Merge pull request #2912 from urbanrotnik/ur-sci-5091

Add current team to smart annotations permission check [SCI-5091]
2025-10-31 00:19:20 +08:00 · 2020-10-29 13:32:29 +01:00 · 2020-10-29 13:32:29 +01:00 · c6a891bcea
commit c6a891bcea
parent 235f87e0d9 25d050cec4
2 changed files with 14 additions and 5 deletions
--- a/app/services/smart_annotations/permission_eval.rb
+++ b/app/services/smart_annotations/permission_eval.rb
@ -30,16 +30,15 @@ module SmartAnnotations
      end

      def validate_rep_item_permissions(user, team, object)
-        return can_read_repository?(user, object.repository) if object.repository
+        if object.repository
+          return Repository.accessible_by_teams(team).find_by(id: object.repository_id).present? &&
+                 can_read_repository?(user, object.repository)
+        end

        # handles discarded repositories
        repository = Repository.with_discarded.find_by(id: object.repository_id)
        # evaluate to false if repository not found
        return false unless repository
-
-        (repository.team.id == team.id ||
-          repository.team_repositories.where(team_id: team.id).any?) &&
-          can_read_repository?(user, repository)
      end
    end
  end
--- a/spec/services/smart_annotations/permission_eval_spec.rb
+++ b/spec/services/smart_annotations/permission_eval_spec.rb
@ -87,5 +87,15 @@ describe SmartAnnotations::PermissionEval do
      value = subject.__send__(:validate_rep_item_permissions, user, team, repository_item)
      expect(value).to be true
    end
+
+    context 'when user can access repository from another team, but not with the current' do
+      it do
+        # Add anoteher user also as a member of team whos owes repository with this item
+        create :user_team, team: team, user: another_user, role: :admin
+
+        value = subject.__send__(:validate_rep_item_permissions, another_user, another_team, repository_item)
+        expect(value).to be false
+      end
+    end
  end
 end