Fix missing results in review group accessible queries with special perms.

Review Request #13120 — Created June 22, 2023 and submitted

Information

Review Board
release-5.0.x

Reviewers

When querying accessible review groups with the permission allowing a
user to see invite-only groups and without restricting to visible review
groups, the query would only return groups that the user is a member of.
This isn't correct behavior, as they should have seen all applicable
review groups, regardless of membership.

The reason this failed was that we had a part of the query that checked
if a user was a member, and this was meant to be an OR on top of other
accessibility checks. In this case, those were turned off, meaning the
only check left was the membership check.

This is not a security issue. It didn't expose any information. Quite
the opposite: It prevented users from seeing information they had access
to with this specific set of flags.

The logic now avoids the membership check in this particular case.

All unit tests passed. Verified they failed prior to this test.

Tested this with some other in-progress fixes, which exposed this bug.

Summary ID
Fix missing results in review group accessible queries with special perms.
When querying accessible review groups with the permission allowing a user to see invite-only groups and without restricting to visible review groups, the query would only return groups that the user is a member of. This isn't correct behavior, as they should have seen all applicable review groups, regardless of membership. The reason this failed was that we had a part of the query that checked if a user was a member, and this was meant to be an OR on top of other accessibility checks. In this case, those were turned off, meaning the only check left was the membership check. This is *not* a security issue. It didn't expose any information. Quite the opposite: It prevented users from seeing information they had access to with this specific set of flags. The logic now avoids the membership check in this particular case.
aeebfe58b9f77e93320a1d4c30840646280d17ec
maubin
  1. Ship It!
  2. 
      
chipx86
Review request changed
Status:
Completed
Change Summary:
Pushed to release-5.0.x (b615b67)