Check story permissions when populating automatic worklists

Currently, when populating the items of an automatic worklist,
the permissions set on private stories are not taken into account.

This commit fixes this issue by filtering out stories and tasks
that the user shouldn't be able to see when finding the list
of stories and tasks which match the worklist's filters.

Change-Id: If37be62890db913b428af4e6a94ee21754c6ac56
Adam Coldrick 2017-10-04 20:19:09 +01:00
parent 9937096cfc
commit 1080289891
2 changed files with 19 additions and 8 deletions


@ -817,7 +817,7 @@ class Worklist(base.APIBase):
@nodoc
def _resolve_automatic_items(self, worklist, user_id):
items, stories, tasks = worklists_api.filter_items(worklist)
items, stories, tasks = worklists_api.filter_items(worklist, user_id)
story_cache = {story.id: story for story in stories}
task_cache = {task.id: task for task in tasks}
for item in items:
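Review bot: `_resolve_automatic_items` has no docstring saying whose id `user_id` is, and after this change that value decides which private stories and tasks end up in the resolved worklist. A one-line docstring such as `"""Build the worklist's items from its filters, limited to what user_id may see."""` would make clear that callers are expected to pass the requesting user's id rather than the worklist owner's. The callers and the rest of the method body are outside the hunk, so which id they pass today cannot be checked from here.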


@ -1,4 +1,5 @@
# Copyright (c) 2015-2016 Codethink Limited
# Copyright (c) 2017 Adam Coldrick
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@ -540,7 +541,7 @@ def translate_criterion_to_field(criterion):
return criterion_fields[criterion.field]
def filter_stories(worklist, filters):
def filter_stories(worklist, filters, user_id):
filter_queries = []
for filter in filters:
subquery = api_base.model_query(models.Story.id).distinct().subquery()
@ -585,14 +586,19 @@ def filter_stories(worklist, filters):
if len(filter_queries) > 1:
query = filter_queries[0]
query = query.union(*filter_queries[1:])
query = api_base.filter_private_stories(
query, user_id, models.StorySummary)
return query.all()
elif len(filter_queries) == 1:
return filter_queries[0].all()
query = filter_queries[0]
query = api_base.filter_private_stories(
query, user_id, models.StorySummary)
return query.all()
else:
return []
def filter_tasks(worklist, filters):
def filter_tasks(worklist, filters, user_id):
filter_queries = []
for filter in filters:
query = api_base.model_query(models.Task)
@ -628,23 +634,28 @@ def filter_tasks(worklist, filters):
if len(filter_queries) > 1:
query = filter_queries[0]
query = query.union(*filter_queries[1:])
query = api_base.filter_private_stories(
query, user_id, models.StorySummary)
return query.all()
elif len(filter_queries) == 1:
return filter_queries[0].all()
query = filter_queries[0]
query = api_base.filter_private_stories(
query, user_id, models.StorySummary)
return query.all()
else:
return []
def filter_items(worklist):
def filter_items(worklist, user_id):
story_filters = [f for f in worklist.filters if f.type == 'Story']
task_filters = [f for f in worklist.filters if f.type == 'Task']
filtered_stories = []
filtered_tasks = []
if story_filters:
filtered_stories = filter_stories(worklist, story_filters)
filtered_stories = filter_stories(worklist, story_filters, user_id)
if task_filters:
filtered_tasks = filter_tasks(worklist, task_filters)
filtered_tasks = filter_tasks(worklist, task_filters, user_id)
items = []
for story in filtered_stories:
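Review bot: In `filter_tasks` each per-filter query starts from `api_base.model_query(models.Task)`, yet the privacy filter added after it is given `models.StorySummary` as the story model, the same argument used in `filter_stories`. The lines that build each task query lie outside the hunk, so it is not visible whether that query is joined to the story summary; if it is not, the private-story condition may not be tied to each task's parent story. It is worth confirming the join and adding a regression test in which a task on a private story matches the worklist's filters while the requesting user has no permission on that story. Separately, the `filter_private_stories` call is repeated in both branches of both functions; restructuring the tail as below leaves a single enforcement point that a later branch cannot bypass.

```python
    # … unchanged: building filter_queries from the worklist's filters …
    if not filter_queries:
        return []
    query = filter_queries[0]
    if len(filter_queries) > 1:
        query = query.union(*filter_queries[1:])
    # Every non-empty result path goes through the privacy filter exactly once.
    query = api_base.filter_private_stories(
        query, user_id, models.StorySummary)
    return query.all()
```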