api: models: Consider group roles to compute forbidden projects
Task https://phabricator.apertis.org/T9073
Issue summary
There's an issue in the frontend, not considering the group
relationships for the different projects.
For example: adding a group with the maintainer role is expected to allow its members to see/modify the hidden project.
    <project name="testproject">
      <person userid="Admin" role="maintainer"/>
      <group groupid="testgroup" role="maintainer"/>
      <access>
        <disable/>
      </access>
    </project>
This is not working as expected. After logging in, a member of testgroup
is still not able to access project testproject
nor see it.
Debugging
The project model is querying the database by name in:

    def self.find_by_name(name, opts = {})
      dbp = find_by(name: name)

but the project model contains a default_scope defined at:

    default_scope { where('projects.id not in (?)', Relationship.forbidden_project_ids) }

which will filter out projects in advance if they are contained in Relationship.forbidden_project_ids.
This is computed in:

    # calculate and cache forbidden_project_ids for users
    def self.forbidden_project_ids

The query is considering those projects with access=disable, but it's only considering the user relationships (i.e. <person> tags in the project meta config).

    Relationship.find_by_sql("SELECT ur.project_id, ur.user_id from flags f,
    relationships ur where f.flag = 'access' and f.status = 'disable' and ur.project_id = f.project_id").each do |r|

So, indeed, the group relationships (i.e. <group> tags in the project meta config) are missing.
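The gap described above, modelled in plain Ruby as an added example (this is not the project's code nor the fix from this change): it compares a forbidden-project computation that honours only user relationships with one that also honours relationships held by the user's groups. The in-memory arrays, the numeric ids, the `group_id` column and the `GROUPS_USERS` membership table are assumptions made for illustration.

```ruby
require 'set'

# Constructed rows standing in for the tables in the query above. The group_id
# column and the GROUPS_USERS membership table are assumptions of this example.
FLAGS = [
  { project_id: 1, flag: 'access', status: 'disable' }, # testproject (hidden)
  { project_id: 2, flag: 'build',  status: 'disable' }, # not an access flag
  { project_id: 3, flag: 'access', status: 'disable' }  # hidden, no group role
].freeze

RELATIONSHIPS = [
  { project_id: 1, user_id: 10,  group_id: nil }, # <person userid="Admin" .../>
  { project_id: 1, user_id: nil, group_id: 7 },   # <group groupid="testgroup" .../>
  { project_id: 3, user_id: 10,  group_id: nil }
].freeze

GROUPS_USERS = [{ group_id: 7, user_id: 20 }].freeze # user 20 is in testgroup

# Projects with access=disable: forbidden unless a relationship says otherwise.
def hidden_project_ids
  FLAGS.select { |f| f[:flag] == 'access' && f[:status] == 'disable' }
       .map { |f| f[:project_id] }.to_set
end

# Behaviour described above: only direct user relationships lift the restriction.
def forbidden_ids_users_only(user_id)
  allowed = RELATIONSHIPS.select { |r| r[:user_id] == user_id }.map { |r| r[:project_id] }
  (hidden_project_ids - allowed).sort
end

# Group-aware variant: a relationship held by any of the user's groups also
# counts. Users with no matching relationship stay denied (deny by default).
def forbidden_ids_with_groups(user_id)
  group_ids = GROUPS_USERS.select { |gu| gu[:user_id] == user_id }.map { |gu| gu[:group_id] }
  allowed = RELATIONSHIPS.select do |r|
    r[:user_id] == user_id || (r[:group_id] && group_ids.include?(r[:group_id]))
  end.map { |r| r[:project_id] }
  (hidden_project_ids - allowed).sort
end

if __FILE__ == $PROGRAM_NAME
  puts "users only, member of testgroup:  #{forbidden_ids_users_only(20).inspect}"
  puts "group aware, member of testgroup: #{forbidden_ids_with_groups(20).inspect}"
end
```

A regression test for this kind of change should cover both directions: the group member gains access to the project the group is attached to, and an unrelated user still sees every hidden project as forbidden.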