Fix dani-garcia#3624: fix manager permission within groups

matlink · Feb 17, 2024 · bb100df · bb100df
1 parent bb2412d
commit bb100df
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 0 deletions.
diff --git a/src/api/core/organizations.rs b/src/api/core/organizations.rs
@@ -337,6 +337,9 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose,
             Vec::with_capacity(0)
         };
 
+        // uuids of users belonging to a group of this collection
+        let group_users = GroupUser::get_collection_group_users_uuid(&col.uuid, &mut conn).await;
+
         let mut assigned = false;
         let users: Vec<Value> = coll_users
             .iter()
@@ -351,6 +354,11 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose,
             })
             .collect();
 
+        // if current user is in any collection-assigned group
+        if group_users.contains(&user_org.uuid) {
+            assigned = true;
+        }
+
         if user_org.access_all {
             assigned = true;
         }

diff --git a/src/db/models/group.rs b/src/db/models/group.rs
@@ -1,3 +1,5 @@
+use std::collections::HashSet;
+
 use chrono::{NaiveDateTime, Utc};
 use serde_json::Value;
 
@@ -486,6 +488,29 @@ impl GroupUser {
         }}
     }
 
+    pub async fn find_by_collection(collection_uuid: &str, conn: &mut DbConn) -> Vec<Self> {
+        db_run! { conn: {
+            groups_users::table
+                .inner_join(collections_groups::table.on(
+                    collections_groups::groups_uuid.eq(groups_users::groups_uuid)
+                ))
+                .filter(collections_groups::collections_uuid.eq(collection_uuid))
+                .select(groups_users::all_columns)
+                .load::<GroupUserDb>(conn)
+                .expect("Error loading group users for collection")
+                .from_db()
+        }}
+    }
+
+    /// returns uuid of members of collection groups
+    pub async fn get_collection_group_users_uuid(collection_uuid: &str, conn: &mut DbConn) -> HashSet<String> {
+        GroupUser::find_by_collection(collection_uuid, conn)
+            .await
+            .iter()
+            .map(|u| u.users_organizations_uuid.clone())
+            .collect()
+    }
+
     pub async fn update_user_revision(&self, conn: &mut DbConn) {
         match UserOrganization::find_by_uuid(&self.users_organizations_uuid, conn).await {
             Some(user) => User::update_uuid_revision(&user.user_uuid, conn).await,