[fix] Add global view permission requirement for viewing products

gulyasgergely902 · gulyasgergely902 · commit 2ae96b1d6100 · 2025-06-20T15:38:10.000+02:00
Add the global view permission requirement for viewing products. This way if the user has the global view permission but no product related view permission can view any product on the server.
diff --git a/web/server/codechecker_server/api/product_server.py b/web/server/codechecker_server/api/product_server.py
@@ -123,8 +123,12 @@ def __get_product(self, session, product):
 
         args = {'config_db_session': session,
                 'productID': product.id}
-        product_access = permissions.require_permission(
+
+        has_product_permission = permissions.require_permission(
             permissions.PRODUCT_VIEW, args, self.__auth_session)
+        has_global_permission = permissions.require_permission(
+            permissions.PERMISSION_VIEW, args, self.__auth_session)
+        has_access_permission = has_product_permission or has_global_permission
 
         admin_perm_name = permissions.PRODUCT_ADMIN.name
         admins = session.query(ProductPermission). \
@@ -154,7 +158,7 @@ def __get_product(self, session, product):
             runCount=product.num_of_runs,
             latestStoreToProduct=latest_storage_date,
             connected=connected,
-            accessible=product_access,
+            accessible=has_access_permission,
             administrating=self.__administrating(args),
             databaseStatus=server_product.db_status,
             admins=[admin.name for admin in admins],
@@ -260,9 +264,10 @@ def getProductConfiguration(self, product_id):
         Get the product configuration --- WITHOUT THE DB PASSWORD --- of the
         given product.
         """
-        self.__require_permission([permissions.PRODUCT_VIEW], {
-            'productID': product_id
-        })
+        self.__require_permission([
+            permissions.PRODUCT_VIEW,
+            permissions.PERMISSION_VIEW
+        ], {'productID': product_id})
 
         with DBSession(self.__session) as session:
             product = session.query(Product).get(product_id)
diff --git a/web/server/codechecker_server/api/report_server.py b/web/server/codechecker_server/api/report_server.py
@@ -1468,7 +1468,10 @@ def __require_store(self):
         self.__require_permission([permissions.PRODUCT_STORE])
 
     def __require_view(self):
-        self.__require_permission([permissions.PRODUCT_VIEW])
+        self.__require_permission([
+            permissions.PRODUCT_VIEW,
+            permissions.PERMISSION_VIEW
+        ])
 
     def __add_comment(self, bug_id, message, kind=CommentKindValue.USER,
                       date=None):
