From ad4168270e404f539af297b5f6c68c50b00784bd Mon Sep 17 00:00:00 2001
From: Larissa Reis
Date: Thu, 18 Jun 2015 22:14:32 -0300
Subject: [PATCH] api: consider admin role when querying visible organizations for person
---
 app/models/organization.rb     | 23 ++++++++++++++++++++---
 test/unit/organization_test.rb | 50 ++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 62 insertions(+), 11 deletions(-)
diff --git a/app/models/organization.rb b/app/models/organization.rb
index 32badcb..18be960 100644
--- a/app/models/organization.rb
+++ b/app/models/organization.rb
@@ -8,11 +8,28 @@ class Organization < Profile
     :display => %w[compact] }
+  # An Organization is considered visible to a given person if one of the
+  # following conditions are met:
+  # 1) The user is an environment administrator.
+  # 2) The user is an administrator of the organization.
+  # 3) The user is a member of the organization and the organization is
+  # visible.
+  # 4) The user is not a member of the organization but the organization is
+  # visible, public and enabled.
   scope :visible_for_person, lambda { |person|
-    joins('LEFT JOIN "role_assignments" ON "role_assignments"."resource_id" = "profiles"."id" AND "role_assignments"."resource_type" = \'Profile\'')
+    joins('LEFT JOIN "role_assignments" ON ("role_assignments"."resource_id" = "profiles"."id"
+           AND "role_assignments"."resource_type" = \'Profile\') OR (
+           "role_assignments"."resource_id" = "profiles"."environment_id" AND
+           "role_assignments"."resource_type" = \'Environment\' )')
+    .joins('LEFT JOIN "roles" ON "role_assignments"."role_id" = "roles"."id"')
     .where(
-      ['( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
-         (profiles.public_profile = ?)) AND (profiles.visible = ?)', Profile.name, person.id, true, true]
+      ['( (roles.key = ? OR roles.key = ?) AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )
+        OR
+        ( ( ( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? ) OR
+        ( profiles.public_profile = ? AND profiles.enabled = ? ) ) AND
+        ( profiles.visible = ? ) )',
+        'profile_admin', 'environment_administrator', Profile.name, person.id,
+        Profile.name, person.id, true, true, true]
     ).uniq
   }
diff --git a/test/unit/organization_test.rb b/test/unit/organization_test.rb
index fe1b8ca..f404c94 100644
--- a/test/unit/organization_test.rb
+++ b/test/unit/organization_test.rb
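Review bot: The membership branch of the new WHERE clause, `( role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )` under the second OR, no longer means "member of this organization": the rewritten LEFT JOIN now also pulls in role assignments whose resource is the organization's environment, and that branch never checks `role_assignments.resource_type`, so any environment-scoped assignment the person holds (not just `environment_administrator`) would match every visible organization in that environment, non-public ones included. Whether non-admin environment roles exist in this codebase cannot be confirmed from the hunk, but condition 3 of the new comment should be encoded explicitly as `( role_assignments.resource_type = ? AND role_assignments.accessor_type = ? AND role_assignments.accessor_id = ? )`, with `'Profile'` inserted in the bind list ahead of the second `Profile.name`. The admin branch has the mirror weakness — `roles.key` is matched without tying `profile_admin` to a `'Profile'` resource or `environment_administrator` to an `'Environment'` resource — and can be tightened the same way.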
@@ -479,23 +479,57 @@ class OrganizationTest < ActiveSupport::TestCase should 'fetch organizations there are visible for a user' do person = create_user('some-person').person + admin = create_user('some-admin').person + env_admin = create_user('env-admin').person + o1 = fast_create(Organization, :public_profile => true , :visible => true ) + o1.add_admin(admin) o1.add_member(person) + o2 = fast_create(Organization, :public_profile => true , :visible => true ) o3 = fast_create(Organization, :public_profile => false, :visible => true ) + o4 = fast_create(Organization, :public_profile => false, :visible => true) + o4.add_admin(admin) o4.add_member(person) + o5 = fast_create(Organization, :public_profile => true , :visible => false) - o6 = fast_create(Organization, :public_profile => false, :visible => false) + o5.add_admin(admin) + o5.add_member(person) + + o6 = fast_create(Enterprise, :enabled => false, :visible => true) + o6.add_admin(admin) + + o7 = fast_create(Organization, :public_profile => false, :visible => false) + + Environment.default.add_admin(env_admin) + + person_orgs = Organization.visible_for_person(person) + admin_orgs = Organization.visible_for_person(admin) + env_admin_orgs = Organization.visible_for_person(env_admin) + + assert_includes person_orgs, o1 + assert_includes admin_orgs, o1 + assert_includes env_admin_orgs, o1 + + assert_includes person_orgs, o2 + assert_includes env_admin_orgs, o2 + assert_not_includes person_orgs, o3 + assert_includes env_admin_orgs, o3 + + assert_includes person_orgs, o4 + assert_includes admin_orgs, o4 + assert_includes env_admin_orgs, o4 + + assert_not_includes person_orgs, o5 + assert_includes admin_orgs, o5 + assert_includes env_admin_orgs, o5 - organizations = Organization.visible_for_person(person) + assert_not_includes person_orgs, o6 + assert_includes admin_orgs, o6 - assert_includes organizations, o1 - assert_includes organizations, o2 - assert_not_includes organizations, o3 - assert_includes organizations, 
o4 - assert_not_includes organizations, o5 - assert_not_includes organizations, o6 + assert_not_includes person_orgs, o7 + assert_includes env_admin_orgs, o7 end end -- libgit2 0.21.2
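Review bot: Every assertion on `admin_orgs` is positive, so the test cannot catch an over-broad grant: `admin` administers only o1, o4, o5 and o6, yet nothing checks that o3 and o7 stay hidden from it, and a regression that let a single `profile_admin` assignment unlock every organization in the environment would still pass. Add `assert_not_includes admin_orgs, o3` and `assert_not_includes admin_orgs, o7` beside the existing o3 and o7 checks. `assert_includes admin_orgs, o2` would also pin that an organization admin still sees public organizations it does not administer, which the scope's second branch is meant to guarantee.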