
    Fix missing results in review group accessible queries with special perms.

    Review Request #13120 — Created June 23, 2023 and submitted — Latest diff uploaded

    Information

    Review Board
    release-5.0.x


    When querying accessible review groups with the permission allowing a
    user to see invite-only groups and without restricting to visible review
    groups, the query would only return groups that the user is a member of.
    This isn't correct behavior, as they should have seen all applicable
    review groups, regardless of membership.

    The reason this failed was that we had a part of the query that checked
    if a user was a member, and this was meant to be an OR on top of other
    accessibility checks. In this case, those were turned off, meaning the
    only check left was the membership check.

    This is not a security issue. It didn't expose any information. Quite
    the opposite: It prevented users from seeing information they had access
    to with this specific set of flags.

    The logic now avoids the membership check in this particular case.

    All unit tests passed. Verified they failed prior to this test.

    Tested this with some other in-progress fixes, which exposed this bug.
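A simplified model of the failure described above, added here as an example and not Review Board's own code. The table layout, the `accessible` function, its `fixed` switch and the sample rows are all constructed for illustration.

```python
import sqlite3

# Constructed sample data: (name, invite_only, visible) and memberships.
GROUPS = [("public", 0, 1), ("secret", 1, 1), ("hidden", 0, 0), ("mine", 1, 1)]
MEMBERS = [("alice", "mine")]


def _db():
    """Build a throwaway in-memory database holding the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE grp (name TEXT, invite_only INT, visible INT)")
    db.execute("CREATE TABLE member (username TEXT, grp TEXT)")
    db.executemany("INSERT INTO grp VALUES (?, ?, ?)", GROUPS)
    db.executemany("INSERT INTO member VALUES (?, ?)", MEMBERS)
    return db


def accessible(user, can_view_invite_only, visible_only, fixed):
    """Return the group names the user may see (hypothetical model)."""
    is_member = "name IN (SELECT grp FROM member WHERE username = :u)"
    checks = []
    if not can_view_invite_only:
        checks.append("invite_only = 0")
    if visible_only:
        checks.append("visible = 1")

    if checks:
        # Membership is an alternative to passing the other checks.
        where = f"(({' AND '.join(checks)}) OR {is_member})"
    elif fixed:
        # No other checks are active, so there is nothing to OR with:
        # skip the membership clause and leave the query unfiltered.
        where = "1 = 1"
    else:
        # Bug: the OR branch survives alone and becomes the only filter.
        where = is_member

    sql = f"SELECT name FROM grp WHERE {where} ORDER BY name"
    return [row[0] for row in _db().execute(sql, {"u": user})]
```

A regression test for this kind of query needs a privileged user who is a member of only some groups; a user with no memberships or with all of them would not distinguish the two behaviours as clearly.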
