Merge pull request #1574 from jbargu/jg_sci_3149_3163

Valid smart annotation links of smart annotation imported within protocol [SCI-3149, 3163]
2025-10-04 10:54:30 +08:00 · 2019-04-01 14:32:54 +02:00 · 2019-04-01 14:32:54 +02:00 · e165459ef5
commit e165459ef5
parent b24a07f1c8 f3e6a35121
7 changed files with 85 additions and 33 deletions
--- a/app/controllers/repository_rows_controller.rb
+++ b/app/controllers/repository_rows_controller.rb
@ -416,7 +416,7 @@ class RepositoryRowsController < ApplicationController
               user: current_user.full_name,
               column: cell.repository_column.name,
               record: record.name,
-               repository: record.repository),
+               repository: record.repository.name),
      message: t('notifications.repository_annotation_message_html',
                 record: link_to(record.name, table_url),
                 column: link_to(cell.repository_column.name, table_url))
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -114,15 +114,15 @@ module ApplicationHelper
    # sometimes happens that the "team" param gets wrong data: "{nil, []}"
    # so we have to check if the "team" param is kind of Team object
    team = nil unless team.is_a? Team
-    new_text = smart_annotation_filter_resources(text)
+    new_text = smart_annotation_filter_resources(text, team)
    new_text = smart_annotation_filter_users(new_text, team)
    new_text
  end

  # Check if text have smart annotations of resources
  # and outputs a link to resource
-  def smart_annotation_filter_resources(text)
-    SmartAnnotations::TagToHtml.new(current_user, text).html
+  def smart_annotation_filter_resources(text, team)
+    SmartAnnotations::TagToHtml.new(current_user, team, text).html
  end

  # Check if text have smart annotations of users
--- a/app/services/smart_annotations/permision_eval.rb
+++ b/app/services/smart_annotations/permision_eval.rb
@ -5,31 +5,37 @@ module SmartAnnotations
    class << self
      include Canaid::Helpers::PermissionsHelper

-      def check(user, type, object)
-        send("validate_#{type}_permissions", user, object)
+      def check(user, team, type, object)
+        send("validate_#{type}_permissions", user, team, object)
      end

      private

-      def validate_prj_permissions(user, object)
-        can_read_project?(user, object)
+      def validate_prj_permissions(user, team, object)
+        object.team.id == team.id && can_read_project?(user, object)
      end

-      def validate_exp_permissions(user, object)
-        can_read_experiment?(user, object)
+      def validate_exp_permissions(user, team, object)
+        object.project.team.id == team.id && can_read_experiment?(user, object)
      end

-      def validate_tsk_permissions(user, object)
-        can_read_experiment?(user, object.experiment)
+      def validate_tsk_permissions(user, team, object)
+        object.experiment.project.team.id == team.id &&
+          can_read_experiment?(user, object.experiment)
      end

-      def validate_rep_item_permissions(user, object)
-        return can_read_team?(user, object.repository.team) if object.repository
+      def validate_rep_item_permissions(user, team, object)
+        if object.repository
+          return object.repository.team.id == team.id &&
+                 can_read_team?(user, object.repository.team)
+        end
+
        # handles discarded repositories
        repository = Repository.with_discarded.find_by_id(object.repository_id)
        # evaluate to false if repository not found
        return false unless repository
-        can_read_team?(user, repository.team)
+
+        repository.team.id == team && can_read_team?(user, repository.team)
      end
    end
  end
--- a/app/services/smart_annotations/tag_to_html.rb
+++ b/app/services/smart_annotations/tag_to_html.rb
@ -7,8 +7,8 @@ module SmartAnnotations
  class TagToHtml
    attr_reader :html

-    def initialize(user, text)
-      parse(user, text)
+    def initialize(user, team, text)
+      parse(user, team, text)
    end

    private
@ -19,7 +19,7 @@ module SmartAnnotations
                        tsk: MyModule,
                        rep_item: RepositoryRow }.freeze

-    def parse(user, text)
+    def parse(user, team, text)
      @html = text.gsub(REGEX) do |el|
        value = extract_values(el)
        type = value[:object_type]
@ -27,9 +27,10 @@ module SmartAnnotations
          object = fetch_object(type, value[:object_id])
          # handle repository_items edge case
          if type == 'rep_item'
-            repository_item(value[:name], user, type, object)
+            repository_item(value[:name], user, team, type, object)
          else
            next unless object && SmartAnnotations::PermissionEval.check(user,
+                                                                         team,
                                                                         type,
                                                                         object)
            SmartAnnotations::HtmlPreview.html(nil, type, object)
@ -40,9 +41,10 @@ module SmartAnnotations
      end
    end

-    def repository_item(name, user, type, object)
+    def repository_item(name, user, team, type, object)
      if object
-        return unless SmartAnnotations::PermissionEval.check(user, type, object)
+        return unless SmartAnnotations::PermissionEval.check(user, team, type, object)
+
        return SmartAnnotations::HtmlPreview.html(nil, type, object)
      end
      SmartAnnotations::HtmlPreview.html(name, type, object)
--- a/app/services/smart_annotations/tag_to_text.rb
+++ b/app/services/smart_annotations/tag_to_text.rb
@ -8,7 +8,7 @@ module SmartAnnotations
    attr_reader :text

    def initialize(user, team, text)
-      parse_items_annotations(user, text)
+      parse_items_annotations(user, team, text)
      parse_users_annotations(user, team, @text)
    end

