diff --git a/app/controllers/access_permissions/base_controller.rb b/app/controllers/access_permissions/base_controller.rb
index 4ec24c8dc..c5f4471f5 100644
--- a/app/controllers/access_permissions/base_controller.rb
+++ b/app/controllers/access_permissions/base_controller.rb
@@ -117,11 +117,11 @@ module AccessPermissions
 private
 def model_parameter
- @model.class.name.parameterize.to_sym
+ @model.class.permission_class.name.parameterize.to_sym
 end
 def manage_permission_constant
- "#{@model.class.name}Permissions::USERS_MANAGE".constantize
+ "#{@model.class.permission_class.name}Permissions::USERS_MANAGE".constantize
 end
 def permitted_default_public_user_role_params
@@ -181,7 +181,7 @@ module AccessPermissions
 when :team
 @assignment = @model.team_assignments
- .find_or_initialize_by(team: current_team, assignable_id: @model.id, assignable_type: @model.class.name)
+ .find_or_initialize_by(team: current_team, assignable: @model)
 end
 end
diff --git a/app/models/concerns/permission_checkable_model.rb b/app/models/concerns/permission_checkable_model.rb
index a6e5bad33..e6787bb38 100644
--- a/app/models/concerns/permission_checkable_model.rb
+++ b/app/models/concerns/permission_checkable_model.rb
@@ -6,9 +6,9 @@ module PermissionCheckableModel
 included do
 include PermissionExtends
- scope :with_granted_permissions, lambda { |user, permissions|
+ scope :with_granted_permissions, lambda { |user, permissions, teams = user.permission_team|
 with_user_assignments = joins(user_assignments: :user_role)
- .where(user_assignments: { user: user, team: user.permission_team })
+ .where(user_assignments: { user: user, team: teams })
 # direct user assignments take precedence over group assignments, thus skipping objects that already have user assignments.
 with_group_assignments = left_outer_joins(user_group_assignments: [:user_role, { user_group: :users }], team_assignments: :user_role)
 .where.not(id: with_user_assignments)
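Review bot: `model_parameter` and `manage_permission_constant` now depend on `@model.class.permission_class`, a method the old `name`-based form did not need, so any model routed through this controller without `PermissionCheckableModel` (or its own definition, as RepositoryBase adds one) would raise NoMethodError where it previously worked. It is not clear from the hunk that every model this controller serves includes the concern; a short comment on `model_parameter` would make the dependency explicit, e.g. `# permission_class (PermissionCheckableModel) lets model variants share one *Permissions namespace`. The constantized name is derived from a class, not from request input, so the `constantize` call itself does not widen the attack surface; a missing `*Permissions::USERS_MANAGE` constant would surface as NameError at call time.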
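Review bot: Replacing `assignable_id:`/`assignable_type: @model.class.name` with `assignable: @model` changes the `assignable_type` value Rails queries and stores: for a polymorphic association it uses the model's polymorphic name (the STI base class by default), whereas the removed line used the concrete class name. If any `team_assignments` rows were written with a subclass name, `find_or_initialize_by` will no longer match them and will initialize a second assignment for the same team; confirm existing data or add a data fix before relying on this. The enclosing `case`/method starts outside the hunk, so the other `when` branches are not visible here.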
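Review bot: The new `teams` parameter on `with_granted_permissions` is undocumented, and since this scope is the read-authorization gate for several models its contract deserves a comment above the `scope` line. Worth stating that the lambda still ANDs `user: user` with `team: teams` on the assignment rows, so passing teams the user is not assigned in narrows the result rather than widening it, and that a `nil` `teams` (a user without a permission team) yields no rows; e.g. `# teams: a team or collection of teams whose assignments are honoured; defaults to user.permission_team`. The lambda body continues past the end of this hunk.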
@@ -19,15 +19,20 @@ module PermissionCheckableModel
 .where('user_roles.permissions @> ARRAY[?]::varchar[]', permissions)
 .or(
 with_group_assignments
- .where(team_assignments: { assignable: self, team: user.permission_team })
+ .where(team_assignments: { assignable: self, team: teams })
 .where('user_roles_team_assignments.permissions @> ARRAY[?]::varchar[]', permissions)
 )
 .distinct
+
 where(id: with_granted_user_permissions.select(:id))
 .or(where(id: with_granted_group_permissions.select(:id)))
 }
 end
+ def self.permission_class
+ self
+ end
+
 def permission_granted?(user, permission)
 return true if user_assignments.joins(:user_role)
 .where(user: user, team: user.permission_team)
diff --git a/app/models/concerns/shareable.rb b/app/models/concerns/shareable.rb
index 197e2d173..85aeea6fe 100644
--- a/app/models/concerns/shareable.rb
+++ b/app/models/concerns/shareable.rb
@@ -27,7 +27,7 @@ module Shareable
 end
 scope :viewable_by_user, lambda { |user, teams = user.current_team|
- readable_ids = readable_by_user(user).where(team: teams).pluck(:id)
+ readable_ids = with_granted_permissions(user, "#{permission_class.name}Permissions::READ".constantize, teams).pluck(:id)
 shared_with_team_ids = joins(:team_shared_objects, :team).where(team_shared_objects: { team: teams }).pluck(:id)
 globally_shared_ids = if column_names.include?('permission_level')
diff --git a/app/models/experiment.rb b/app/models/experiment.rb
index f2c7081ab..6afc0c092 100644
--- a/app/models/experiment.rb
+++ b/app/models/experiment.rb
@@ -82,8 +82,7 @@ class Experiment < ApplicationRecord
 end
 def self.viewable_by_user(user, teams)
- joins(:user_assignments).with_granted_permissions(user, ExperimentPermissions::READ)
- .where(user_assignments: { team: teams })
+ with_granted_permissions(user, ExperimentPermissions::READ, teams)
 end
 def self.with_children_viewable_by_user(user)
diff --git a/app/models/my_module.rb b/app/models/my_module.rb
index 738e50e06..47cffeca6 100644
--- a/app/models/my_module.rb
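Review bot: The new `self.permission_class` is an extension hook with no documentation, yet both the controller helpers and `Shareable.viewable_by_user` build `*Permissions` constant names from it, so an override that returns the wrong class silently changes which permission set is consulted. A YARD comment above it would pin the contract, e.g. `# @return [Class] the model whose *Permissions constants and assignments authorize records of this class; override (see RepositoryBase) when variants share another model's permissions`. Note also that the `teams` argument now reaches `team_assignments: { assignable: self, team: teams }`, so the same team-narrowing applies to group/team grants as to direct user grants; the lambda head and the end of `permission_granted?` lie outside this hunk.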
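Review bot: `readable_ids` changes meaning in the new line: the removed code filtered on the record's own `team` column (`.where(team: teams)`), while `with_granted_permissions(user, ..., teams)` filters on the team of the user's assignment, so a record owned by another team can now appear in `readable_ids` whenever the user holds an assignment on it within `teams`. If that is intended, a comment on the line saying so would prevent it being "fixed" back; if not, the old `.where(team: teams)` needs to be re-applied. The `"#{permission_class.name}Permissions::READ".constantize` input is class-derived rather than request-derived, so it is not a user-controlled `constantize`, but a model lacking that constant fails with NameError only at query time. The scope body continues outside the hunk.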
+++ b/app/models/my_module.rb
@@ -130,8 +130,7 @@ class MyModule < ApplicationRecord
 end
 def self.viewable_by_user(user, teams)
- with_granted_permissions(user, MyModulePermissions::READ)
- .where(user_assignments: { team: teams })
+ with_granted_permissions(user, MyModulePermissions::READ, teams)
 end
 def self.filter_by_teams(teams = [])
diff --git a/app/models/project.rb b/app/models/project.rb
index 804284441..2d166de44 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -77,10 +77,7 @@ class Project < ApplicationRecord
 if team.permission_granted?(user, TeamPermissions::MANAGE)
 where(team: team)
 else
- where(team: team)
- .left_outer_joins(user_assignments: :user_role)
- .where(user_assignments: { user: user })
- .where('? = ANY(user_roles.permissions)', ProjectPermissions::READ)
+ viewable_by_user(user, team)
 end
 end)
@@ -104,9 +101,7 @@ class Project < ApplicationRecord
 end
 def self.viewable_by_user(user, teams)
- joins(user_assignments: :user_role)
- .where(team: teams)
- .with_granted_permissions(user, ProjectPermissions::READ)
+ with_granted_permissions(user, ProjectPermissions::READ, teams)
 .distinct
 end
diff --git a/app/models/repository_base.rb b/app/models/repository_base.rb
index 95190312e..3f61ec831 100644
--- a/app/models/repository_base.rb
+++ b/app/models/repository_base.rb
@@ -27,6 +27,10 @@ class RepositoryBase < ApplicationRecord
 # Not discarded
 default_scope -> { kept }
+ def self.permission_class
+ Repository
+ end
+
 def self.stock_management_enabled?
 ApplicationSettings.instance.values['stock_management_enabled']
 end
diff --git a/app/serializers/lists/repository_serializer.rb b/app/serializers/lists/repository_serializer.rb
index aeef234b4..ddf652775 100644
--- a/app/serializers/lists/repository_serializer.rb
+++ b/app/serializers/lists/repository_serializer.rb
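Review bot: The `else` branch now delegates to `viewable_by_user(user, team)`, and the removed lines show what that widens: they honoured only direct `user_assignments` rows, whereas `with_granted_permissions` (the body `viewable_by_user` now wraps) also admits user-group and team assignments. That looks like the intent of the commit, but nothing in the hunk records it, and this scope is the project-visibility gate for non-managers; a one-line comment such as `# non-managers see projects readable via user, group or team assignments in this team` would keep the next reader from narrowing it back. Also, the old branch filtered on the project's own `team` column while the new one filters on the assignment's team, which is only equivalent if assignments are always created in the owning team. The `scope` head is outside the hunk.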
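Review bot: The trailing `.distinct` kept after `with_granted_permissions(user, ProjectPermissions::READ, teams)` appears redundant now that the joins it guarded against are gone: the scope's visible tail is `where(id: ...).or(where(id: ...))`, an id subselect on the projects table itself, which cannot duplicate rows. Dropping it would make `Project.viewable_by_user` read the same as the Experiment and MyModule versions in this commit, which already omit it; if some caller chains further joins and relies on it, a comment saying so is preferable to an unexplained `.distinct`.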
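Review bot: `RepositoryBase.permission_class` returning `Repository` is the only non-identity override in this commit and carries no comment, so a reader of this file cannot tell why a base class delegates authorization to one of its descendants or what else (controller parameter names, `*Permissions` constant lookup, `viewable_by_user`) keys off it. Suggested comment above the method: `# All repository variants are authorized through Repository's permission constants and assignments rather than their own class name`. Referencing a subclass constant from the base class is safe here only because it is resolved at call time; worth noting if RepositoryBase is ever autoloaded without Repository.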
@@ -7,7 +7,7 @@ module Lists
 include ShareableSerializer
 attributes :name, :code, :nr_of_rows, :team, :created_at, :created_by, :archived_on, :archived_by,
- :urls, :top_level_assignable, :assigned_users, :permissions
+ :urls, :top_level_assignable, :default_public_user_role_id, :assigned_users, :permissions
 def nr_of_rows
 object[:repository_rows_count]
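Review bot: `:default_public_user_role_id` is added to the list serializer unconditionally, so every caller who can list repositories now sees the access-policy setting of each one, not only users who hold the manage permission the controller hunk checks via `USERS_MANAGE`. A role id is low-sensitivity on its own, but it reveals how each repository is shared by default; if it exists only to drive the access-management UI, consider exposing it only when the requester may manage access, or document in a comment why it is safe to show to all readers. Whether the attribute is read from the record or from a computed hash like `object[:repository_rows_count]` is not visible in this hunk.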