Merge pull request #2912 from urbanrotnik/ur-sci-5091

Add current team to smart annotations permission check [SCI-5091]

app/services/smart_annotations/permission_eval.rb

@@ -30,16 +30,15 @@ module SmartAnnotations
       end
 
       def validate_rep_item_permissions(user, team, object)
-        return can_read_repository?(user, object.repository) if object.repository
+        if object.repository
+          return Repository.accessible_by_teams(team).find_by(id: object.repository_id).present? &&
+                 can_read_repository?(user, object.repository)
+        end
 
         # handles discarded repositories
         repository = Repository.with_discarded.find_by(id: object.repository_id)
         # evaluate to false if repository not found
         return false unless repository
-
-        (repository.team.id == team.id ||
-          repository.team_repositories.where(team_id: team.id).any?) &&
-          can_read_repository?(user, repository)
       end
     end
   end

spec/services/smart_annotations/permission_eval_spec.rb

@@ -87,5 +87,15 @@ describe SmartAnnotations::PermissionEval do
       value = subject.__send__(:validate_rep_item_permissions, user, team, repository_item)
       expect(value).to be true
     end
+
+    context 'when user can access repository from another team, but not with the current' do
+      it do
+        # Add anoteher user also as a member of team whos owes repository with this item
+        create :user_team, team: team, user: another_user, role: :admin
+
+        value = subject.__send__(:validate_rep_item_permissions, another_user, another_team, repository_item)
+        expect(value).to be false
+      end
+    end
   end
 end