@ -21,7 +21,7 @@ module SmartAnnotations
                        tsk: MyModule,
                        rep_item: RepositoryRow }.freeze

-    def parse_items_annotations(user, text)
+    def parse_items_annotations(user, team, text)
      @text = text.gsub(ITEMS_REGEX) do |el|
        value = extract_values(el)
        type = value[:object_type]
@ -29,9 +29,10 @@ module SmartAnnotations
          object = fetch_object(type, value[:object_id])
          # handle repository_items edge case
          if type == 'rep_item'
-            repository_item(value[:name], user, type, object)
+            repository_item(value[:name], user, team, type, object)
          else
            next unless object && SmartAnnotations::PermissionEval.check(user,
+                                                                         team,
                                                                         type,
                                                                         object)
            SmartAnnotations::TextPreview.text(nil, type, object)
@ -52,9 +53,10 @@ module SmartAnnotations
      end
    end

-    def repository_item(name, user, type, object)
+    def repository_item(name, user, team, type, object)
      if object
-        return unless SmartAnnotations::PermissionEval.check(user, type, object)
+        return unless SmartAnnotations::PermissionEval.check(user, team, type, object)
+
        return SmartAnnotations::TextPreview.text(nil, type, object)
      end
      SmartAnnotations::TextPreview.text(name, type, object)
--- a/spec/services/smart_annotations/permission_eval_spec.rb
+++ b/spec/services/smart_annotations/permission_eval_spec.rb
@ -5,8 +5,10 @@ describe SmartAnnotations::PermissionEval do
  let(:subject) { described_class }
  let(:user) { create :user }
  let(:team) { create :team }
-  let(:user_team) { create :user_team, user: user, team: team, role: 2 }
-  let(:project) { create :project, name: 'my project' }
+  let(:another_team) { create :team }
+  let!(:user_team) { create :user_team, user: user, team: team, role: :admin }
+  let(:project) { create :project, name: 'my project', team: team }
+  let!(:user_project) { create :user_project, :owner, project: project, user: user }
  let(:experiment) do
    create :experiment, name: 'my experiment',
                        project: project,
@ -19,29 +21,69 @@ describe SmartAnnotations::PermissionEval do

  describe '#validate_prj_permissions/2' do
    it 'returns a boolean' do
-      value = subject.send(:validate_prj_permissions, user, project)
+      value = subject.__send__(:validate_prj_permissions, user, team, project)
      expect(value).to be_in([true, false])
    end
+
+    it 'returns false on wrong team' do
+      value = subject.__send__(:validate_prj_permissions, user, another_team, project)
+      expect(value).to be false
+    end
+
+    it 'returns true on the same team' do
+      value = subject.__send__(:validate_prj_permissions, user, team, project)
+      expect(value).to be true
+    end
  end

  describe '#validate_exp_permissions/2' do
    it 'returns a boolean' do
-      value = subject.send(:validate_exp_permissions, user, experiment)
+      value = subject.__send__(:validate_exp_permissions, user, team, experiment)
      expect(value).to be_in([true, false])
    end
+
+    it 'returns false on wrong team' do
+      value = subject.__send__(:validate_exp_permissions, user, another_team, experiment)
+      expect(value).to be false
+    end
+
+    it 'returns true on the same team' do
+      value = subject.__send__(:validate_exp_permissions, user, team, experiment)
+      expect(value).to be true
+    end
  end

  describe '#validate_tsk_permissions/2' do
    it 'returns a boolean' do
-      value = subject.send(:validate_tsk_permissions, user, task)
+      value = subject.__send__(:validate_tsk_permissions, user, team, task)
      expect(value).to be_in([true, false])
    end
+
+    it 'returns false on wrong team' do
+      value = subject.__send__(:validate_tsk_permissions, user, another_team, task)
+      expect(value).to be false
+    end
+
+    it 'returns true on the same team' do
+      value = subject.__send__(:validate_tsk_permissions, user, team, task)
+      expect(value).to be true
+    end
  end

  describe '#validate_rep_item_permissions/2' do
    it 'returns a boolean' do
-      value = subject.send(:validate_rep_item_permissions, user, repository_item)
+      value = subject.__send__(:validate_rep_item_permissions, user, team, repository_item)
      expect(value).to be_in([true, false])
    end
+
+    it 'returns false on wrong team' do
+      value = subject.__send__(:validate_rep_item_permissions, user, another_team, repository_item)
+      expect(value).to be false
+    end
+
+    it 'returns true on the same team' do
+      value = subject.__send__(:validate_rep_item_permissions, user, team, repository_item)
+      expect(value).to be true
+    end
  end
 end
--- a/spec/services/smart_annotations/tag_to_html_spec.rb
+++ b/spec/services/smart_annotations/tag_to_html_spec.rb
@ -11,7 +11,7 @@ describe SmartAnnotations::TagToHtml do
  let(:text) do
    "My annotation of [#my project~prj~#{project.id.base62_encode}]"
  end
-  let(:subject) { described_class.new(user, text) }
+  let(:subject) { described_class.new(user, team, text) }
  describe 'Parsed text' do
    it 'returns a existing string with smart annotation' do
      expect(subject.html).to eq(