Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Querying Memberships Fix: ensure distinct memberships when querying for ones own public memberships #4333

Merged
2 changes: 1 addition & 1 deletion app/policies/membership_policy.rb
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ def resolve(action)
when :show, :index
public_memberships = scope.where(identity: false, state: Membership.states[:active])
.joins(:user_group).merge(UserGroup.where(private: false))
Membership.union_all(query, public_memberships)
Membership.union_all(query, public_memberships).distinct
else
query
end
Expand Down
107 changes: 73 additions & 34 deletions spec/policies/membership_policy_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,11 @@
MembershipPolicy::Scope.new(api_user, Membership)
end

let(:group_admin_public_membership) { Membership.where(user_id: group_admin.id, user_group_id: public_user_group.id, state: 'active')[0] }
yuenmichelle1 marked this conversation as resolved.
Show resolved Hide resolved
let(:group_admin_private_membership) {
yuenmichelle1 marked this conversation as resolved.
Show resolved Hide resolved
Membership.where(user_id: group_admin.id, user_group_id: private_user_group.id, state: 'active')[0]
}

context 'an anonymous user' do
let(:api_user) { ApiUser.new(anonymous_user) }

Expand All @@ -31,44 +36,58 @@

context 'a normal user', :aggregate_failures do
let(:api_user) { ApiUser.new(logged_in_user) }
let(:other_user) { create(:user) }
let(:other_user_public_membership) { create(:membership, user: other_user, user_group: public_user_group) }
let(:other_user_private_membership) { create(:membership, user: other_user, user_group: private_user_group) }
let(:logged_in_user_public_membership) { create(:membership, user: logged_in_user, user_group: public_user_group) }
let(:logged_in_user_private_membership) { create(:membership, user: logged_in_user, user_group: private_user_group) }

it 'can see other people in public groups' do
other_user = create :user
membership1 = create :membership, user: other_user, user_group: public_user_group
membership2 = create :membership, user: other_user, user_group: private_user_group
membership3 = create :membership, user_group: public_user_group, state: :inactive

expect(scope.resolve(:index)).to include(membership1)
expect(scope.resolve(:show)).to include(membership1)
expect(scope.resolve(:index)).not_to include(membership2)
expect(scope.resolve(:show)).not_to include(membership2)
expect(scope.resolve(:index)).not_to include(membership3)
expect(scope.resolve(:show)).not_to include(membership3)
inactive_membership = create :membership, user_group: public_user_group, state: :inactive

expect(scope.resolve(:index)).to contain_exactly(other_user_public_membership, group_admin_public_membership)
expect(scope.resolve(:show)).to contain_exactly(other_user_public_membership, group_admin_public_membership)
expect(scope.resolve(:index)).not_to include(other_user_private_membership)
expect(scope.resolve(:show)).not_to include(other_user_private_membership)
expect(scope.resolve(:index)).not_to include(inactive_membership)
expect(scope.resolve(:show)).not_to include(inactive_membership)
end

it 'can see who are members of private groups they are in' do
other_user = create :user
membership1 = create :membership, user: logged_in_user, user_group: public_user_group
membership2 = create :membership, user: logged_in_user, user_group: private_user_group
membership3 = create :membership, user: other_user, user_group: public_user_group
membership4 = create :membership, user: other_user, user_group: private_user_group

expect(scope.resolve(:index)).to include(membership1, membership2, membership3, membership4)
expect(scope.resolve(:show)).to include(membership1, membership2, membership3, membership4)
expect(scope.resolve(:index)).to contain_exactly(
logged_in_user_public_membership,
logged_in_user_private_membership,
other_user_public_membership,
other_user_private_membership,
group_admin_public_membership,
group_admin_private_membership
)
expect(scope.resolve(:show)).to contain_exactly(
logged_in_user_public_membership,
logged_in_user_private_membership,
other_user_public_membership,
other_user_private_membership,
group_admin_public_membership,
group_admin_private_membership
)
end

it "cannot modify other user's memberships" do
other_user = create :user
membership1 = create :membership, user: logged_in_user, user_group: public_user_group
membership2 = create :membership, user: logged_in_user, user_group: private_user_group
membership3 = create :membership, user: other_user, user_group: public_user_group
membership4 = create :membership, user: other_user, user_group: private_user_group

expect(scope.resolve(:update)).to include(membership1, membership2)
expect(scope.resolve(:destroy)).to include(membership1, membership2)

expect(scope.resolve(:update)).not_to include(membership3, membership4)
expect(scope.resolve(:destroy)).not_to include(membership3, membership4)
expect(scope.resolve(:update)).to include(logged_in_user_public_membership, logged_in_user_private_membership)
expect(scope.resolve(:destroy)).to include(logged_in_user_public_membership, logged_in_user_private_membership)

expect(scope.resolve(:update)).not_to include(
other_user_private_membership,
other_user_public_membership,
group_admin_private_membership,
group_admin_public_membership
)
expect(scope.resolve(:destroy)).not_to include(
other_user_private_membership,
other_user_public_membership,
group_admin_private_membership,
group_admin_public_membership
)
end
end

Expand All @@ -79,10 +98,30 @@
membership1 = create :membership, user: logged_in_user, user_group: public_user_group
membership2 = create :membership, user: logged_in_user, user_group: private_user_group

expect(scope.resolve(:index)).to include(membership1, membership2)
expect(scope.resolve(:show)).to include(membership1, membership2)
expect(scope.resolve(:update)).to include(membership1, membership2)
expect(scope.resolve(:destroy)).to include(membership1, membership2)
expect(scope.resolve(:index)).to contain_exactly(
membership1,
membership2,
group_admin_private_membership,
group_admin_public_membership
)
expect(scope.resolve(:show)).to contain_exactly(
membership1,
membership2,
group_admin_private_membership,
group_admin_public_membership
)
expect(scope.resolve(:update)).to include(
membership1,
membership2,
group_admin_private_membership,
group_admin_public_membership
)
expect(scope.resolve(:destroy)).to include(
membership1,
membership2,
group_admin_private_membership,
group_admin_public_membership
)
end
end
end
Expand Down
Loading