From 2652354da3ee43423af0c132bf020087940b33a5 Mon Sep 17 00:00:00 2001
From: Selase Krakani <849886+s3lase@users.noreply.github.com>
Date: Wed, 14 Jun 2023 15:25:45 +0000
Subject: [PATCH] FIX: Moderator(non-admin staff user) group visibility scope queries (#22109)

Currently, groups owned by moderators are not visible to them on the groups page. This happens because, the group visibility queries don't account for non-admin staff user group ownership. This change updates the group visibility scope queries to account for a moderator(non-admin staff user) group ownership.
---
 app/models/group.rb | 27 ++++++++++++++++++++++++---
 spec/models/group_spec.rb | 10 ++++++++++
 2 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/app/models/group.rb b/app/models/group.rb
index 4e5f1ce8a1e..8532aeaa89c 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -165,7 +165,18 @@ class Group < ActiveRecord::Base
 if user.blank?
 sql = "groups.visibility_level = :public"
 elsif is_staff
- sql = "groups.visibility_level IN (:public, :logged_on_users, :members, :staff)"
+ sql = <<~SQL
+ groups.visibility_level IN (:public, :logged_on_users, :members, :staff)
+ OR
+ groups.id IN (
+ SELECT g.id
+ FROM groups g
+ JOIN group_users gu ON gu.group_id = g.id
+ AND gu.user_id = :user_id
+ AND gu.owner
+ WHERE g.visibility_level = :owners
+ )
+ SQL
 else
 sql = <<~SQL
 groups.id IN (
@@ -209,8 +220,18 @@ class Group < ActiveRecord::Base
 if user.blank?
 sql = "groups.members_visibility_level = :public"
 elsif is_staff
- sql =
- "groups.members_visibility_level IN (:public, :logged_on_users, :members, :staff)"
+ sql = <<~SQL
+ groups.members_visibility_level IN (:public, :logged_on_users, :members, :staff)
+ OR
+ groups.id IN (
+ SELECT g.id
+ FROM groups g
+ JOIN group_users gu ON gu.group_id = g.id
+ AND gu.user_id = :user_id
+ AND gu.owner
+ WHERE g.members_visibility_level = :owners
+ )
+ SQL
 else
 sql = <<~SQL
 groups.id IN (
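Review bot: The new staff-branch fragment has a bare top-level `OR` (`groups.visibility_level IN (...) OR groups.id IN (...)`), so whether it stays a single predicate depends on how `sql` is consumed, and that call is outside both hunks. If it is passed to `where` as a string it is presumably parenthesised for you, but any later interpolation or `AND` concatenation would let the ownership arm bypass the remaining filters on an authorization scope. Opening the heredoc with `(` and closing it with `)` before `SQL` makes the fragment self-contained; the same applies to the `members_visibility_level` hunk. The subquery's self-join on `groups g` could also be a correlated `EXISTS` on `group_users`, and the two near-identical heredocs are a candidate for one private helper taking the column name.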
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index 0db630cd921..7fdbe2f74d6 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -766,6 +766,11 @@ RSpec.describe Group do
 expect(can_view?(logged_on_user, group)).to eq(false)
 expect(can_view?(nil, group)).to eq(false)
+ group.add_owner(moderator)
+
+ expect(can_view?(moderator, group)).to eq(true)
+
+ GroupUser.delete_by(group: group, user: moderator)
 group.update_columns(visibility_level: Group.visibility_levels[:staff])
 expect(can_view?(admin, group)).to eq(true)
@@ -829,6 +834,11 @@ RSpec.describe Group do
 expect(can_view?(logged_on_user, group)).to eq(false)
 expect(can_view?(nil, group)).to eq(false)
+ group.add_owner(moderator)
+
+ expect(can_view?(moderator, group)).to eq(true)
+
+ GroupUser.delete_by(group: group, user: moderator)
 group.update_columns(members_visibility_level: Group.visibility_levels[:staff])
 expect(can_view?(admin, group)).to eq(true)
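Review bot: The added assertions cover only the positive case, a moderator who owns the group, so nothing in these hunks pins the `gu.owner` condition that keeps the new query arm from widening access. Before `group.add_owner(moderator)`, consider adding the moderator as a plain member and asserting the group stays hidden, e.g. `group.add(moderator)` then `expect(can_view?(moderator, group)).to eq(false)`, in both the `visibility_level` and `members_visibility_level` examples. The enclosing examples start outside the hunks, so an equivalent check may already exist above; if it does, this can be ignored.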