Fix visibility of private project snippets for members when searching

256cd8e4 · Douglas Barbosa Alexandre · 8f9b64c7 · 256cd8e4 · 256cd8e4 · 256cd8e4
Commit 256cd8e4 authored Jun 22, 2016 by Douglas Barbosa Alexandre
Showing with 68 additions and 20 deletions

app/models/snippet.rb app/models/snippet.rb +10 -4

spec/models/snippet_spec.rb spec/models/snippet_spec.rb +28 -8

spec/services/search/snippet_service_spec.rb spec/services/search/snippet_service_spec.rb +30 -8

No files found.
--- a/app/models/snippet.rb
+++ b/app/models/snippet.rb
@@ -135,10 +135,16 @@ class Snippet < ActiveRecord::Base
    end

    def accessible_to(user)
-      visibility_levels = [Snippet::PUBLIC]
-      visibility_levels << Snippet::INTERNAL if user
-
-      where('visibility_level IN (?) OR author_id = ?', visibility_levels, user)
+      return are_public unless user.present?
+      return all if user.admin?
+
+      where(
+        'visibility_level IN (:visibility_levels)
+         OR author_id = :author_id
+         OR project_id IN (:project_ids)',
+         visibility_levels: [Snippet::PUBLIC, Snippet::INTERNAL],
+         author_id: user.id,
+         project_ids: user.authorized_projects.select(:id))
    end
  end
 end
--- a/spec/models/snippet_spec.rb
+++ b/spec/models/snippet_spec.rb
@@ -89,22 +89,42 @@ describe Snippet, models: true do
  end

  describe '.accessible_to' do
-    let(:author) { create(:author) }
-    let(:user) { create(:user) }
+    let(:author)  { create(:author) }
+    let(:project) { create(:empty_project) }
+
    let!(:public_snippet)   { create(:snippet, :public) }
    let!(:internal_snippet) { create(:snippet, :internal) }
    let!(:private_snippet)  { create(:snippet, :private, author: author) }

-    it 'returns only public snippets when user is nil' do
-      expect(described_class.accessible_to(nil)).to eq [public_snippet]
+    let!(:project_public_snippet)   { create(:snippet, :public, project: project) }
+    let!(:project_internal_snippet) { create(:snippet, :internal, project: project) }
+    let!(:project_private_snippet)  { create(:snippet, :private, project: project) }
+
+    it 'returns only public snippets when user is blank' do
+      expect(described_class.accessible_to(nil)).to match_array [public_snippet, project_public_snippet]
+    end
+
+    it 'returns only public, and internal snippets for regular users' do
+      user = create(:user)
+
+      expect(described_class.accessible_to(user)).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet]
    end

-    it 'returns only public, and internal snippets when user is not nil' do
-      expect(described_class.accessible_to(user)).to match_array [public_snippet, internal_snippet]
+    it 'returns public, internal snippets and project private snippets for project members' do
+      member = create(:user)
+      project.team << [member, :developer]
+
+      expect(described_class.accessible_to(member)).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
    end

-    it 'returns snippets where the user is the author' do
-      expect(described_class.accessible_to(author)).to match_array [public_snippet, internal_snippet, private_snippet]
+    it 'returns private snippets where the user is the author' do
+      expect(described_class.accessible_to(author)).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet]
+    end
+
+    it 'returns all snippets when for admins' do
+      admin = create(:admin)
+
+      expect(described_class.accessible_to(admin)).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
    end
  end


--- a/spec/services/search/snippet_service_spec.rb
+++ b/spec/services/search/snippet_service_spec.rb
@@ -2,35 +2,57 @@ require 'spec_helper'

 describe Search::SnippetService, services: true do
  let(:author) { create(:author) }
-  let(:internal_user) { create(:user) }
+  let(:project) { create(:empty_project) }

  let!(:public_snippet)   { create(:snippet, :public, content: 'password: XXX') }
  let!(:internal_snippet) { create(:snippet, :internal, content: 'password: XXX') }
  let!(:private_snippet)  { create(:snippet, :private, content: 'password: XXX', author: author) }

+  let!(:project_public_snippet)   { create(:snippet, :public, project: project, content: 'password: XXX') }
+  let!(:project_internal_snippet) { create(:snippet, :internal, project: project, content: 'password: XXX') }
+  let!(:project_private_snippet)  { create(:snippet, :private, project: project, content: 'password: XXX') }
+
  describe '#execute' do
    context 'unauthenticated' do
-      it 'should return public snippets only' do
+      it 'returns public snippets only' do
        search = described_class.new(nil, search: 'password')
        results = search.execute

-        expect(results.objects('snippet_blobs')).to match_array [public_snippet]
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, project_public_snippet]
      end
    end

    context 'authenticated' do
-      it 'should return only public & internal snippets' do
-        search = described_class.new(internal_user, search: 'password')
+      it 'returns only public & internal snippets for regular users' do
+        user = create(:user)
+        search = described_class.new(user, search: 'password')
+        results = search.execute
+
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet]
+      end
+
+      it 'returns public, internal snippets and project private snippets for project members' do
+        member = create(:user)
+        project.team << [member, :developer]
+        search = described_class.new(member, search: 'password')
        results = search.execute

-        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet]
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
      end

-      it 'should return public, internal and private snippets for author' do
+      it 'returns public, internal and private snippets where user is the author' do
        search = described_class.new(author, search: 'password')
        results = search.execute

-        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet]
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet]
+      end
+
+      it 'returns all snippets when user is admin' do
+        admin = create(:admin)
+        search = described_class.new(admin, search: 'password')
+        results = search.execute
+
+        expect(results.objects('snippet_blobs')).to match_array [public_snippet, internal_snippet, private_snippet, project_public_snippet, project_internal_snippet, project_private_snippet]
      end
    end
  end