(id: subject['id']['asset_id'])
     return unless asset
 
     timestamp = asset.created_at

app/services/reports/docx/draw_step_checklist.rb

@@ -1,10 +1,10 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawStepChecklist
-  def draw_step_checklist(subject)
+  def draw_step_checklist(subject, step)
     team = @report_team
     user = @user
-    checklist = Checklist.find_by_id(subject['id']['checklist_id'])
+    checklist = step.checklists.find_by(id: subject['id']['checklist_id'])
     return unless checklist
 
     items = checklist.checklist_items

app/services/reports/docx/draw_step_comments.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawStepComments
-  def draw_step_comments(subject)
-    step = Step.find_by_id(subject['id']['step_id'])
+  def draw_step_comments(_subject, step)
     return unless step
 
     comments = step.step_comments

app/services/reports/docx/draw_step_table.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 module Reports::Docx::DrawStepTable
-  def draw_step_table(subject)
-    table = Table.find_by_id(subject['id']['table_id'])
+  def draw_step_table(subject, step)
+    table = step.tables.find_by(id: subject['id']['table_id'])
     return unless table
 
     color = @color