@@ -492,9 +492,13 @@ const retrieveProjectsFromDB = (req, criteria, sort, ffields) => {
492492
493493 // make sure project.id is part of fields
494494 if ( _ . indexOf ( fields . projects , 'id' ) < 0 ) fields . projects . push ( 'id' ) ;
495+ // add userId to project_members field so it can be used to check READ_PROJECT_MEMBER permission below.
496+ const addMembersUserId = fields . project_members . length > 0 && _ . indexOf ( fields . project_members , 'userId' ) < 0 ;
497+ if ( addMembersUserId ) {
498+ fields . project_members . push ( 'userId' ) ;
499+ }
495500 const retrieveAttachments = ! req . query . fields || req . query . fields . indexOf ( 'attachments' ) > - 1 ;
496- const retrieveMembers = ( ! req . query . fields || ! ! fields . project_members . length )
497- && util . hasPermissionByReq ( PERMISSION . READ_PROJECT_MEMBER , req ) ;
501+ const retrieveMembers = ! req . query . fields || ! ! fields . project_members . length ;
498502
499503 return models . Project . searchText ( {
500504 filters : criteria . filters ,
@@ -534,7 +538,19 @@ const retrieveProjectsFromDB = (req, criteria, sort, ffields) => {
534538 const p = fp ;
535539 // if values length is 1 it could be either attachments or members
536540 if ( retrieveMembers ) {
537- p . members = _ . filter ( allMembers , m => m . projectId === p . id ) ;
541+ const pMembers = _ . filter ( allMembers , m => m . projectId === p . id ) ;
542+ // check if have permission to read project members
543+ if ( util . hasPermission ( PERMISSION . READ_PROJECT_MEMBER , req . authUser , pMembers ) ) {
544+ if ( addMembersUserId ) {
545+ // remove the userId from the returned members array if it was added before
546+ // as it is only needed for checking permission.
547+ _ . forEach ( pMembers , ( m ) => {
548+ const fm = m ;
549+ delete fm . userId ;
550+ } ) ;
551+ }
552+ p . members = pMembers ;
553+ }
538554 }
539555 if ( retrieveAttachments ) {
540556 p . attachments = _ . filter ( allAttachments , a => a . projectId === p . id ) ;
0 commit comments