Fix project permissons (anybody in org could see the list of projects) (#4201)

4 years ago · 5e59ba1791
parent 2a417a980c
commit 5e59ba1791
1 changed files with 12 additions and 1 deletions
--- a/cvat/apps/iam/rules/projects.rego
+++ b/cvat/apps/iam/rules/projects.rego
@ -88,12 +88,23 @@ filter = [] { # Django Q object to filter list of entries
    utils.is_admin
    utils.is_sandbox
 } else = qobject {
+    utils.is_admin
    utils.is_organization
    qobject := [ {"organization": input.auth.organization.id} ]
 } else = qobject {
    utils.is_sandbox
    user := input.auth.user
-    qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|"]
+    qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|" ]
+} else = qobject {
+    utils.is_organization
+    utils.has_perm(utils.USER)
+    organizations.has_perm(organizations.MAINTAINER)
+    qobject := [ {"organization": input.auth.organization.id} ]
+} else = qobject {
+    organizations.has_perm(organizations.WORKER)
+    user := input.auth.user
+    qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|",
+        {"organization": input.auth.organization.id}, "&" ]
 }

 allow {