Revision 825e3990

Added by Dominic Cleal about 9 years ago

fixes #8817 - look up reports with all joins from host scoped_search

This changes the optimisation in d50c799 which caused errors for users with
host filters referencing tables other than hosts.

When retrieving all reports joined with authorised hosts, the nested joins need
to be passed into AR via .joins on the main scope (reports) rather than what
happened with scoped_search, which only specifies the joins on the inner scope.
In that case, they're ignored and not included in the table list.

Retrieving the conditionals and tables from scoped_search directly allows us to
build up a more correct authorisation AR query with joins.

(cherry picked from commit 54592c2f126680db8980f3909ad085124c5983d1)

Conflicts:
app/models/report.rb

View differences:

app/models/concerns/authorizable.rb
end
}
def self.authorized(permission = nil, resource = nil)
self.authorized_as(User.current, permission, resource)
end
# joins to another class, on which the authorization is applied
#
# permission can be nil (therefore we use Proc instead of lambda)
#
# e.g.
# Report.joins_authorized_as(user, Host, :view_hosts)
# Host.joins_authorized_as(user, Domain, :view_domains)
#
# Or you may simply use authorized for User.current
#
scope :joins_authorized_as, Proc.new { |user, resource, permission|
if user.nil?
self.where('1=0')
elsif user.admin?
self.scoped
else
Authorizer.new(user).find_collection(resource, :permission => permission, :joined_on => self)
end
}
def authorized?(permission)
return false if User.current.nil?
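Review bot: In the `joins_authorized_as` scope, `resource` is never checked before the `else` branch hands it to `Authorizer.new(user).find_collection`. Because the block is a `Proc.new` (chosen, per the comment, so that `permission` may be nil), a caller that omits `resource` gets no ArgumentError, and a nil resource reaches the authorizer for every non-admin user. Suggest raising early when `resource` is nil. The comment should also say that the admin branch returns `self.scoped` with no join applied, so callers should not depend on the joined table being present in the result.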
......
def allows_location_filtering?
allows_taxonomy_filtering?(:location_id)
end
def authorized(permission = nil, resource = nil)
authorized_as(User.current, permission, resource)
end
def joins_authorized(resource, permission = nil)
joins_authorized_as(User.current, resource, permission)
end
end
end
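Review bot: The two wrappers here take their positional arguments in opposite order: `authorized(permission = nil, resource = nil)` versus `joins_authorized(resource, permission = nil)`. In authorization code a swapped pair is easy to write and hard to spot in review, since it sends a class where a permission name is expected. Suggest a short comment on `joins_authorized` stating the argument order and that it is evaluated for `User.current`, or aligning the two signatures.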
