avoid left joining on roles to avoid multiple projects returned

As the permission check used to be left joined directly to the list of projects, with a user having multiple roles, this lead to having a project returned multiple times.

The permission check is not necessary at this point at all however since the query will already add a visible scope if necessary.
pull/10479/head
ulferts 3 years ago committed by Oliver Günther
parent 65f3aeeb66
commit 464bfaa33c
  1. 18
      lib/api/v3/projects/projects_api.rb
  2. 5
      spec/requests/api/v3/projects/index_resource_spec.rb

@ -30,20 +30,10 @@ module API
module V3
module Projects
class ProjectsAPI < ::API::OpenProjectAPI
helpers do
def visible_project_scope
if current_user.admin?
Project.all
else
Project.visible(current_user)
end
end
end
resources :projects do
get &::API::V3::Utilities::Endpoints::SqlFallbackedIndex.new(model: Project,
scope: -> {
visible_project_scope
Project
.includes(ProjectRepresenter.to_eager_load)
})
.mount
@ -61,7 +51,11 @@ module API
end
route_param :id do
after_validation do
@project = visible_project_scope.find(params[:id])
@project = if current_user.admin?
Project.all
else
Project.visible(current_user)
end.find(params[:id])
end
get &::API::V3::Utilities::Endpoints::Show.new(model: Project).mount

@ -43,12 +43,15 @@ describe 'API v3 Project resource index', type: :request, content_type: :json do
create(:project, public: false)
end
let(:parent_project) do
create(:project, public: false, members: { current_user => role }).tap do |parent|
# Adding two roles in here to guard against regression where projects were returned twice if a user
# had multiple roles in the same project.
create(:project, public: false, members: { current_user => [role, second_role] }).tap do |parent|
project.parent = parent
project.save
end
end
let(:role) { create(:role) }
let(:second_role) { create(:role) }
let(:filters) { [] }
let(:get_path) do
api_v3_paths.path_for :projects, filters: filters

Loading…
Cancel
Save