    Fix missing results in review group accessible queries with special perms.

    Review Request #13120 — Created June 22, 2023 and submitted

    Information

    Review Board
    release-5.0.x

    Reviewers

    When querying accessible review groups with the permission allowing a
    user to see invite-only groups and without restricting to visible review
    groups, the query would only return groups that the user is a member of.
    This isn't correct behavior, as they should have seen all applicable
    review groups, regardless of membership.

    The reason this failed was that we had a part of the query that checked
    if a user was a member, and this was meant to be an OR on top of other
    accessibility checks. In this case, those were turned off, meaning the
    only check left was the membership check.

    This is not a security issue. It didn't expose any information. Quite
    the opposite: It prevented users from seeing information they had access
    to with this specific set of flags.

    The logic now avoids the membership check in this particular case.

    All unit tests passed. Verified they failed prior to this test.

    Tested this with some other in-progress fixes, which exposed this bug.
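
The composition failure the description names can be shown in plain Python. This is an added illustration, not code from this change or from Review Board: a toy `Filter` class stands in for the ORM query objects, and its rule that an unconstrained filter combined with another filter yields the other filter unchanged is an assumption chosen to reproduce the symptom, not a statement about how Review Board's own query code behaves. The `Group` record, the `GROUPS` sample data and the `accessible_groups` function are all constructed for this example; `fixed=False` reproduces the bug and `fixed=True` applies the kind of fix the description outlines.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


# Constructed stand-in for a review group record; not Review Board's model.
@dataclass(frozen=True)
class Group:
    name: str
    invite_only: bool = False
    visible: bool = True
    members: frozenset = frozenset()


Predicate = Callable[[Group], bool]


class Filter:
    """Toy ORM-style filter (an assumption, not the real query objects).

    pred is None means 'no constraint'. Combining with an unconstrained
    filter returns the other operand unchanged, so `Filter() | membership`
    collapses to just `membership`. That collapse is how the symptom from
    the description is reproduced here.
    """

    def __init__(self, pred: Optional[Predicate] = None) -> None:
        self.pred = pred

    def __and__(self, other: "Filter") -> "Filter":
        if self.pred is None:
            return other
        if other.pred is None:
            return self
        return Filter(lambda g: self.pred(g) and other.pred(g))

    def __or__(self, other: "Filter") -> "Filter":
        if self.pred is None:
            return other
        if other.pred is None:
            return self
        return Filter(lambda g: self.pred(g) or other.pred(g))

    def apply(self, groups: Iterable[Group]) -> list[str]:
        """Return the names of the groups that satisfy the filter."""
        return [g.name for g in groups if self.pred is None or self.pred(g)]


def accessible_groups(user: str, *, can_view_invite_only: bool,
                      visible_only: bool, fixed: bool) -> Filter:
    """Build the accessibility filter; fixed=False reproduces the bug."""
    q = Filter()
    if not can_view_invite_only:
        # Without the special permission, invite-only groups are hidden...
        q = q & Filter(lambda g: not g.invite_only)
    if visible_only:
        # ...and, when asked, so are groups marked not visible.
        q = q & Filter(lambda g: g.visible)
    if fixed and q.pred is None:
        # Fix: no restriction applies, so membership cannot widen access;
        # return the unconstrained filter instead of OR-ing membership on.
        return q
    # Members always see their own groups (an OR on top of the checks above).
    # With q unconstrained, the buggy path collapses to membership only.
    return q | Filter(lambda g: user in g.members)


# Constructed sample data, not from the page.
GROUPS = (
    Group("public-devs"),
    Group("hidden-ops", visible=False),
    Group("invite-core", invite_only=True, members=frozenset({"alice"})),
    Group("invite-secret", invite_only=True, visible=False),
)


if __name__ == "__main__":
    for fixed in (False, True):
        names = accessible_groups("bob", can_view_invite_only=True,
                                  visible_only=False,
                                  fixed=fixed).apply(GROUPS)
        print(f"fixed={fixed}: bob (no memberships) sees {names}")
```

With the special permission and no visibility restriction, a user with no memberships gets an empty list on the buggy path and every group on the fixed path; when a restriction does apply, both paths agree, which is the regression check worth keeping alongside the fix.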

    Commit summary: Fix missing results in review group accessible queries with special perms.
    Commit ID: aeebfe58b9f77e93320a1d4c30840646280d17ec
    1. maubin: Ship It!

    2. chipx86: Review request changed
       Status: Completed
       Change Summary: Pushed to release-5.0.x (b615b67)