diff --git a/app/controllers/reports_controller.rb b/app/controllers/reports_controller.rb
index de1624f4c..182746ab0 100644
--- a/app/controllers/reports_controller.rb
+++ b/app/controllers/reports_controller.rb
@@ -478,11 +478,9 @@ class ReportsController < ApplicationController
 def load_visible_projects
 render_404 unless current_team
- projects = current_team.projects.visible_by(current_user)
- .where('projects.name ILIKE ?',
- "%#{search_params[:q]}%")
- .limit(Constants::SEARCH_LIMIT)
- .select(:id, :name)
+ projects = current_team.projects.visible_from_user_by_name(
+ current_user, current_team, search_params[:q]
+ ).limit(Constants::SEARCH_LIMIT).select(:id, :name)
 @visible_projects = projects.collect do |project|
 VisibleProject.new(new_project_reports_path(project),
 ellipsize(project.name, 75, 50))
diff --git a/app/models/project.rb b/app/models/project.rb
index 2c0d7eb16..79125e7d8 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -42,11 +42,17 @@ class Project < ApplicationRecord
 Views::Datatables::DatatablesReport.refresh_materialized_view
 end
- scope :visible_by, -> (user) {
- joins(:user_projects).where(
- 'user_projects.user_id = ? AND projects.archived = false', user.id
- )
- }
+ def self.visible_from_user_by_name(user, team, name)
+ if user.is_admin_of_team? team
+ return where('projects.archived IS FALSE AND projects.name ILIKE ?',
+ "%#{name}%")
+ elsif user.is_normal_user_of_team? team
+ return joins(:user_projects)
+ .where('user_projects.user_id = ? OR projects.visibility = 1', user.id)
+ .where('projects.archived IS FALSE AND projects.name ILIKE ?',
+ "%#{name}%")
+ end
+ end
 def self.search(
 user,
diff --git a/app/models/views/datatables/datatables_report.rb b/app/models/views/datatables/datatables_report.rb
index caecb5bc7..db27050e8 100644
--- a/app/models/views/datatables/datatables_report.rb
+++ b/app/models/views/datatables/datatables_report.rb
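Review bot: The new `+ projects =` chain applies `.limit(Constants::SEARCH_LIMIT).select(:id, :name)` to whatever `visible_from_user_by_name` returns, and in the project.rb hunk of this same commit that method has no `else` branch, so for a user who is neither admin nor "normal user" of the team it returns `nil` and this line raises `NoMethodError`, where the old `visible_by` scope always produced a relation. The fix belongs in the model (fall through to `none`), but until then the controller is the place this surfaces. As a point of style, `current_team` is passed as an argument to a call that is already made on `current_team.projects`, so the team travels twice; if the model really needs it for the role check that is fine, but worth a comment such as `# team is passed for the role check only; the relation is already team-scoped`. The unchanged `render_404 unless current_team` guard two lines above appears not to halt the action, so if `render_404` renders rather than raises, `current_team.projects` is reached on `nil` as well — `return render_404 unless current_team` would close that, though that line is outside this change.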
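Review bot: In the `is_normal_user_of_team?` branch the inner `joins(:user_projects)` combined with the new `OR projects.visibility = 1` condition matches every `user_projects` row of a visible project, so (assuming `user_projects` holds one row per member) such a project is returned once per member and the controller's `select(:id, :name)` list carries duplicates; the old `AND user_projects.user_id = ?` form matched at most one row per project, so this is new. The method also returns `nil` when neither role predicate holds (no `else`), and `"%#{name}%"` feeds the caller's search string into the ILIKE pattern with `%` and `_` unescaped — the bind parameter rules out injection, but a bare `%` matches every project, which `sanitize_sql_like` prevents. `projects.visibility = 1` is a bare magic number that is duplicated in `user_can_view?` in datatables_report.rb, so one named constant (or the `visibility` enum, if `Project` declares one) should serve both. The rewrite below shares the archived/name filter between branches, adds `distinct`, escapes the pattern and returns `none` as the fallback; note the inner join still hides a visible project with no `user_projects` rows at all, which `left_outer_joins` would cover if that case can occur.
```ruby
def self.visible_from_user_by_name(user, team, name)
  # % and _ are LIKE wildcards; escape them so the search text is matched literally
  pattern = "%#{sanitize_sql_like(name.to_s)}%"
  base = where('projects.archived IS FALSE AND projects.name ILIKE ?', pattern)
  if user.is_admin_of_team? team
    base
  elsif user.is_normal_user_of_team? team
    # the OR matches one row per member of a visible project; distinct collapses them
    base.joins(:user_projects)
        .where('user_projects.user_id = ? OR projects.visibility = 1', user.id)
        .distinct
  else
    none
  end
end
```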
@@ -33,20 +33,20 @@ module Views
 private
- PermissionItem = Struct.new(:report_id, :users_ids)
+ PermissionItem = Struct.new(:report_id, :users_ids, :visibility)
 def tokenize(items)
 items.collect do |item|
- PermissionItem.new(item[0], item[1])
+ PermissionItem.new(item[0], item[1], item[2])
 end
 end
 def get_permitted_by_team_tokenized
- tokenize(pluck(:id, :users_with_team_read_permissions))
+ tokenize(pluck(:id, :users_with_team_read_permissions, :project_visibility))
 end
 def get_permitted_by_project_tokenized
- tokenize(pluck(:id, :users_with_project_read_permissions))
+ tokenize(pluck(:id, :users_with_project_read_permissions, :project_visibility))
 end
 def get_by_project_item(permitted_by_project, item)
@@ -68,11 +68,15 @@ module Views
 permitted_by_team.each do |item|
 next unless user.id.in? item.users_ids
 by_project = get_by_project_item(permitted_by_project, item)
- next unless user.id.in? by_project.users_ids
+ next unless user_can_view?(user, by_project)
 allowed_ids << item.report_id
 end
 allowed_ids
 end
+
+ def user_can_view?(user, by_project)
+ user.id.in?(by_project.users_ids) || by_project.visibility == 1
+ end
 end
 end
 end
diff --git a/spec/models/views/datatables/datatables_report_spec.rb b/spec/models/views/datatables/datatables_report_spec.rb
index d1b9e3990..711420f24 100644
--- a/spec/models/views/datatables/datatables_report_spec.rb
+++ b/spec/models/views/datatables/datatables_report_spec.rb
@@ -71,7 +71,7 @@ RSpec.describe Views::Datatables::DatatablesReport, type: :model do
 name: 'report two'
 end
- it 'returns the reports ' do
+ it 'returns the reports' do
 reports = team.datatables_reports.visible_by(user, team)
 expect(reports.length).to eq 1
 expect(reports.first.id).to eq report_one.id
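Review bot: Both `pluck` calls now read a `:project_visibility` column, but nothing in this diff changes the SQL behind the `DatatablesReport` materialized view, so unless that column already exists in the view definition (not visible here) both `get_permitted_by_*_tokenized` methods fail at runtime with an unknown-column error; the view migration that adds it should land in the same change, or a comment on the `PermissionItem` line should state where `visibility` is sourced from. As a point of style, `PermissionItem.new(item[0], item[1], item[2])` in `tokenize` has to be edited every time a column is added to the `pluck` lists — `PermissionItem.new(*item)` tracks them automatically, since the struct fields are declared in the same order as the plucked columns.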
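Review bot: `user_can_view?` encodes the "publicly visible" check as the bare literal `1`, and the same literal appears as `projects.visibility = 1` in the project.rb hunk's SQL; two unnamed copies of the same value drift apart easily, so give it one name (a constant, or the `visibility` enum if `Project` declares one) and reference it from both places, e.g. `by_project.visibility == Project::VISIBLE` with the constant defined on the model. The method enclosing the `next unless user_can_view?` line starts outside this hunk, so I cannot see whether `get_by_project_item` can return `nil`; if it can, `by_project.users_ids` inside `user_can_view?` raises where the old inline check did the same, so that is not new but worth a guard now that the check lives in its own method. The spec change in this commit only trims a string, and nothing visible here exercises the new `visibility == 1` path, so a case with a user who has team read permission but no project permission on a visible project would pin the intended behaviour.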