From 61a38adcf5af0559cd53b692c580c12cf40ba89e Mon Sep 17 00:00:00 2001
From: ulferts
Date: Wed, 6 Sep 2023 11:18:40 +0200
Subject: [PATCH] exclude entity memberships from non member capability calculation
---
 app/models/capabilities/scopes/default.rb | 2 ++
 spec/models/capabilities/scopes/default_spec.rb | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/app/models/capabilities/scopes/default.rb b/app/models/capabilities/scopes/default.rb
index 190904c95e1..e267fba64bd 100644
--- a/app/models/capabilities/scopes/default.rb
+++ b/app/models/capabilities/scopes/default.rb
@@ -112,6 +112,8 @@ module Capabilities::Scopes
 FROM members
 WHERE members.project_id = projects.id
 AND members.user_id = users.id
+ AND members.entity_type IS NULL
+ AND members.entity_id IS NULL
 LIMIT 1))
 LEFT OUTER JOIN enabled_modules
 ON enabled_modules.project_id = projects.id
diff --git a/spec/models/capabilities/scopes/default_spec.rb b/spec/models/capabilities/scopes/default_spec.rb
index f7656b8ff40..1b8e5327cd1 100644
--- a/spec/models/capabilities/scopes/default_spec.rb
+++ b/spec/models/capabilities/scopes/default_spec.rb
@@ -503,6 +503,23 @@ RSpec.describe Capabilities::Scopes::Default do
 include_examples 'is empty'
 end
+
+ context 'for a public project' do
+ let(:non_member_permissions) { %i[view_members] }
+ let(:members) { [work_package_member, non_member_role] }
+
+ before do
+ project.update(public: true)
+ end
+
+ include_examples 'consists of contract actions', with: 'the actions of the non member role`s permission' do
+ let(:expected) do
+ [
+ ['memberships/read', user.id, project.id]
+ ]
+ end
+ end
+ end
 end
 end
 end
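Review bot: In app/models/capabilities/scopes/default.rb, the two predicates added to the `NOT EXISTS` subquery carry an authorization rule that nothing in the query states: only a project-wide membership (both `entity_type` and `entity_id` NULL) stops a user from being treated as a non member of a public project. A comment above the subquery, for example `-- entity-scoped memberships (e.g. on a single work package) do not count as project membership here`, would keep a later edit from dropping the filter. Because both columns must be NULL, a row with only one of them set would not count as a membership either, which is safe only if the schema guarantees the two are set together; that is not visible in this hunk. The query starts and ends outside the hunk, so it is worth confirming that the branch granting member-role permissions scopes entity memberships to their entity in the same way.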
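Review bot: In spec/models/capabilities/scopes/default_spec.rb, `project.update(public: true)` in the `before` block discards its boolean result, so a failed validation would leave the project private and the example would fail at the capability comparison instead of at setup; `project.update!(public: true)` makes that failure explicit. The new context only covers a user whose sole membership is the work-package one. A sibling example in which the same user also holds a project-wide membership would pin the other half of the rule, namely that the non member role is then not applied. The enclosing `describe`/`context` blocks and the `work_package_member` and `non_member_role` definitions lie outside the hunk.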