
api: models: Consider group roles to compute forbidden projects

Task https://phabricator.apertis.org/T9073

Issue summary

There is an issue in the frontend: group relationships are not taken into account when deciding which projects a user may access.

For example, adding a group with the maintainer role is expected to allow its members to see and modify the hidden project:

<project name="testproject">
  <person userid="Admin" role="maintainer"/>
  <group groupid="testgroup" role="maintainer"/>
  <access>
    <disable/>
  </access>
</project>

This does not work as expected: logging in as a member of testgroup, the user is still unable to see or access project testproject.

Debugging

The project model is querying the database by name in:

https://gitlab.collabora.com/obs/open-build-service/-/blob/collabora/staging/src/api/app/models/project.rb#L441

  def self.find_by_name(name, opts = {})
    dbp = find_by(name: name)

but the project model contains a default_scope defined at:

https://gitlab.collabora.com/obs/open-build-service/-/blob/collabora/staging/src/api/app/models/project.rb#L90

  default_scope { where('projects.id not in (?)', Relationship.forbidden_project_ids) }

which filters out in advance any project whose id is contained in Relationship.forbidden_project_ids.

This is computed in:

https://gitlab.collabora.com/obs/open-build-service/-/blob/collabora/staging/src/api/app/models/relationship.rb#L71

  # calculate and cache forbidden_project_ids for users
  def self.forbidden_project_ids

The query considers projects with access=disable, but it only looks at user relationships (i.e. <person> tags in the project meta config):

https://gitlab.collabora.com/obs/open-build-service/-/blob/collabora/staging/src/api/app/models/relationship.rb#L79

      Relationship.find_by_sql("SELECT ur.project_id, ur.user_id from flags f,
                relationships ur where f.flag = 'access' and f.status = 'disable' and ur.project_id = f.project_id").each do |r|

So the group relationships (i.e. <group> tags in the project meta config) are indeed missing from the computation.
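As an added illustration (not OBS code, and not part of this merge request), the following self-contained Ruby sketch reproduces the two computations on constructed in-memory data: the current person-only variant, and one that also honours <group> relationships through group membership. The table and column names are assumptions loosely modelled on the flags/relationships tables named in the query above.

```ruby
# Added illustration (not OBS code): forbidden-project computation with and
# without group relationships, on constructed in-memory data.
# Table/column names below are assumptions, not the real OBS schema.

FLAGS = [
  { project_id: 1, flag: 'access', status: 'disable' }, # testproject is hidden
  { project_id: 2, flag: 'access', status: 'enable' },  # an ordinary project
]

# relationships: a row carries either user_id (<person>) or group_id (<group>)
RELATIONSHIPS = [
  { project_id: 1, user_id: 'Admin', group_id: nil },
  { project_id: 1, user_id: nil,     group_id: 'testgroup' },
]

# groups_users: constructed group membership
GROUPS_USERS = [
  { group_id: 'testgroup', user_id: 'alice' },
]

# Projects whose meta carries <access><disable/></access>
def hidden_project_ids
  FLAGS.select { |f| f[:flag] == 'access' && f[:status] == 'disable' }
       .map { |f| f[:project_id] }
end

# Current behaviour: only <person> relationships lift the restriction,
# so a member of a maintainer group is still locked out.
def forbidden_project_ids_person_only(user_id)
  allowed = RELATIONSHIPS.select { |r| r[:user_id] == user_id }
                         .map { |r| r[:project_id] }
  hidden_project_ids - allowed
end

# Intended behaviour: a <group> relationship grants access to every member.
def forbidden_project_ids_with_groups(user_id)
  user_groups = GROUPS_USERS.select { |m| m[:user_id] == user_id }
                            .map { |m| m[:group_id] }
  allowed = RELATIONSHIPS.select do |r|
    r[:user_id] == user_id || (r[:group_id] && user_groups.include?(r[:group_id]))
  end.map { |r| r[:project_id] }
  hidden_project_ids - allowed
end

if __FILE__ == $PROGRAM_NAME
  puts "person-only, alice: #{forbidden_project_ids_person_only('alice').inspect}" # [1]
  puts "with groups, alice: #{forbidden_project_ids_with_groups('alice').inspect}" # []
end
```

With the person-only variant, alice (a testgroup member) still has project 1 in her forbidden list, which is exactly the symptom described above.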

Edited by Ariel D'Alessandro
