From ac32b5b04ad57c00b330faa0f8281f9b16ae448e Mon Sep 17 00:00:00 2001 From: Oleksii Kriuchykhin Date: Fri, 9 Aug 2024 15:56:59 +0200 Subject: [PATCH] Prevent repository access to users without repository READ permission on team level [SCI-10972] --- ...ory_item_child_relationships_controller.rb | 2 +- ...ry_item_parent_relationships_controller.rb | 2 +- app/controllers/at_who_controller.rb | 6 +-- ...en_repository_cell_reminders_controller.rb | 2 +- .../my_module_repositories_controller.rb | 4 +- .../my_module_shareable_links_controller.rb | 2 +- app/controllers/my_modules_controller.rb | 2 +- app/controllers/reports_controller.rb | 4 +- app/controllers/repositories_controller.rb | 8 ++-- .../repository_columns_controller.rb | 2 +- .../repository_row_connections_controller.rb | 8 ++-- app/controllers/repository_rows_controller.rb | 4 +- .../repository_table_filters_controller.rb | 2 +- app/helpers/reports_helper.rb | 12 +----- app/jobs/team_zip_export_job.rb | 2 +- app/models/asset.rb | 5 ++- app/models/my_module.rb | 7 ++- app/models/project.rb | 6 +-- app/models/protocol.rb | 7 +-- app/models/report.rb | 2 +- app/models/repository.rb | 24 +++++------ app/models/repository_row.rb | 13 +++--- app/models/result.rb | 6 +-- app/models/user.rb | 2 +- app/permissions/repository.rb | 2 +- app/services/activities_service.rb | 43 ++++++++++++------- app/services/report_actions/report_content.rb | 2 +- .../save_pdf_to_inventory_item.rb | 2 +- .../smart_annotations/permission_eval.rb | 2 +- .../my_module_protocol_show.html.erb | 2 +- 30 files changed, 92 insertions(+), 95 deletions(-) diff --git a/app/controllers/api/v2/inventory_item_child_relationships_controller.rb b/app/controllers/api/v2/inventory_item_child_relationships_controller.rb index 8d6043753..47571b883 100644 --- a/app/controllers/api/v2/inventory_item_child_relationships_controller.rb +++ b/app/controllers/api/v2/inventory_item_child_relationships_controller.rb 
@@ -18,7 +18,7 @@ module Api end def create - inventory_item_to_link = RepositoryRow.where(repository: Repository.accessible_by_teams(@team)) + inventory_item_to_link = RepositoryRow.where(repository: Repository.viewable_by_user(current_user, @team)) .find(connection_params[:child_id]) child_connection = @inventory_item.child_connections.create!( child: inventory_item_to_link, diff --git a/app/controllers/api/v2/inventory_item_parent_relationships_controller.rb b/app/controllers/api/v2/inventory_item_parent_relationships_controller.rb index dec716a7d..bf0c663d5 100644 --- a/app/controllers/api/v2/inventory_item_parent_relationships_controller.rb +++ b/app/controllers/api/v2/inventory_item_parent_relationships_controller.rb @@ -20,7 +20,7 @@ module Api end def create - inventory_item_to_link = RepositoryRow.where(repository: Repository.accessible_by_teams(@team)) + inventory_item_to_link = RepositoryRow.where(repository: Repository.viewable_by_user(current_user, @team)) .find(connection_params[:parent_id]) parent_connection = @inventory_item.parent_connections.create!( parent: inventory_item_to_link, diff --git a/app/controllers/at_who_controller.rb b/app/controllers/at_who_controller.rb index f6a801d11..f48645f81 100644 --- a/app/controllers/at_who_controller.rb +++ b/app/controllers/at_who_controller.rb @@ -27,7 +27,7 @@ class AtWhoController < ApplicationController if params[:repository_id].present? Repository.find_by(id: params[:repository_id]) else - Repository.active.accessible_by_teams(@team).first + Repository.active.viewable_by_user(current_user, @team).first end items = [] @@ -54,8 +54,8 @@ class AtWhoController < ApplicationController end def menu - repositories = Repository.active.accessible_by_teams(@team) - render json: { + repositories = Repository.active.viewable_by_user(current_user, @team) + render json: { html: render_to_string(partial: 'shared/smart_annotation/menu', locals: { repositories: repositories }, formats: :html) 
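Review bot: In `AtWhoController` the `if params[:repository_id].present?` branch still loads with an unscoped `Repository.find_by(id: params[:repository_id])`, so the new READ-scoped lookup only applies when no repository id is given; a caller can bypass the tightening simply by supplying one. Unless a `can_read_repository?` check follows outside the hunk, the branch should use the same scope, `Repository.viewable_by_user(current_user, @team).find_by(id: params[:repository_id])`. The enclosing action continues past the end of the hunk.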
diff --git a/app/controllers/hidden_repository_cell_reminders_controller.rb b/app/controllers/hidden_repository_cell_reminders_controller.rb index 5ed53b5f1..ad7472d8c 100644 --- a/app/controllers/hidden_repository_cell_reminders_controller.rb +++ b/app/controllers/hidden_repository_cell_reminders_controller.rb @@ -15,7 +15,7 @@ class HiddenRepositoryCellRemindersController < ApplicationController private def load_repository - @repository = Repository.accessible_by_teams(current_team).find_by(id: params[:repository_id]) + @repository = Repository.viewable_by_user(current_user).find_by(id: params[:repository_id]) render_404 unless @repository end diff --git a/app/controllers/my_module_repositories_controller.rb b/app/controllers/my_module_repositories_controller.rb index 1cb81a6c0..56da98afd 100644 --- a/app/controllers/my_module_repositories_controller.rb +++ b/app/controllers/my_module_repositories_controller.rb @@ -145,7 +145,7 @@ class MyModuleRepositoriesController < ApplicationController end def repositories_list_html - @assigned_repositories = @my_module.live_and_snapshot_repositories_list + @assigned_repositories = @my_module.readable_live_and_snapshot_repositories_list(current_user) render json: { html: render_to_string(partial: 'my_modules/repositories/repositories_list'), assigned_rows_count: @assigned_repositories.map(&:assigned_rows_count).sum @@ -162,7 +162,7 @@ class MyModuleRepositoriesController < ApplicationController end def repositories_dropdown_list - @repositories = Repository.accessible_by_teams(current_team).joins(" + @repositories = Repository.viewable_by_user(current_user).joins(" LEFT OUTER JOIN repository_rows ON repository_rows.repository_id = repositories.id LEFT OUTER JOIN my_module_repository_rows ON diff --git a/app/controllers/my_module_shareable_links_controller.rb b/app/controllers/my_module_shareable_links_controller.rb index 225825ab0..a94200217 100644 --- a/app/controllers/my_module_shareable_links_controller.rb 
+++ b/app/controllers/my_module_shareable_links_controller.rb @@ -153,7 +153,7 @@ class MyModuleShareableLinksController < ApplicationController end def load_repository - @repository = @my_module.assigned_repositories.find_by(id: params[:id]) + @repository = @my_module.assigned_repositories.viewable_by_user(current_user).find_by(id: params[:id]) render_404 unless @repository end diff --git a/app/controllers/my_modules_controller.rb b/app/controllers/my_modules_controller.rb index 807c5261d..01a4f86c2 100644 --- a/app/controllers/my_modules_controller.rb +++ b/app/controllers/my_modules_controller.rb @@ -304,7 +304,7 @@ class MyModulesController < ApplicationController def protocols @protocol = @my_module.protocol - @assigned_repositories = @my_module.live_and_snapshot_repositories_list + @assigned_repositories = @my_module.readable_live_and_snapshot_repositories_list(current_user) end def protocol diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb index c148511f3..8e779bb0c 100644 --- a/app/controllers/reports_controller.rb +++ b/app/controllers/reports_controller.rb @@ -312,7 +312,7 @@ class ReportsController < ApplicationController def load_wizard_vars @templates = Extends::REPORT_TEMPLATES - live_repositories = Repository.accessible_by_teams(current_team).sort_by { |r| r.name.downcase } + live_repositories = Repository.viewable_by_user(current_user).sort_by { |r| r.name.downcase } snapshots_of_deleted = RepositorySnapshot.left_outer_joins(:original_repository) .where(team: current_team) .where.not(original_repository: live_repositories) @@ -348,7 +348,7 @@ class ReportsController < ApplicationController def load_available_repositories @available_repositories = [] repositories = Repository.active - .accessible_by_teams(current_team) + .viewable_by_user(current_user) .name_like(search_params[:query]) .limit(Constants::SEARCH_LIMIT) repositories.each do |repository| 
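Review bot: `MyModuleShareableLinksController#load_repository` now calls `viewable_by_user(current_user)`, and the same call appears in `app/views/shareable_links/my_module_protocol_show.html.erb`; if these paths are served to anonymous visitors of a shareable link (which appears to be their purpose), `current_user` is nil and the scope's default argument `teams = user.current_team` raises `NoMethodError` before any query runs. The intended behaviour for a visitor without an account should be stated explicitly — either evaluate READ against a designated user (for example the link's creator, if the model records one) or short-circuit with an empty list — rather than relying on a crash. I cannot see from the hunk whether `authenticate_user!` is skipped for this action, so please confirm.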
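Review bot: In `ReportsController#load_wizard_vars`, `snapshots_of_deleted` is derived as `where.not(original_repository: live_repositories)`, and `live_repositories` is now the READ-filtered set rather than every accessible repository, so snapshots whose original still exists but is not readable by the current user are now classified as "snapshots of deleted" and presumably offered in the wizard under that label. If that is not intended, compute the "deleted" set from an unfiltered scope, e.g. `.where.not(original_repository: Repository.where(team: current_team))`, and apply the READ filter separately. Snapshot readability itself is evaluated via the my_module permission elsewhere in this patch, so this is only a labelling/visibility concern.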
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb index 8e5ead106..cdfe1d2e3 100644 --- a/app/controllers/repositories_controller.rb +++ b/app/controllers/repositories_controller.rb @@ -298,14 +298,14 @@ class RepositoriesController < ApplicationController end def import_records - render_403 unless can_create_repository_rows?(Repository.accessible_by_teams(current_team) + render_403 unless can_create_repository_rows?(Repository.viewable_by_user(current_user) .find_by(id: import_params[:id])) # Check if there exist mapping for repository record (it's mandatory) if import_params[:mappings].present? && import_params[:mappings].value?('-1') status = ImportRepository::ImportRecords .new( temp_file: TempFile.find_by(id: import_params[:file_id]), - repository: Repository.accessible_by_teams(current_team).find_by(id: import_params[:id]), + repository: Repository.viewable_by_user(current_user).find_by(id: import_params[:id]), mappings: import_params[:mappings], session: session, user: current_user, @@ -452,12 +452,12 @@ class RepositoriesController < ApplicationController def load_repository repository_id = params[:id] || params[:repository_id] - @repository = Repository.accessible_by_teams(current_user.teams).find_by(id: repository_id) + @repository = Repository.viewable_by_user(current_user).find_by(id: repository_id) render_404 unless @repository end def load_repositories - @repositories = Repository.accessible_by_teams(current_team) + @repositories = Repository.viewable_by_user(current_user) end def load_repositories_for_archiving diff --git a/app/controllers/repository_columns_controller.rb b/app/controllers/repository_columns_controller.rb index 7b6e640dc..707a6beb8 100644 --- a/app/controllers/repository_columns_controller.rb +++ b/app/controllers/repository_columns_controller.rb 
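Review bot: `RepositoriesController#load_repository` narrows its scope from `current_user.teams` to the scope's default of `current_user.current_team`, so a repository belonging to another team the user is a member of now yields 404 where it was previously loadable; the other `load_repository` methods in this patch were already current-team scoped, so this one changes behaviour beyond the permission check. If cross-team access by direct URL was intentional, keep the team set explicit: `@repository = Repository.viewable_by_user(current_user, current_user.teams).find_by(id: repository_id)`. In `import_records`, a repository that is filtered out yields `can_create_repository_rows?(nil)` and a 403 rather than the 404 the loaders use; that is pre-existing but worth aligning while here.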
@@ -107,7 +107,7 @@ class RepositoryColumnsController < ApplicationController AvailableRepositoryColumn = Struct.new(:id, :name) def load_repository - @repository = Repository.accessible_by_teams(current_team).find_by(id: params[:repository_id]) + @repository = Repository.viewable_by_user(current_user).find_by(id: params[:repository_id]) render_404 unless @repository end diff --git a/app/controllers/repository_row_connections_controller.rb b/app/controllers/repository_row_connections_controller.rb index 61e1c79b3..f3b3d998d 100644 --- a/app/controllers/repository_row_connections_controller.rb +++ b/app/controllers/repository_row_connections_controller.rb @@ -56,7 +56,7 @@ class RepositoryRowConnectionsController < ApplicationController end def repositories - repositories = Repository.accessible_by_teams(current_team) + repositories = Repository.viewable_by_user(current_user) .search_by_name_and_id(current_user, current_user.teams, params[:query]) .order(name: :asc) .page(params[:page] || 1) @@ -69,7 +69,7 @@ class RepositoryRowConnectionsController < ApplicationController end def repository_rows - selected_repository = Repository.accessible_by_teams(current_team).find(params[:selected_repository_id]) + selected_repository = Repository.viewable_by_user(current_user).find(params[:selected_repository_id]) repository_rows = selected_repository.repository_rows .where.not(id: @repository_row.id) 
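Review bot: `RepositoryRowConnectionsController#repositories` applies `viewable_by_user(current_user)` (default: the current team) and then `search_by_name_and_id(current_user, current_user.teams, params[:query])` with all of the user's teams, so the two filters disagree on the team set and the effective result is whichever is narrower. Pass one team set to both, e.g. `Repository.viewable_by_user(current_user).search_by_name_and_id(current_user, current_team, params[:query])`, so the intent is readable from the code.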
@@ -93,14 +93,14 @@ class RepositoryRowConnectionsController < ApplicationController return render_422(t('.invalid_params')) unless @relation_type - @connection_repository = Repository.accessible_by_teams(current_team) + @connection_repository = Repository.viewable_by_user(current_user) .find_by(id: connection_params[:connection_repository_id]) return render_404 unless @connection_repository return render_403 unless can_connect_repository_rows?(@connection_repository) end def load_repository - @repository = Repository.accessible_by_teams(current_team).find_by(id: params[:repository_id]) + @repository = Repository.viewable_by_user(current_user).find_by(id: params[:repository_id]) render_404 unless @repository end diff --git a/app/controllers/repository_rows_controller.rb b/app/controllers/repository_rows_controller.rb index a9c8b11e1..8bcf51962 100644 --- a/app/controllers/repository_rows_controller.rb +++ b/app/controllers/repository_rows_controller.rb @@ -358,14 +358,14 @@ class RepositoryRowsController < ApplicationController AvailableRepositoryRow = Struct.new(:id, :name, :has_file_attached) def load_repository - @repository = Repository.accessible_by_teams(current_team) + @repository = Repository.viewable_by_user(current_user) .eager_load(:repository_columns) .find_by(id: params[:repository_id]) render_404 unless @repository end def load_repository_or_snapshot - @repository = Repository.accessible_by_teams(current_team).find_by(id: params[:repository_id]) || + @repository = Repository.viewable_by_user(current_user).find_by(id: params[:repository_id]) || RepositorySnapshot.find_by(id: params[:repository_id]) return render_404 unless @repository end diff --git a/app/controllers/repository_table_filters_controller.rb b/app/controllers/repository_table_filters_controller.rb index 8ad3123c5..a5009529a 100644 --- a/app/controllers/repository_table_filters_controller.rb +++ b/app/controllers/repository_table_filters_controller.rb 
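Review bot: `RepositoryRowsController#load_repository_or_snapshot` tightens only the live branch; the fallback `RepositorySnapshot.find_by(id: params[:repository_id])` is unchanged and unscoped, so any snapshot id is loadable here unless a later `can_read_repository?` check (which this patch routes to `can_read_my_module?` for snapshots) runs on every action that uses this loader. If it does not, scope the fallback the same way `Project#assigned_readable_repositories_and_snapshots` does in this patch: `RepositorySnapshot.readable_by_user(current_user).find_by(id: params[:repository_id])`. I cannot see the `before_action` list from the hunk, so please confirm which actions rely on this loader.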
@@ -70,7 +70,7 @@ class RepositoryTableFiltersController < ApplicationController private def load_repository - @repository = Repository.accessible_by_teams(current_team).find_by(id: params[:repository_id]) + @repository = Repository.viewable_by_user(current_user).find_by(id: params[:repository_id]) render_403 unless can_read_repository?(@repository) end diff --git a/app/helpers/reports_helper.rb b/app/helpers/reports_helper.rb index 07e3eec42..4c340f320 100644 --- a/app/helpers/reports_helper.rb +++ b/app/helpers/reports_helper.rb @@ -47,7 +47,7 @@ module ReportsHelper return my_module.repository_snapshots.find_by(parent_id: repository.parent_id, selected: true) end - return nil unless my_module.assigned_repositories.exists?(id: repository.id) + return nil unless my_module.assigned_repositories.viewable_by_user(current_user).exists?(id: repository.id) selected_snapshot = repository.repository_snapshots.find_by(my_module: my_module, selected: true) selected_snapshot || repository @@ -106,14 +106,4 @@ module ReportsHelper experiment_element.experiment.description end end - - def assigned_to_report_repository_items(report, repository_name) - repository = Repository.accessible_by_teams(report.team).where(name: repository_name).take - return RepositoryRow.none if repository.blank? - - my_modules = MyModule.joins(:experiment) - .where(experiment: { project: report.project }) - .where(id: report.report_elements.my_module.select(:my_module_id)) - repository.repository_rows.joins(:my_modules).where(my_modules: my_modules) - end end diff --git a/app/jobs/team_zip_export_job.rb b/app/jobs/team_zip_export_job.rb index c8339bf4d..f9f6fa8f3 100644 --- a/app/jobs/team_zip_export_job.rb +++ b/app/jobs/team_zip_export_job.rb 
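Review bot: In `RepositoryTableFiltersController#load_repository` the `render_403 unless can_read_repository?(@repository)` line is now reachable only when `@repository` is nil, because the scope already enforces READ; passing nil into the Canaid predicate is at best a 403 for a non-existent id and may raise, depending on how the helper treats nil. Use the same guard as the other loaders in this patch, `render_404 unless @repository`, and drop the redundant predicate (or keep it after the nil guard if a second line of defence is wanted).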
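Review bot: `ReportsHelper` now resolves the repository with `viewable_by_user(current_user)`, whose default team is `current_user.current_team`, whereas `ReportActions::ReportContent` in the same patch passes `@report.team` explicitly; if this helper is invoked while the report's team is not the user's current team (report generation from a job or a team switch mid-session — I cannot tell from the hunk), the lookup returns nil and the repository silently disappears from the report. Tie the scope to the module's team instead: `my_module.assigned_repositories.viewable_by_user(current_user, my_module.experiment.project.team).exists?(id: repository.id)`.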
@@ -39,7 +39,7 @@ class TeamZipExportJob < ZipExportJob inventories = "#{project_path}/Inventories" FileUtils.mkdir_p(inventories) - repositories = project.assigned_repositories_and_snapshots + repositories = project.assigned_readable_repositories_and_snapshots(@user) # Iterate through every inventory repo and save it to CSV repositories.each_with_index do |repo, repo_idx| diff --git a/app/models/asset.rb b/app/models/asset.rb index a1c55770e..8c11a7494 100644 --- a/app/models/asset.rb +++ b/app/models/asset.rb @@ -74,7 +74,10 @@ class Asset < ApplicationRecord .pluck(:id) assets_in_inventories = Asset.joins(repository_cell: { repository_column: :repository }) - .where(repositories: { team: teams }) + .where(repositories: { + id: Repository.with_granted_permissions(user, RepositoryPermissions::READ).select(:id), + team_id: teams + }) .where.not(repositories: { type: 'RepositorySnapshot' }) .pluck(:id) diff --git a/app/models/my_module.rb b/app/models/my_module.rb index e1eea3c3a..6f6b3724a 100644 --- a/app/models/my_module.rb +++ b/app/models/my_module.rb @@ -177,14 +177,12 @@ class MyModule < ApplicationRecord end def assigned_repositories - team = experiment.project.team - Repository.accessible_by_teams(team) - .joins(repository_rows: :my_module_repository_rows) + Repository.joins(repository_rows: :my_module_repository_rows) .where(my_module_repository_rows: { my_module_id: id }) .group(:id) end - def live_and_snapshot_repositories_list + def readable_live_and_snapshot_repositories_list(user, team = user.current_team) snapshots = repository_snapshots.left_outer_joins(:original_repository) selected_snapshots = snapshots.where(selected: true) 
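Review bot: The new `Asset` predicate pairs `id: Repository.with_granted_permissions(user, RepositoryPermissions::READ).select(:id)` with `team_id: teams`, and `repositories.team_id` is the owning team, so repositories shared into `teams` via `team_shared_objects` (which `Repository.viewable_by_user` admits) drop out of the asset search; `RepositoryRow.search` in this patch uses the same pair, and its previous version matched on the assignment's `team_id` rather than the repository's, so this is a behaviour change for shared inventories in both places. If shared repositories should remain searchable, express the filter through the one scope that encodes the rule: `.where(repositories: { id: Repository.viewable_by_user(user, teams).select(:id) })`. The same applies to `app/models/repository_row.rb` further down.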
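Review bot: `MyModule#readable_live_and_snapshot_repositories_list(user, team = user.current_team)` replaces the previous `experiment.project.team` scoping with the caller's current team, so a module viewed while a different team is current (or with a nil user) is scoped to the wrong team or raises in the default argument. Defaulting to the module's own team keeps the scope tied to the data and tolerates a nil user: `def readable_live_and_snapshot_repositories_list(user, team = experiment.project.team)`. Note also that `assigned_repositories` is now completely unscoped by team or permission; any caller outside this diff that relied on the old team restriction now sees every team's repositories, so its other call sites should be checked.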
@@ -197,6 +195,7 @@ class MyModule < ApplicationRecord .order(:parent_id, updated_at: :desc) live_repositories = assigned_repositories + .viewable_by_user(user, team) .select('repositories.*, COUNT(DISTINCT repository_rows.id) AS assigned_rows_count') .where.not(id: repository_snapshots.where(selected: true).select(:parent_id)) diff --git a/app/models/project.rb b/app/models/project.rb index 0d04cb56b..6b6c5a027 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -201,9 +201,9 @@ class Project < ApplicationRecord st end - def assigned_repositories_and_snapshots - live_repositories = Repository.assigned_to_project(self) - snapshots = RepositorySnapshot.assigned_to_project(self) + def assigned_readable_repositories_and_snapshots(user) + live_repositories = Repository.assigned_to_project(self).readable_by_user(user) + snapshots = RepositorySnapshot.assigned_to_project(self).readable_by_user(user) (live_repositories + snapshots).sort_by { |r| r.name.downcase } end diff --git a/app/models/protocol.rb b/app/models/protocol.rb index a1a69b3d8..46156dc67 100644 --- a/app/models/protocol.rb +++ b/app/models/protocol.rb @@ -255,11 +255,8 @@ class Protocol < ApplicationRecord def self.viewable_by_user_my_module_protocols(user, teams) distinct.joins(:my_module) - .joins("INNER JOIN user_assignments my_module_user_assignments " \ - "ON my_module_user_assignments.assignable_type = 'MyModule' " \ - "AND my_module_user_assignments.assignable_id = my_modules.id") - .where(my_module_user_assignments: { user_id: user }) - .where(team: teams) + .where(my_modules: MyModule.with_granted_permissions(user, MyModulePermissions::READ) + .where(user_assignments: { team: teams })) end def self.filter_by_teams(teams = []) diff --git a/app/models/report.rb b/app/models/report.rb index 35ddf5729..0d1fbc97d 100644 --- a/app/models/report.rb +++ b/app/models/report.rb 
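Review bot: `Project#assigned_readable_repositories_and_snapshots` calls `readable_by_user(user)` on both `Repository` and `RepositorySnapshot`, but that scope is not defined in this patch; if it comes from a shared permission concern keyed on the record's own user assignments, the snapshot half disagrees with `app/permissions/repository.rb` in this patch, which derives snapshot READ from `can_read_my_module?`. Please confirm snapshots carry assignments equivalent to their module's, or filter snapshots through the module instead. Separately, `Repository.assigned_to_project` lost its `accessible_by_teams` guard, so `readable_by_user` is now its only filter here and any other caller of `assigned_to_project` gets unscoped results.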
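Review bot: `Protocol.viewable_by_user_my_module_protocols` chains `.where(user_assignments: { team: teams })` onto `MyModule.with_granted_permissions(...)`, which only works if that scope joins `user_assignments` under exactly that table name rather than through a subquery or alias; if it does not, the clause either raises or filters nothing. `Result` in this patch repeats the same construction. A single `MyModule` scope, e.g. `scope :readable_by_user_in_teams, ->(user, teams) { with_granted_permissions(user, MyModulePermissions::READ).where(user_assignments: { team: teams }) }`, would keep the assumption in one place and make both call sites `.where(my_modules: MyModule.readable_by_user_in_teams(user, teams))`.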
@@ -103,7 +103,7 @@ class Report < ApplicationRecord def self.generate_whole_project_report(project, current_user, current_team) content = { 'experiments' => [], - 'repositories' => project.assigned_repositories_and_snapshots.pluck(:id) + 'repositories' => project.assigned_readable_repositories_and_snapshots(current_user).pluck(:id) } project.experiments.includes(:my_modules).find_each do |experiment| content['experiments'].push( diff --git a/app/models/repository.rb b/app/models/repository.rb index 8cca5c0f3..2b9e58be3 100644 --- a/app/models/repository.rb +++ b/app/models/repository.rb 
@@ -48,21 +48,23 @@ class Repository < RepositoryBase scope :archived, -> { where(archived: true) } scope :globally_shared, -> { where(permission_level: %i(shared_read shared_write)) } - scope :accessible_by_teams, lambda { |teams| - accessible_repositories = left_outer_joins(:team_shared_objects) - accessible_repositories = - accessible_repositories + scope :viewable_by_user, lambda { |user, teams = user.current_team| + readable_repositories = joins(user_assignments: :user_role) + .left_outer_joins(:team_shared_objects) + readable_repositories = + readable_repositories + .where(user_assignments: { user: user }) + .where('? = ANY(user_roles.permissions)', RepositoryPermissions::READ) .where(team: teams) - .or(accessible_repositories.where(team_shared_objects: { team: teams })) - .or(accessible_repositories + .or(readable_repositories.where(team_shared_objects: { team: teams })) + .or(readable_repositories .where(permission_level: [Extends::SHARED_OBJECTS_PERMISSION_LEVELS[:shared_read], Extends::SHARED_OBJECTS_PERMISSION_LEVELS[:shared_write]])) - accessible_repositories.distinct + readable_repositories.distinct } scope :assigned_to_project, lambda { |project| - accessible_by_teams(project.team) - .joins(repository_rows: { my_module_repository_rows: { my_module: { experiment: :project } } }) + joins(repository_rows: { my_module_repository_rows: { my_module: { experiment: :project } } }) .where(repository_rows: { my_module_repository_rows: { my_module: { experiments: { project: project } } } }) } @@ -151,10 +153,6 @@ class Repository < RepositoryBase team_shared_objects.where(team: team, permission_level: :shared_write).any? end - def self.viewable_by_user(_user, teams) - accessible_by_teams(teams) - end - def self.name_like(query) where('repositories.name ILIKE ?', "%#{query}%") end diff --git a/app/models/repository_row.rb b/app/models/repository_row.rb index 923164d0f..9cbf93f32 100644 --- a/app/models/repository_row.rb +++ b/app/models/repository_row.rb 
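Review bot: In `viewable_by_user`, the `user_assignments.user` and `READ = ANY(user_roles.permissions)` predicates are applied only to the first disjunct; the `.or(readable_repositories.where(team_shared_objects: { team: teams }))` and `.or(...permission_level...)` branches are built from the bare join, so a team-shared or globally shared repository is returned for any user as long as some assignment row exists on it, and the third branch is not restricted to `teams` at all. At the same time `app/permissions/repository.rb` in this patch drops `shared_with?` and requires `permission_granted?`, so the list scope and the `can_read_repository?` predicate now disagree for shared repositories unless sharing also creates assignments in the receiving team. If READ is meant to apply uniformly, put the assignment predicates on the base relation so every disjunct inherits them:

```ruby
scope :viewable_by_user, lambda { |user, teams = user.current_team|
  readable_repositories = joins(user_assignments: :user_role)
                          .left_outer_joins(:team_shared_objects)
                          .where(user_assignments: { user: user })
                          .where('? = ANY(user_roles.permissions)', RepositoryPermissions::READ)
  readable_repositories
    .where(team: teams)
    .or(readable_repositories.where(team_shared_objects: { team: teams }))
    .or(readable_repositories.where(permission_level: [Extends::SHARED_OBJECTS_PERMISSION_LEVELS[:shared_read],
                                                        Extends::SHARED_OBJECTS_PERMISSION_LEVELS[:shared_write]]))
    .distinct
}
```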
@@ -125,18 +125,17 @@ class RepositoryRow < ApplicationRecord def self.search(user, include_archived, query = nil, - _current_team = nil, + current_team = nil, options = {}) teams = options[:teams] || current_team || user.teams.select(:id) searchable_row_fields = [RepositoryRow::PREFIXED_ID_SQL, 'repository_rows.name', 'users.full_name'] - readable_rows = distinct.joins(:repository, :created_by) - .joins("INNER JOIN user_assignments repository_user_assignments " \ - "ON repository_user_assignments.assignable_type = 'RepositoryBase' " \ - "AND repository_user_assignments.assignable_id = repositories.id") - .where(repository_user_assignments: { user_id: user, team_id: teams }) - + readable_rows = + distinct + .joins(:repository, :created_by) + .where(repositories: { id: Repository.with_granted_permissions(user, RepositoryPermissions::READ).select(:id), + team_id: teams }) readable_rows = readable_rows.active unless include_archived repository_rows = readable_rows.where_attributes_like_boolean(searchable_row_fields, query, options) diff --git a/app/models/result.rb b/app/models/result.rb index 95e3a9150..5df4fa375 100644 --- a/app/models/result.rb +++ b/app/models/result.rb @@ -47,10 +47,8 @@ class Result < ApplicationRecord new_query = left_joins(:result_comments, :result_texts, result_tables: :table) .joins(:my_module) - .joins("INNER JOIN user_assignments my_module_user_assignments " \ - "ON my_module_user_assignments.assignable_type = 'MyModule' " \ - "AND my_module_user_assignments.assignable_id = my_modules.id") - .where(my_module_user_assignments: { user_id: user, team_id: teams }) + .where(my_modules: MyModule.with_granted_permissions(user, MyModulePermissions::READ) + .where(user_assignments: { team: teams })) unless include_archived new_query = new_query.joins(my_module: { experiment: :project }) diff --git a/app/models/user.rb b/app/models/user.rb index 27470c04d..271797bee 100644 --- a/app/models/user.rb +++ b/app/models/user.rb 
@@ -374,7 +374,7 @@ class User < ApplicationRecord end def current_team - Team.find_by_id(self.current_team_id) + @current_team ||= teams.find_by(id: current_team_id) end def permission_team=(team) diff --git a/app/permissions/repository.rb b/app/permissions/repository.rb index f65997154..338376c8a 100644 --- a/app/permissions/repository.rb +++ b/app/permissions/repository.rb @@ -6,7 +6,7 @@ Canaid::Permissions.register_for(RepositoryBase) do if repository.is_a?(RepositorySnapshot) can_read_my_module?(user, repository.my_module) else - user.teams.include?(repository.team) || repository.shared_with?(user.current_team) + repository.permission_granted?(user, RepositoryPermissions::READ) end end diff --git a/app/services/activities_service.rb b/app/services/activities_service.rb index 26d4af806..d966ce43d 100644 --- a/app/services/activities_service.rb +++ b/app/services/activities_service.rb 
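Review bot: `User#current_team` now memoizes into `@current_team`, but nothing in the hunk invalidates it when `current_team_id` changes on the same instance, so a team switch (or the `permission_team=` setter visible just below, if it touches the id) within one request keeps returning the old team — and with the permission scopes defaulting to `user.current_team`, a stale value silently evaluates READ against the wrong team. Keying the cache on the id avoids that: `@current_team = teams.find_by(id: current_team_id) unless @current_team&.id == current_team_id`. Restricting the lookup to `teams` (instead of `Team.find_by_id`) is a good tightening and should stay.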
@@ -5,15 +5,24 @@ class ActivitiesService # Create condition for view permissions checking first visible_teams = user.teams.where(id: teams) visible_projects = Project.viewable_by_user(user, visible_teams) + visible_repositories = Repository.viewable_by_user(user, visible_teams) visible_by_teams = Activity.where(project: nil, team_id: visible_teams.select(:id)) + .where.not(subject_type: %w(RepositoryBase RepositoryRow)) .order(created_at: :desc) + visible_by_repositories = Activity.where(subject_type: %w(RepositoryBase RepositoryRow), + subject_id: visible_repositories.select(:id)) + .order(created_at: :desc) visible_by_projects = Activity.where(project_id: visible_projects.select(:id)) .order(created_at: :desc) - query = Activity.from("((#{visible_by_teams.to_sql}) UNION ALL (#{visible_by_projects.to_sql})) AS activities") + query = Activity.from( + "((#{visible_by_teams.to_sql}) UNION ALL " \ + "(#{visible_by_repositories.to_sql}) UNION ALL " \ + "(#{visible_by_projects.to_sql})) AS activities" + ) if filters[:subjects].present? - subjects_with_children = load_subjects_children(filters[:subjects]) + subjects_with_children = load_subjects_children(filters[:subjects], user, teams) where_condition = subjects_with_children.to_h.map { '(subject_type = ? AND subject_id IN(?))' }.join(' OR ') where_arguments = subjects_with_children.to_h.flatten if subjects_with_children[:my_module] @@ -45,7 +54,7 @@ class ActivitiesService .without_count end - def self.load_subjects_children(subjects = {}) + def self.load_subjects_children(subjects = {}, user = nil, teams = nil) Extends::ACTIVITY_SUBJECT_CHILDREN.each do |subject_name, children| subject_name = subject_name.to_s.camelize next unless children && subjects[subject_name] 
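Review bot: `visible_by_repositories` filters `subject_type: %w(RepositoryBase RepositoryRow)` with `subject_id: visible_repositories.select(:id)`, but for `RepositoryRow` activities `subject_id` is a row id, not a repository id, so row activities are kept or dropped by an accidental id collision with a readable repository; combined with the new `where.not` on `visible_by_teams`, most row activities vanish from the feed and a few unrelated ones leak in. The two subject types need separate id sets (I'm assuming `RepositoryRow` has a `repository` association, as used elsewhere in this patch). Whether snapshot activities are stored under `RepositoryBase` and should also match `visible_repositories` is not visible from the hunk.

```ruby
visible_by_repositories =
  Activity.where(subject_type: 'RepositoryBase', subject_id: visible_repositories.select(:id))
          .or(Activity.where(subject_type: 'RepositoryRow',
                             subject_id: RepositoryRow.where(repository: visible_repositories).select(:id)))
          .order(created_at: :desc)
# … unchanged: visible_by_projects and the UNION ALL query …
```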
@@ -55,19 +64,23 @@ class ActivitiesService child_model = parent_model.reflect_on_association(child).class_name.to_sym next if subjects[child_model] - if subject_name == 'Result' - parent_model = parent_model.with_discarded - end + parent_model = parent_model.with_discarded if subject_name == 'Result' - if child == :results - subjects[child_model] = parent_model.where(id: subjects[subject_name]) - .joins(:results_include_discarded) - .pluck('results.id') - else - subjects[child_model] = parent_model.where(id: subjects[subject_name]) - .joins(child) - .pluck("#{child.to_s.pluralize}.id") - end + subjects[child_model] = + case child + when :results + parent_model.where(id: subjects[subject_name]) + .joins(:results_include_discarded) + .pluck('results.id') + when :repositories + parent_model.viewable_by_user(user, teams) + .where(id: subjects[subject_name]) + .pluck('repositories.id') + else + parent_model.where(id: subjects[subject_name]) + .joins(child) + .pluck("#{child.to_s.pluralize}.id") + end end end diff --git a/app/services/report_actions/report_content.rb b/app/services/report_actions/report_content.rb index 8ca49db4f..5dee86ff0 100644 --- a/app/services/report_actions/report_content.rb +++ b/app/services/report_actions/report_content.rb @@ -81,7 +81,7 @@ module ReportActions my_module_element = save_element!({ 'my_module_id' => my_module.id }, :my_module, experiment_element) - my_module.live_and_snapshot_repositories_list.each do |repository| + my_module.readable_live_and_snapshot_repositories_list(@user, @report.team).each do |repository| next unless @repositories.include?(repository.parent_id || repository.id) save_element!( diff --git a/app/services/report_actions/save_pdf_to_inventory_item.rb b/app/services/report_actions/save_pdf_to_inventory_item.rb index 0343f0230..88b1e1a90 100644 --- a/app/services/report_actions/save_pdf_to_inventory_item.rb +++ b/app/services/report_actions/save_pdf_to_inventory_item.rb 
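Review bot: The new `when :repositories` branch calls `parent_model.viewable_by_user(user, teams)` and plucks `repositories.id`, which only makes sense if the parent of `:repositories` in `Extends::ACTIVITY_SUBJECT_CHILDREN` is `Repository` itself (or defines a compatible scope); if the parent is `Team`, the scope does not exist and the pluck targets a table that is not joined. The defaults `user = nil, teams = nil` on `load_subjects_children` also mean any caller that omits them reaches `viewable_by_user(nil, nil)` and silently gets an empty id list rather than an error; since this patch updates the only visible caller to pass both, consider making them required parameters. The enclosing `each` block starts before this hunk.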
@@ -33,7 +33,7 @@ module ReportActions include Canaid::Helpers::PermissionsHelper def load_repository_collaborators - @repository = Repository.active.accessible_by_teams(@team).find_by(id: @params[:repository_id]) + @repository = Repository.active.viewable_by_user(@user, @team).find_by(id: @params[:repository_id]) unless can_create_repository_rows?(@user, @repository) raise ReportActions::RepositoryPermissionError, I18n.t('projects.reports.new.no_permissions') end diff --git a/app/services/smart_annotations/permission_eval.rb b/app/services/smart_annotations/permission_eval.rb index f9110d9e5..5f4eb209d 100644 --- a/app/services/smart_annotations/permission_eval.rb +++ b/app/services/smart_annotations/permission_eval.rb @@ -25,7 +25,7 @@ module SmartAnnotations def validate_rep_item_permissions(user, team, object) if object.repository - return Repository.accessible_by_teams(team).find_by(id: object.repository_id).present? && + return Repository.viewable_by_user(user, team).find_by(id: object.repository_id).present? && can_read_repository?(user, object.repository) end diff --git a/app/views/shareable_links/my_module_protocol_show.html.erb b/app/views/shareable_links/my_module_protocol_show.html.erb index 6e1d46ec6..3c9caf7a3 100644 --- a/app/views/shareable_links/my_module_protocol_show.html.erb +++ b/app/views/shareable_links/my_module_protocol_show.html.erb @@ -57,7 +57,7 @@ - <% assigned_repositories = @my_module.live_and_snapshot_repositories_list %> + <% assigned_repositories = @my_module.readable_live_and_snapshot_repositories_list(current_user) %>