end
def index
+ uuid_list = [current_user.uuid, *current_user.groups_i_can(:read)]
+ sanitized_uuid_list = uuid_list.
+ collect { |uuid| model_class.sanitize(uuid) }.join(', ')
@objects ||= model_class.
- joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid=#{model_class.sanitize current_user.uuid} AND permissions.link_class='permission'").
- where("?=? OR #{table_name}.owner=? OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL",
+ joins("LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
+ where("?=? OR #{table_name}.owner in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL",
true, current_user.is_admin,
- current_user.uuid, current_user.uuid)
+ uuid_list,
+ current_user.uuid)
if params[:where]
where = params[:where]
where = Oj.load(where) if where.is_a?(String)
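Review bot: The JOIN on the `joins(...)` line still builds its SQL by string interpolation of `sanitized_uuid_list`, while the WHERE on the next line binds the same `uuid_list` through `in (?)`, so the two lists go through different quoting paths (`model_class.sanitize` per element vs. ActiveRecord's bind expansion) and can silently drift apart. As far as the hunk shows, `sanitize` quotes each value so the interpolation is not injectable, but the consistent and safer form is to bind the JOIN's list the same way and drop `sanitized_uuid_list`: `joins(model_class.send(:sanitize_sql_array, ["LEFT JOIN links permissions ON permissions.head_uuid=#{table_name}.owner AND permissions.tail_uuid IN (?) AND permissions.link_class='permission'", uuid_list]))`. Since `uuid_list` always starts with `current_user.uuid`, the `IN (...)` can never be empty; a short comment on that line, `# never empty: the user's own uuid is always first`, would keep a later edit from producing an invalid `IN ()`. `collect` is just an alias of `map`; prefer `map`. The enclosing `index` method continues beyond the hunk.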
user = nil
api_client = nil
api_client_auth = nil
- if params[:api_token]
+ supplied_token = params[:api_token] || params[:oauth_token]
+ if supplied_token
api_client_auth = ApiClientAuthorization.
includes(:api_client, :user).
- where('api_token=?', params[:api_token]).
+ where('api_token=?', supplied_token).
first
if api_client_auth
session[:user_id] = api_client_auth.user.id