Merge pull request #1110 from getredash/fix-1097

Fix #1109: mixed group permissions resulting in wrong permission
getredash · Jun 9, 2016 · 4ec473c · 4ec473c
2 parents 8c21e91 + 0c7f0c2
commit 4ec473c
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/redash/permissions.py b/redash/permissions.py
@@ -17,7 +17,8 @@ def has_access(object_groups, user, need_view_only):
         return False
 
     required_level = 1 if need_view_only else 2
-    group_level = 1 if any(flatten([object_groups[group] for group in matching_groups])) else 2
+
+    group_level = 1 if all(flatten([object_groups[group] for group in matching_groups])) else 2
 
     return required_level <= group_level
 

diff --git a/tests/test_permissions.py b/tests/test_permissions.py
@@ -24,6 +24,14 @@ def test_allows_if_user_member_in_group_with_full_access(self):
 
         self.assertTrue(has_access({1: not view_only}, user, not view_only))
 
+    def test_allows_if_user_member_in_multiple_groups(self):
+        user = MockUser([], [1, 2, 3])
+
+        self.assertTrue(has_access({1: not view_only, 2: view_only}, user, not view_only))
+        self.assertFalse(has_access({1: view_only, 2: view_only}, user, not view_only))
+        self.assertTrue(has_access({1: view_only, 2: view_only}, user, view_only))
+        self.assertTrue(has_access({1: not view_only, 2: not view_only}, user, view_only))
+
     def test_not_allows_if_not_enough_permission(self):
         user = MockUser([], [1])