fix access to public reports [fixes SCI-2340]

2025-02-27 09:13:46 +08:00 · 2018-05-21 14:45:18 +02:00 · 2018-05-21 14:45:18 +02:00 · ba2aafae39
commit ba2aafae39
parent 43d19b1d8f
4 changed files with 24 additions and 16 deletions
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@ -478,11 +478,9 @@ class ReportsController < ApplicationController

  def load_visible_projects
    render_404 unless current_team
-    projects = current_team.projects.visible_by(current_user)
-                                    .where('projects.name ILIKE ?',
-                                           "%#{search_params[:q]}%")
-                                    .limit(Constants::SEARCH_LIMIT)
-                                    .select(:id, :name)
+    projects = current_team.projects.visible_from_user_by_name(
+      current_user, current_team, search_params[:q]
+    ).limit(Constants::SEARCH_LIMIT).select(:id, :name)
    @visible_projects = projects.collect do |project|
      VisibleProject.new(new_project_reports_path(project),
                         ellipsize(project.name, 75, 50))
--- a/app/models/project.rb
+++ b/app/models/project.rb
@ -42,11 +42,17 @@ class Project < ApplicationRecord
    Views::Datatables::DatatablesReport.refresh_materialized_view
  end

-  scope :visible_by, -> (user) {
-    joins(:user_projects).where(
-      'user_projects.user_id = ? AND projects.archived = false', user.id
-    )
-  }
+  def self.visible_from_user_by_name(user, team, name)
+    if user.is_admin_of_team? team
+      return where('projects.archived IS FALSE AND projects.name ILIKE ?',
+                   "%#{name}%")
+    elsif user.is_normal_user_of_team? team
+      return joins(:user_projects)
+        .where('user_projects.user_id = ? OR projects.visibility = 1', user.id)
+        .where('projects.archived IS FALSE AND projects.name ILIKE ?',
+               "%#{name}%")
+    end
+  end

  def self.search(
    user,
--- a/app/models/views/datatables/datatables_report.rb
+++ b/app/models/views/datatables/datatables_report.rb
@ -33,20 +33,20 @@ module Views

        private

-        PermissionItem = Struct.new(:report_id, :users_ids)
+        PermissionItem = Struct.new(:report_id, :users_ids, :visibility)

        def tokenize(items)
          items.collect do |item|
-            PermissionItem.new(item[0], item[1])
+            PermissionItem.new(item[0], item[1], item[2])
          end
        end

        def get_permitted_by_team_tokenized
-          tokenize(pluck(:id, :users_with_team_read_permissions))
+          tokenize(pluck(:id, :users_with_team_read_permissions, :project_visibility))
        end

        def get_permitted_by_project_tokenized
-          tokenize(pluck(:id, :users_with_project_read_permissions))
+          tokenize(pluck(:id, :users_with_project_read_permissions, :project_visibility))
        end

        def get_by_project_item(permitted_by_project, item)
@ -68,11 +68,15 @@ module Views
          permitted_by_team.each do |item|
            next unless user.id.in? item.users_ids
            by_project = get_by_project_item(permitted_by_project, item)
-            next unless user.id.in? by_project.users_ids
+            next unless user_can_view?(user, by_project)
            allowed_ids << item.report_id
          end
          allowed_ids
        end
+
+        def user_can_view?(user, by_project)
+          user.id.in?(by_project.users_ids) || by_project.visibility == 1
+        end
      end
    end
  end
--- a/spec/models/views/datatables/datatables_report_spec.rb
+++ b/spec/models/views/datatables/datatables_report_spec.rb
@ -71,7 +71,7 @@ RSpec.describe Views::Datatables::DatatablesReport, type: :model do
                      name: 'report two'
    end

-    it 'returns the reports ' do
+    it 'returns the reports' do
      reports = team.datatables_reports.visible_by(user, team)
      expect(reports.length).to eq 1
      expect(reports.first.id).to eq report_one.id