From 5e59ba179137b18230ffcbff08341f00c9023d0d Mon Sep 17 00:00:00 2001
From: Nikita Manovich
Date: Thu, 20 Jan 2022 10:10:26 +0300
Subject: [PATCH] Fix project permissons (anybody in org could see the list of projects) (#4201)

---
 cvat/apps/iam/rules/projects.rego | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/cvat/apps/iam/rules/projects.rego b/cvat/apps/iam/rules/projects.rego
index 1aafc077..4f4458d5 100644
--- a/cvat/apps/iam/rules/projects.rego
+++ b/cvat/apps/iam/rules/projects.rego
@@ -88,12 +88,23 @@ filter = [] { # Django Q object to filter list of entries
     utils.is_admin
     utils.is_sandbox
 } else = qobject {
+    utils.is_admin
     utils.is_organization
     qobject := [ {"organization": input.auth.organization.id} ]
 } else = qobject {
     utils.is_sandbox
     user := input.auth.user
-    qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|"]
+    qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|" ]
+} else = qobject {
+    utils.is_organization
+    utils.has_perm(utils.USER)
+    organizations.has_perm(organizations.MAINTAINER)
+    qobject := [ {"organization": input.auth.organization.id} ]
+} else = qobject {
+    organizations.has_perm(organizations.WORKER)
+    user := input.auth.user
+    qobject := [ {"owner_id": user.id}, {"assignee_id": user.id}, "|",
+        {"organization": input.auth.organization.id}, "&" ]
 }
 
 allow {
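Review bot: The last `else = qobject` branch (the WORKER one) has no `utils.is_organization` guard, unlike the MAINTAINER branch directly above it, so its organization scoping rests only on `organizations.has_perm(organizations.WORKER)` being undefined outside an organization context; if that helper can ever hold for a request without `input.auth.organization`, the branch would become undefined through `input.auth.organization.id` instead of yielding a deliberate filter. Adding `utils.is_organization` as the first expression of that branch, mirroring the MAINTAINER branch, keeps the chain explicit and fail-closed and makes the intended scope readable without knowing the helper's behaviour. It is also worth a short comment on the new MAINTAINER branch stating why `utils.has_perm(utils.USER)` is required there while the WORKER branch below has no equivalent check, since that asymmetry is the kind of thing the original bug hid. The head of the `filter` rule and any caller that decides what an undefined `filter` means are outside this hunk, so whether "no branch matched" is treated as deny cannot be confirmed here; if the rules package has a test table for this file, a row for a plain organization member listing projects would pin the regression this commit fixes.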