From 1080289891fcc220dbd909a475a17f1e412e0b7e Mon Sep 17 00:00:00 2001
From: Adam Coldrick
Date: Wed, 4 Oct 2017 20:19:09 +0100
Subject: [PATCH] Check story permissions when populating automatic worklists

Currently, when populating the items of an automatic worklist, the permissions set on private stories is not taken into account. This commit fixes this issue by filtering out stories and tasks that the user shouldn't be able to see when finding the list of stories and tasks which match the worklist's filters.

Change-Id: If37be62890db913b428af4e6a94ee21754c6ac56
---
 storyboard/api/v1/wmodels.py | 2 +-
 storyboard/db/api/worklists.py | 25 ++++++++++++++++++-------
 2 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/storyboard/api/v1/wmodels.py b/storyboard/api/v1/wmodels.py
index cdd05648..52796c9b 100644
--- a/storyboard/api/v1/wmodels.py
+++ b/storyboard/api/v1/wmodels.py
@@ -817,7 +817,7 @@ class Worklist(base.APIBase):
 @nodoc
 def _resolve_automatic_items(self, worklist, user_id):
- items, stories, tasks = worklists_api.filter_items(worklist)
+ items, stories, tasks = worklists_api.filter_items(worklist, user_id)
 story_cache = {story.id: story for story in stories}
 task_cache = {task.id: task for task in tasks}
 for item in items:
diff --git a/storyboard/db/api/worklists.py b/storyboard/db/api/worklists.py
index 87880453..7eb5b101 100644
--- a/storyboard/db/api/worklists.py
+++ b/storyboard/db/api/worklists.py
@@ -1,4 +1,5 @@
 # Copyright (c) 2015-2016 Codethink Limited
+# Copyright (c) 2017 Adam Coldrick
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -540,7 +541,7 @@ def translate_criterion_to_field(criterion):
 return criterion_fields[criterion.field]


-def filter_stories(worklist, filters):
+def filter_stories(worklist, filters, user_id):
 filter_queries = []
 for filter in filters:
 subquery = api_base.model_query(models.Story.id).distinct().subquery()
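Review bot: The privacy filter now hinges entirely on the `user_id` that `_resolve_automatic_items` forwards to `filter_items`, but nothing in this change shows what `filter_private_stories` does when that value is `None` for an unauthenticated request; if it short-circuits instead of restricting to public stories, private items would still leak through automatic worklists. The diffstat lists only the two source files, so no regression test pins either the authenticated or the anonymous case. I would add a test that creates a private story matching a worklist filter and asserts it is absent for a non-member and for an anonymous caller. `_resolve_automatic_items` continues past the end of this hunk.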
@@ -585,14 +586,19 @@ def filter_stories(worklist, filters):
 if len(filter_queries) > 1:
 query = filter_queries[0]
 query = query.union(*filter_queries[1:])
+ query = api_base.filter_private_stories(
+ query, user_id, models.StorySummary)
 return query.all()
 elif len(filter_queries) == 1:
- return filter_queries[0].all()
+ query = filter_queries[0]
+ query = api_base.filter_private_stories(
+ query, user_id, models.StorySummary)
+ return query.all()
 else:
 return []


-def filter_tasks(worklist, filters):
+def filter_tasks(worklist, filters, user_id):
 filter_queries = []
 for filter in filters:
 query = api_base.model_query(models.Task)
@@ -628,23 +634,28 @@ def filter_tasks(worklist, filters):
 if len(filter_queries) > 1:
 query = filter_queries[0]
 query = query.union(*filter_queries[1:])
+ query = api_base.filter_private_stories(
+ query, user_id, models.StorySummary)
 return query.all()
 elif len(filter_queries) == 1:
- return filter_queries[0].all()
+ query = filter_queries[0]
+ query = api_base.filter_private_stories(
+ query, user_id, models.StorySummary)
+ return query.all()
 else:
 return []


-def filter_items(worklist):
+def filter_items(worklist, user_id):
 story_filters = [f for f in worklist.filters if f.type == 'Story']
 task_filters = [f for f in worklist.filters if f.type == 'Task']

 filtered_stories = []
 filtered_tasks = []
 if story_filters:
- filtered_stories = filter_stories(worklist, story_filters)
+ filtered_stories = filter_stories(worklist, story_filters, user_id)
 if task_filters:
- filtered_tasks = filter_tasks(worklist, task_filters)
+ filtered_tasks = filter_tasks(worklist, task_filters, user_id)

 items = []
 for story in filtered_stories:
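Review bot: Both branches of `filter_stories` now repeat the same three-line `filter_private_stories` call, which is easy to desynchronise if the story model or argument order ever changes; the visibility filter belongs after the branches have collapsed into a single query, so it is applied exactly once on every path that returns rows. The function's `def` line sits in the previous hunk, so the body shown here starts mid-function. The same reshaping applies verbatim to `filter_tasks` in the next hunk.
```python
    if not filter_queries:
        return []
    query = filter_queries[0]
    if len(filter_queries) > 1:
        query = query.union(*filter_queries[1:])
    # Apply the visibility rules once, after the per-filter queries are combined.
    query = api_base.filter_private_stories(
        query, user_id, models.StorySummary)
    return query.all()
```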
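Review bot: `filter_tasks` hands `filter_private_stories` the `models.StorySummary` model while its per-filter queries are built from `api_base.model_query(models.Task)` (visible at the end of the previous hunk); the call can only constrain on story privacy if each task query already joins `StorySummary`, and that join, if it exists, lies in the loop body outside this hunk. Please confirm it against the loop and record the dependency with a comment above the call, e.g. `# Relies on each task query above joining StorySummary; filter_private_stories filters on that model`. If the join were missing, the filter would reference a table not in the query's FROM list and the result would not be a permission check at all; this is hedged, since the loop body is not shown. `filter_items` also continues past the last line of this hunk.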