Hide spent_time when cost disabled #15528
Conversation
oliverguenther
force-pushed
the
fix/53772/hide-spent-time-if-cost-disabled
branch
from
4295f5a
to
4f99df6
Compare
There was a problem hiding this comment.
Please double check what I wrote here @oliverguenther since I would really prefer it to be differently.
| @@ -186,6 +186,7 @@ def initialize(schema, self_link:, **context) | |||
| type: "Duration", | |||
| required: false, | |||
| show_if: ->(*) { | |||
| represented.project&.costs_enabled? && | |||
| current_user.allowed_in_project?(:view_time_entries, represented.project) || | |||
| current_user.allowed_in_any_work_package?(:view_own_time_entries, in_project: represented.project) | |||
There was a problem hiding this comment.
The added represented.project&.cost_enabled? check does not tackle the problem at its root. A check for current_user.allowed_in_project?(:view_time_entries, represented.project) will always include the check of whether the module the permission is in is enabled. So in that regard, it will not add any new constraint.
But I checked and it seems that the
current_user.allowed_in_any_work_package?(:view_own_time_entries, in_project: represented.project) does not carry out the same check which surprised me. But then, because of a higher precedence of the && over ||, the added check is only applied to the first condition which already does the check. So the second, faulty, check does not profit from it.
I fear we need to dig into why the allowed_in_any_work_package? method does not check for the module being enabled.
On a different level, but the check in place already had another flaw, I fear. Because the schema is project AND type specific. So the condition should check whether the user is allowed to view_time_entries in the project OR view_own_time_entries in any work package in the project of the type in question. Cause if user has the permission on a work package of a different type, it should not show up. That is not something the current scopes cover, though. The only way to check it I see would be to construct an intersection query that checks the existence of a work package of the type in the project to which the user has the permission directly or via the project.
There was a problem hiding this comment.
@klaustopher checked and it seems to be that the modules are not always checked in case of allowed_in_any_work_package?. I believe it was for admins where this is the case.
There was a problem hiding this comment.
In the case of allowed_in_any_work_package? we are not checking the condition that the module is enabled in the project the work package belongs to. We are simply checking memberships on the work package and if that contains the checked permission. It would be easy to add a join to the project and enabled modules and check if the module the permission belongs to is also enabled on the project. We should create an issue for this.
In the case where we are using the in_project: argument to allowed_in_any_work_package? we can quickly add a filter like we do in allowed_in_project? as we already have the project model in our hand and can filter the requested permissions easily:
openproject/app/services/authorization/user_permissible_service.rb
Lines 60 to 64 in 0be63d4
could be changed to:
if in_project
perms = permissions_by_enabled_project_modules(project, perms)
allowed_scope = entity_class.allowed_to(user, perms)
allowed_in_single_project?(perms, in_project) || allowed_scope.exists?(project: in_project)
else
allowed_in_any_project?(perms) || allowed_scope.exists?
end
https://community.openproject.org/work_packages/53772