only show team names of own organization (#3928)
fm3 authored Mar 25, 2019
1 parent fad6f39 commit 3829ec1
Showing 2 changed files with 18 additions and 14 deletions.
2 changes: 1 addition & 1 deletion app/controllers/DataSetController.scala
Expand Up @@ -156,7 +156,7 @@ class DataSetController @Inject()(userService: UserService,

def accessList(organizationName: String, dataSetName: String) = sil.SecuredAction.async { implicit request =>
for {
dataSet <- dataSetDAO.findOneByNameAndOrganization(dataSetName, request.identity._organization) ?~> Messages(
dataSet <- dataSetDAO.findOneByNameAndOrganizationName(dataSetName, organizationName) ?~> Messages(
"dataSet.notFound",
dataSetName) ~> NOT_FOUND
allowedTeams <- dataSetService.allowedTeamIdsFor(dataSet._id)
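Review bot: `accessList` (taking the `findOneByNameAndOrganizationName` line as the new side) resolves the dataset from the route's `organizationName` instead of `request.identity._organization`, so the only thing keeping a signed-in user of another organization away from this listing is whatever access check the DAO applies through the implicit `DBAccessContext`, which is not visible in this hunk. It would help to state that dependency at the lookup, for example `// organizationName is caller-supplied; read access is enforced by the DAO via the request's access context`, and to cover the cross-organization case with a test that expects `NOT_FOUND`. The rest of the `for` comprehension lies below the hunk, so whether the returned users are restricted any further cannot be judged from here.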
30 changes: 17 additions & 13 deletions app/models/binary/DataSetService.scala
Expand Up @@ -252,11 +252,16 @@ class DataSetService @Inject()(organizationDAO: OrganizationDAO,
case _ => Fox.successful(0L)
}

def allowedTeamIdsFor(_dataSet: ObjectId)(implicit ctx: DBAccessContext) =
dataSetAllowedTeamsDAO.findAllForDataSet(_dataSet)(GlobalAccessContext) ?~> "allowedTeams.notFound"
def allowedTeamIdsFor(_dataSet: ObjectId)(implicit ctx: DBAccessContext): Fox[List[ObjectId]] =
dataSetAllowedTeamsDAO.findAllForDataSet(_dataSet) ?~> "allowedTeams.notFound"

def allowedTeamsFor(_dataSet: ObjectId)(implicit ctx: DBAccessContext) =
teamDAO.findAllForDataSet(_dataSet)(GlobalAccessContext) ?~> "allowedTeams.notFound"
def allowedTeamsFor(_dataSet: ObjectId, requestingUser: Option[User])(
implicit ctx: DBAccessContext): Fox[List[Team]] =
for {
teams <- teamDAO.findAllForDataSet(_dataSet) ?~> "allowedTeams.notFound"
// dont leak team names of other organizations
teamsFiltered = teams.filter(team => requestingUser.map(_._organization).contains(team._organization))
} yield teamsFiltered

def isEditableBy(
dataSet: DataSet,
Expand All @@ -271,22 +276,22 @@ class DataSetService @Inject()(organizationDAO: OrganizationDAO,
}

def publicWrites(dataSet: DataSet,
userOpt: Option[User],
requestingUserOpt: Option[User],
skipResolutions: Boolean = false,
requestingUserTeamManagerMemberships: Option[List[TeamMembership]] = None): Fox[JsObject] = {
implicit val ctx = GlobalAccessContext
requestingUserTeamManagerMemberships: Option[List[TeamMembership]] = None)(
implicit ctx: DBAccessContext): Fox[JsObject] =
for {
organization <- organizationDAO.findOne(dataSet._organization) ?~> "organization.notFound"
teams <- allowedTeamsFor(dataSet._id)
organization <- organizationDAO.findOne(dataSet._organization)(GlobalAccessContext) ?~> "organization.notFound"
teams <- allowedTeamsFor(dataSet._id, requestingUserOpt)
teamsJs <- Fox.serialCombined(teams)(t => teamService.publicWrites(t))
logoUrl <- logoUrlFor(dataSet, Some(organization))
isEditable <- isEditableBy(dataSet, userOpt, requestingUserTeamManagerMemberships)
lastUsedByUser <- lastUsedTimeFor(dataSet._id, userOpt)
isEditable <- isEditableBy(dataSet, requestingUserOpt, requestingUserTeamManagerMemberships)
lastUsedByUser <- lastUsedTimeFor(dataSet._id, requestingUserOpt)
dataStore <- dataStoreFor(dataSet)
dataStoreJs <- dataStoreService.publicWrites(dataStore)
dataSource <- dataSourceFor(dataSet, Some(organization), skipResolutions)
publicationOpt <- Fox.runOptional(dataSet._publication)(publicationDAO.findOne(_))
publicationJson <- Fox.runOptional(publicationOpt)(publicationService.publicWrites(_))
publicationJson <- Fox.runOptional(publicationOpt)(publicationService.publicWrites)
} yield {
Json.obj(
"name" -> dataSet.name,
Expand All @@ -308,6 +313,5 @@ class DataSetService @Inject()(organizationDAO: OrganizationDAO,
"isForeign" -> dataStore.isForeign
)
}
}

}
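Review bot: The organization filter in `allowedTeamsFor` runs in memory after `teamDAO.findAllForDataSet` has already returned the foreign teams, so the no-leak guarantee holds only for callers that go through this service method; `allowedTeamIdsFor` just above still returns every allowed team id unfiltered, and whether that is intended is not visible here. The filter also fails closed for anonymous requests (`requestingUser = None` yields an empty list), which is the security-relevant behaviour and deserves to be in the comment, e.g. `// don't leak team names of other organizations; without a requesting user no teams are returned`. The predicate reads more directly as `teams.filter(team => requestingUser.exists(_._organization == team._organization))`. In `publicWrites` the explicit `(GlobalAccessContext)` on `organizationDAO.findOne` is now the one lookup that bypasses the caller's context and should carry a one-line comment saying why.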
