fix access to public reports [fixes SCI-2340]

app/controllers/reports_controller.rb

@@ -478,11 +478,9 @@ class ReportsController < ApplicationController
 
   def load_visible_projects
     render_404 unless current_team
-    projects = current_team.projects.visible_by(current_user)
-                                    .where('projects.name ILIKE ?',
-                                           "%#{search_params[:q]}%")
-                                    .limit(Constants::SEARCH_LIMIT)
-                                    .select(:id, :name)
+    projects = current_team.projects.visible_from_user_by_name(
+      current_user, current_team, search_params[:q]
+    ).limit(Constants::SEARCH_LIMIT).select(:id, :name)
     @visible_projects = projects.collect do |project|
       VisibleProject.new(new_project_reports_path(project),
                          ellipsize(project.name, 75, 50))

app/models/project.rb

@@ -42,11 +42,17 @@ class Project < ApplicationRecord
     Views::Datatables::DatatablesReport.refresh_materialized_view
   end
 
-  scope :visible_by, -> (user) {
-    joins(:user_projects).where(
-      'user_projects.user_id = ? AND projects.archived = false', user.id
-    )
-  }
+  def self.visible_from_user_by_name(user, team, name)
+    if user.is_admin_of_team? team
+      return where('projects.archived IS FALSE AND projects.name ILIKE ?',
+                   "%#{name}%")
+    elsif user.is_normal_user_of_team? team
+      return joins(:user_projects)
+        .where('user_projects.user_id = ? OR projects.visibility = 1', user.id)
+        .where('projects.archived IS FALSE AND projects.name ILIKE ?',
+               "%#{name}%")
+    end
+  end
 
   def self.search(
     user,

app/models/views/datatables/datatables_report.rb

@@ -33,20 +33,20 @@ module Views
 
         private
 
-        PermissionItem = Struct.new(:report_id, :users_ids)
+        PermissionItem = Struct.new(:report_id, :users_ids, :visibility)
 
         def tokenize(items)
           items.collect do |item|
-            PermissionItem.new(item[0], item[1])
+            PermissionItem.new(item[0], item[1], item[2])
           end
         end
 
         def get_permitted_by_team_tokenized
-          tokenize(pluck(:id, :users_with_team_read_permissions))
+          tokenize(pluck(:id, :users_with_team_read_permissions, :project_visibility))
         end
 
         def get_permitted_by_project_tokenized
-          tokenize(pluck(:id, :users_with_project_read_permissions))
+          tokenize(pluck(:id, :users_with_project_read_permissions, :project_visibility))
         end
 
         def get_by_project_item(permitted_by_project, item)
@@ -68,11 +68,15 @@ module Views
           permitted_by_team.each do |item|
             next unless user.id.in? item.users_ids
             by_project = get_by_project_item(permitted_by_project, item)
-            next unless user.id.in? by_project.users_ids
+            next unless user_can_view?(user, by_project)
             allowed_ids << item.report_id
           end
           allowed_ids
         end
+
+        def user_can_view?(user, by_project)
+          user.id.in?(by_project.users_ids) || by_project.visibility == 1
+        end
       end
     end
   end

spec/models/views/datatables/datatables_report_spec.rb

@@ -71,7 +71,7 @@ RSpec.describe Views::Datatables::DatatablesReport, type: :model do
                       name: 'report two'
     end
 
-    it 'returns the reports ' do
+    it 'returns the reports' do
       reports = team.datatables_reports.visible_by(user, team)
       expect(reports.length).to eq 1
       expect(reports.first.id).to eq report_one.id