improve access to collections via groups (#4441)

* refactor get_org_collections_details * improve access to collection check * fix get_org_collection_detail too
2025-10-31 02:08:20 +02:00 · 2024-04-27 22:09:00 +02:00
parent 84a7c7da5d
commit 9dcc738f85
3 changed files with 23 additions and 41 deletions
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@@ -329,27 +329,19 @@ async fn get_org_collections_details(org_id: &str, headers: ManagerHeadersLoose,
            && GroupUser::has_full_access_by_member(org_id, &user_org.uuid, &mut conn).await);

    for col in Collection::find_by_organization(org_id, &mut conn).await {
-        // assigned indicates whether the current user has access to the given collection
-        let mut assigned = has_full_access_to_org;
+        // check whether the current user has access to the given collection
+        let assigned = has_full_access_to_org
+            || CollectionUser::has_access_to_collection_by_user(&col.uuid, &user_org.user_uuid, &mut conn).await
+            || (CONFIG.org_groups_enabled()
+                && GroupUser::has_access_to_collection_by_member(&col.uuid, &user_org.uuid, &mut conn).await);

        // get the users assigned directly to the given collection
        let users: Vec<Value> = coll_users
            .iter()
            .filter(|collection_user| collection_user.collection_uuid == col.uuid)
-            .map(|collection_user| {
-                // check if the current user is assigned to this collection directly
-                if collection_user.user_uuid == user_org.uuid {
-                    assigned = true;
-                }
-                SelectionReadOnly::to_collection_user_details_read_only(collection_user).to_json()
-            })
+            .map(|collection_user| SelectionReadOnly::to_collection_user_details_read_only(collection_user).to_json())
            .collect();

-        // check if the current user has access to the given collection via a group
-        if !assigned && CONFIG.org_groups_enabled() {
-            assigned = GroupUser::has_access_to_collection_by_member(&col.uuid, &user_org.uuid, &mut conn).await;
-        }
-
        // get the group details for the given collection
        let groups: Vec<Value> = if CONFIG.org_groups_enabled() {
            CollectionGroup::find_by_collection(&col.uuid, &mut conn)
@@ -672,24 +664,16 @@ async fn get_org_collection_detail(
                Vec::with_capacity(0)
            };

-            let mut assigned = false;
            let users: Vec<Value> =
                CollectionUser::find_by_collection_swap_user_uuid_with_org_user_uuid(&collection.uuid, &mut conn)
                    .await
                    .iter()
                    .map(|collection_user| {
-                        // Remember `user_uuid` is swapped here with the `user_org.uuid` with a join during the `find_by_collection_swap_user_uuid_with_org_user_uuid` call.
-                        // We check here if the current user is assigned to this collection or not.
-                        if collection_user.user_uuid == user_org.uuid {
-                            assigned = true;
-                        }
                        SelectionReadOnly::to_collection_user_details_read_only(collection_user).to_json()
                    })
                    .collect();

-            if user_org.access_all {
-                assigned = true;
-            }
+            let assigned = Collection::can_access_collection(&user_org, &collection.uuid, &mut conn).await;

            let mut json_object = collection.to_json();
            json_object["Assigned"] = json!(assigned);