FIX: Moderator(non-admin staff user) group visibility scope queries (#22109)

Currently, groups owned by moderators are not visible to them on the groups page. This happens because, the group visibility queries don't account for non-admin staff user group ownership. This change updates the group visibility scope queries to account for a moderator(non-admin staff user) group ownership.
2024-11-26 04:56:18 +08:00 · 2023-06-14 15:25:45 +00:00 · 2023-06-14 15:25:45 +00:00 · 2652354da3
commit 2652354da3
parent 1865eb1de3
2 changed files with 34 additions and 3 deletions
--- a/app/models/group.rb
+++ b/app/models/group.rb
@ -165,7 +165,18 @@ class Group < ActiveRecord::Base
            if user.blank?
              sql = "groups.visibility_level = :public"
            elsif is_staff
-              sql = "groups.visibility_level IN (:public, :logged_on_users, :members, :staff)"
+              sql = <<~SQL
+                groups.visibility_level IN (:public, :logged_on_users, :members, :staff)
+                OR
+                groups.id IN (
+                  SELECT g.id
+                    FROM groups g
+                    JOIN group_users gu ON gu.group_id = g.id
+                    AND gu.user_id = :user_id
+                    AND gu.owner
+                  WHERE g.visibility_level = :owners
+                )
+              SQL
            else
              sql = <<~SQL
          groups.id IN (
@ -209,8 +220,18 @@ class Group < ActiveRecord::Base
            if user.blank?
              sql = "groups.members_visibility_level = :public"
            elsif is_staff
-              sql =
-                "groups.members_visibility_level IN (:public, :logged_on_users, :members, :staff)"
+              sql = <<~SQL
+                groups.members_visibility_level IN (:public, :logged_on_users, :members, :staff)
+                OR
+                groups.id IN (
+                  SELECT g.id
+                    FROM groups g
+                    JOIN group_users gu ON gu.group_id = g.id
+                    AND gu.user_id = :user_id
+                    AND gu.owner
+                  WHERE g.members_visibility_level = :owners
+                )
+              SQL
            else
              sql = <<~SQL
          groups.id IN (
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@ -766,6 +766,11 @@ RSpec.describe Group do
      expect(can_view?(logged_on_user, group)).to eq(false)
      expect(can_view?(nil, group)).to eq(false)

+      group.add_owner(moderator)
+
+      expect(can_view?(moderator, group)).to eq(true)
+
+      GroupUser.delete_by(group: group, user: moderator)
      group.update_columns(visibility_level: Group.visibility_levels[:staff])

      expect(can_view?(admin, group)).to eq(true)
@ -829,6 +834,11 @@ RSpec.describe Group do
      expect(can_view?(logged_on_user, group)).to eq(false)
      expect(can_view?(nil, group)).to eq(false)

+      group.add_owner(moderator)
+
+      expect(can_view?(moderator, group)).to eq(true)
+
+      GroupUser.delete_by(group: group, user: moderator)
      group.update_columns(members_visibility_level: Group.visibility_levels[:staff])

      expect(can_view?(admin, group)).to eq(true)