diff --git a/app/helpers/permission_helper.rb b/app/helpers/permission_helper.rb
index 6936d81b9..ccf5ea4e3 100644
--- a/app/helpers/permission_helper.rb
+++ b/app/helpers/permission_helper.rb
@@ -264,7 +264,8 @@ module PermissionHelper
 # User can view project if he's assigned onto it, or if
 # a project is public/visible, and user is a member of that team
 def can_view_project(project)
- is_member_of_project(project) or
+ is_admin_of_team(project.team) ||
+ is_member_of_project(project) ||
 (project.visible? and is_member_of_team(project.team))
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 10d340c7e..a3a857240 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -253,31 +253,35 @@ class User < ActiveRecord::Base
 archived = archived ? true : false
 query = Project.all.joins(:user_projects)
 sql = 'projects.team_id IN (SELECT DISTINCT team_id ' \
- 'FROM user_teams WHERE user_teams.user_id = ?) ' \
- 'AND (projects.visibility=1 OR user_projects.user_id=?) ' \
- 'AND projects.archived = ? '
-
- case sort_by
- when "old"
- sort = {created_at: :asc}
- when "atoz"
- sort = {name: :asc}
- when "ztoa"
- sort = {name: :desc}
- else
- sort = {created_at: :desc}
+ 'FROM user_teams WHERE user_teams.user_id = :user_id)'
+ if team_id == 0 || !user_teams.find_by(team_id: team_id).try(:admin?)
+ # Admins see all projects of team
+ sql += ' AND (projects.visibility=1 OR user_projects.user_id=:user_id)'
 end
+ sql += ' AND projects.archived = :archived '
+
+ sort =
+ case sort_by
+ when 'old'
+ { created_at: :asc }
+ when 'atoz'
+ { name: :asc }
+ when 'ztoa'
+ { name: :desc }
+ else
+ { created_at: :desc }
+ end
 if team_id > 0
 result = query
 .where('projects.team_id = ?', team_id)
- .where(sql, id, id, archived)
+ .where(sql,user_id: id, archived: archived)
 .order(sort)
 .distinct
 .group_by(&:team)
 else
 result = query
- .where(sql, id, id, archived)
+ .where(sql,user_id: id, archived: archived)
 .order(sort)
 .distinct
 .group_by(&:team)
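Review bot: The header comment above `can_view_project` still describes only the assignment and public/visible-member rules, while the new first operand `is_admin_of_team(project.team)` grants view access to every project of the team, hidden ones included; it should name that rule, e.g. `# User can view project if he's an admin of its team, if he's assigned onto it, or if`. Since this is the predicate that gates opening a project, the widening deserves a spec that exercises a team admin on a non-visible project he is not assigned to, and a check that the listing query in the `user.rb` hunk of this same commit agrees — that side still applies the visibility filter when `team_id == 0`, so an admin can open a hidden project by URL that the all-teams list never shows. The mix of `||` with the parenthesised `and` is correct only because of the parentheses; `(project.visible? && is_member_of_team(project.team))` would keep the precedence obvious to the next editor.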
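Review bot: The admin branch drops the visibility/assignment filter, but the shared `query = Project.all.joins(:user_projects)` is an INNER JOIN, so a team project with no `user_projects` rows is still excluded even for a team admin — if "all projects of team" is the intent, the admin path needs `Project.all` or `left_outer_joins(:user_projects)` rather than the same `query`. The comment `# Admins see all projects of team` is placed inside the branch that adds the restriction for non-admins, which reads backwards; `# Non-admins (and the all-teams view) only see public projects or ones they are assigned to` on the `if` body, with the admin note on the fall-through, would match the logic. The `team_id == 0` arm always restricts, so the all-teams listing and the per-team listing disagree for the same admin; a spec per arm (admin, plain member, non-member) would pin the intended behaviour and confirm the non-member case stays fail-closed via the outer `team_id IN (...)` subquery. Minor: `.where(sql,user_id: id, ...)` is missing a space after the comma. The enclosing method's signature and return are outside this hunk.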