Commit ad4168270e404f539af297b5f6c68c50b00784bd
1 parent
d3d8d79a
api: consider admin role when querying visible organizations for person
Showing
2 changed files
with
62 additions
and
11 deletions
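--- a/app/models/organization.rb
+++ b/app/models/organization.rb
@@ -8,11 +8,28 @@ class Organization < Profile
 :display => %w[compact]
 }
 
+# An Organization is considered visible to a given person if one of the
+# following conditions are met:
+# 1) The user is an environment administrator.
+# 2) The user is an administrator of the organization.
+# 3) The user is a member of the organization and the organization is
+# visible.
+# 4) The user is not a member of the organization but the organization is
+# visible, public and enabled.
 scope :visible_for_person, lambda { |person|
-joins('LEFT JOIN "role_assignments" ON "role_assignments"."resource_id" = "profiles"."id" AND "role_assignments"."resource_type" = \'Profile\'')
+joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
+AND "role_assignments"."resource_type" = \'Profile\') OR (
+"role_assignments"."resource_id" = "profiles"."environment_id" AND
+"role_assignments"."resource_type" = \'Environment\' )')
+.joins('LEFT JOIN "roles" ON "role_assignments"."role_id" = "roles"."id"')
 .where(
-['( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
-(profiles.public_profile = ?)) AND (profiles.visible = ?)', Profile.name, person.id, true, true]
+['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )
+OR
+( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
+( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
+( profiles.visible = ? ) )',
+'profile_admin', 'environment_administrator', Profile.name, person.id,
+Profile.name, person.id, true, true, true]
 ).uniq
 }
 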
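Review bot: The membership branch on new lines 28–30 no longer scopes the role assignment to the organization itself: because the LEFT JOIN now also pulls in role_assignments whose resource is the environment, any role the person holds on the environment satisfies `role_assignments.accessor_type = ? AND role_assignments.accessor_id = ?`, so every organization with `profiles.visible = true` — including ones with `public_profile = false` — would be returned for that person, not only the ones they are a member of. The new test does not notice this because the only environment role it grants is the administrator one, which is meant to see everything anyway; if the environment can carry other roles, this silently widens visibility compared with the removed query. Restoring the old scoping is a matter of adding `AND role_assignments.resource_type = ?` (bound to `Profile.name`) inside that inner membership group, and the same idea applies to the first branch, where `profile_admin` should only count against a Profile assignment and `environment_administrator` only against an Environment one. The first comment line would also read better as "if one of the following conditions is met".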
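--- a/test/unit/organization_test.rb
+++ b/test/unit/organization_test.rb
@@ -479,23 +479,57 @@ class OrganizationTest < ActiveSupport::TestCase
 
 should 'fetch organizations there are visible for a user' do
 person = create_user('some-person').person
+admin = create_user('some-admin').person
+env_admin = create_user('env-admin').person
+
 o1 = fast_create(Organization, :public_profile => true , :visible => true )
+o1.add_admin(admin)
 o1.add_member(person)
+
 o2 = fast_create(Organization, :public_profile => true , :visible => true )
 o3 = fast_create(Organization, :public_profile => false, :visible => true )
+
 o4 = fast_create(Organization, :public_profile => false, :visible => true)
+o4.add_admin(admin)
 o4.add_member(person)
+
 o5 = fast_create(Organization, :public_profile => true , :visible => false)
-o6 = fast_create(Organization, :public_profile => false, :visible => false)
+o5.add_admin(admin)
+o5.add_member(person)
+
+o6 = fast_create(Enterprise, :enabled => false, :visible => true)
+o6.add_admin(admin)
+
+o7 = fast_create(Organization, :public_profile => false, :visible => false)
+
+Environment.default.add_admin(env_admin)
+
+person_orgs = Organization.visible_for_person(person)
+admin_orgs = Organization.visible_for_person(admin)
+env_admin_orgs = Organization.visible_for_person(env_admin)
+
+assert_includes person_orgs, o1
+assert_includes admin_orgs, o1
+assert_includes env_admin_orgs, o1
+
+assert_includes person_orgs, o2
+assert_includes env_admin_orgs, o2
+assert_not_includes person_orgs, o3
+assert_includes env_admin_orgs, o3
+
+assert_includes person_orgs, o4
+assert_includes admin_orgs, o4
+assert_includes env_admin_orgs, o4
+
+assert_not_includes person_orgs, o5
+assert_includes admin_orgs, o5
+assert_includes env_admin_orgs, o5
 
-organizations = Organization.visible_for_person(person)
+assert_not_includes person_orgs, o6
+assert_includes admin_orgs, o6
 
-assert_includes organizations, o1
-assert_includes organizations, o2
-assert_not_includes organizations, o3
-assert_includes organizations, o4
-assert_not_includes organizations, o5
-assert_not_includes organizations, o6
+assert_not_includes person_orgs, o7
+assert_includes env_admin_orgs, o7
 end
 
 end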
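Review bot: `admin_orgs` is only ever asserted positively (new lines 512, 521, 525, 529), so the test cannot detect the profile-admin branch of the scope being too permissive — nothing checks that `admin`, who is neither a member nor an environment administrator of o3 and o7, is denied them; `assert_not_includes admin_orgs, o3` and `assert_not_includes admin_orgs, o7` would pin that down. The environment-administrator case is likewise not exercised for the disabled enterprise o6, which is the one object that is neither public-and-enabled nor visible to a plain member, so `assert_includes env_admin_orgs, o6` would cover condition 1 where it actually differs from the others. A comment above the assertions naming which numbered condition of the scope's documentation each group is meant to prove would make the intent of the o5/o6/o7 fixtures clearer than the bare includes/not-includes pairs.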