Merge pull request #1154 from ZmagoD/zd_SCI_2340

fix access to public reports [fixes SCI-2340]
This commit is contained in:
Zmago Devetak 2018-05-24 16:01:23 +02:00 committed by GitHub
commit efaefb3dfc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 23 additions and 16 deletions


@ -478,11 +478,9 @@ class ReportsController < ApplicationController
def load_visible_projects
render_404 unless current_team
projects = current_team.projects.visible_by(current_user)
.where('projects.name ILIKE ?',
"%#{search_params[:q]}%")
.limit(Constants::SEARCH_LIMIT)
.select(:id, :name)
projects = current_team.projects.visible_from_user_by_name(
current_user, current_team, search_params[:q]
).limit(Constants::SEARCH_LIMIT).select(:id, :name)
@visible_projects = projects.collect do |project|
VisibleProject.new(new_project_reports_path(project),
ellipsize(project.name, 50, 40))
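Review bot: The search term is handed to `visible_from_user_by_name` unescaped, and the scope wraps it as `"%#{name}%"`, so a `%` or `_` typed into the search box acts as a LIKE wildcard rather than a literal; it is a bind value, so not injectable, but `%` alone lists every project the user may see and `_` matches any single character. Escape it at the call site, e.g. `current_user, current_team, ActiveRecord::Base.sanitize_sql_like(search_params[:q].to_s)`, or inside the scope — the Project hunk has the same unescaped interpolation on both `ILIKE` branches, so fixing it there covers every caller. load_visible_projects continues past the end of the hunk, so the remainder of the collect block is not visible here.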


@ -42,11 +42,16 @@ class Project < ApplicationRecord
Views::Datatables::DatatablesReport.refresh_materialized_view
end
scope :visible_by, -> (user) {
joins(:user_projects).where(
'user_projects.user_id = ? AND projects.archived = false', user.id
)
}
def self.visible_from_user_by_name(user, team, name)
if user.is_admin_of_team? team
return where('projects.archived IS FALSE AND projects.name ILIKE ?',
"%#{name}%")
end
joins(:user_projects)
.where('user_projects.user_id = ? OR projects.visibility = 1', user.id)
.where('projects.archived IS FALSE AND projects.name ILIKE ?',
"%#{name}%")
end
def self.search(
user,
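Review bot: `joins(:user_projects)` is an inner join, and the new `OR projects.visibility = 1` condition matches every joined row of a public project, so a public project with several members is returned once per member; the previous `visible_by` scope filtered on `user_id` and so yielded at most one row per project. The duplicates surface in the controller's `collect` and also consume slots of `Constants::SEARCH_LIMIT`; appending `.distinct` to the non-admin chain removes them. If a project with `visibility = 1` can exist without any `user_projects` row, the inner join drops it entirely — `left_outer_joins(:user_projects)` plus `.distinct` would cover that case, but whether such projects exist is not visible here. The literal `1` also appears as `by_project.visibility == 1` in the DatatablesReport hunk; if Project declares a visibility enum, both places should read the value from its mapping so the two cannot drift.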


@ -33,20 +33,20 @@ module Views
private
PermissionItem = Struct.new(:report_id, :users_ids)
PermissionItem = Struct.new(:report_id, :users_ids, :visibility)
def tokenize(items)
items.collect do |item|
PermissionItem.new(item[0], item[1])
PermissionItem.new(item[0], item[1], item[2])
end
end
def get_permitted_by_team_tokenized
tokenize(pluck(:id, :users_with_team_read_permissions))
tokenize(pluck(:id, :users_with_team_read_permissions, :project_visibility))
end
def get_permitted_by_project_tokenized
tokenize(pluck(:id, :users_with_project_read_permissions))
tokenize(pluck(:id, :users_with_project_read_permissions, :project_visibility))
end
def get_by_project_item(permitted_by_project, item)
@ -68,11 +68,15 @@ module Views
permitted_by_team.each do |item|
next unless user.id.in? item.users_ids
by_project = get_by_project_item(permitted_by_project, item)
next unless user.id.in? by_project.users_ids
next unless user_can_view?(user, by_project)
allowed_ids << item.report_id
end
allowed_ids
end
def user_can_view?(user, by_project)
user.id.in?(by_project.users_ids) || by_project.visibility == 1
end
end
end
end
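Review bot: Both `pluck` calls now read a `project_visibility` column from the materialized view, but the view definition is not among the four files in this commit, so if the view does not already expose that column both `get_permitted_by_team_tokenized` and `get_permitted_by_project_tokenized` raise at runtime rather than falling back — worth confirming against the view SQL before merge. `user_can_view?` compares against the bare literal `1`, duplicating `projects.visibility = 1` in the Project scope; a short comment such as `# 1 == public project (mirrors Project.visible_from_user_by_name)` or, better, a shared constant/enum lookup would make the coupling explicit. Note that the team-level check on `item.users_ids` is still required before the project-level one, so public visibility only relaxes the project permission, not team membership — a one-line comment stating that intent above `next unless user_can_view?(user, by_project)` would help the next reader. The `visible_by` method enclosing the second hunk begins above the hunk's first line.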


@ -71,7 +71,7 @@ RSpec.describe Views::Datatables::DatatablesReport, type: :model do
name: 'report two'
end
it 'returns the reports ' do
it 'returns the reports' do
reports = team.datatables_reports.visible_by(user, team)
expect(reports.length).to eq 1
expect(reports.first.id).to eq report_one.id