some small improvements and leads how to solve the nested relational …

…field access based filters

src/datasets/datasets.service.ts

@@ -83,6 +83,55 @@ export class DatasetsService {
       if (fieldValue) {
         fieldValue.$lookup.as = field;
 
+        // TODO: Should implement something similar like addAccessBasedFilters in the controller including the access based checks on each relational field
+        // For example if we have proposals included we should check something like:
+        /*
+            const ability = this.caslAbilityFactory.proposalInstanceAccess(user);
+            const canViewAny = ability.can(Action.ProposalReadAny, Proposal);
+            const canViewOwner = ability.can(Action.ProposalReadManyOwner, Proposal);
+            const canViewAccess = ability.can(
+              Action.ProposalReadManyAccess,
+              Proposal,
+            );
+            const canViewPublic = ability.can(
+              Action.ProposalReadManyPublic,
+              Proposal,
+            );
+
+            if (!canViewAny) {
+              if (canViewAccess) {
+                fieldValue.$lookup.pipeline = [
+                  {
+                    $match: {
+                      $or: [
+                        { ownerGroup: { $in: user.currentGroups } },
+                        { accessGroups: { $in: user.currentGroups } },
+                        { sharedWith: { $in: [user.email] } },
+                        { isPublished: true },
+                      ],
+                    },
+                  },
+                ];
+              } else if (canViewOwner) {
+               fieldValue.$lookup.pipeline = [
+                  {
+                    $match: {
+                      ownerGroup: { $in: user.currentGroups } 
+                    }
+                  },
+                ];
+              } else if (canViewPublic) {
+               fieldValue.$lookup.pipeline = [
+                  {
+                    $match: {
+                      isPublished: true
+                    }
+                  },
+                ];
+              }
+            }
+        */
+
         pipeline.push(fieldValue);
       }
     });

src/datasets/datasets.v4.controller.ts

@@ -198,11 +198,9 @@ export class DatasetsV4Controller {
   }
 
   addAccessBasedFilters(
-    request: Request,
+    user: JWTUser,
     filter: IDatasetFiltersV4<DatasetDocument, IDatasetFields>,
   ): IDatasetFiltersV4<DatasetDocument, IDatasetFields> {
-    const user: JWTUser = request.user as JWTUser;
-
     const ability = this.caslAbilityFactory.datasetInstanceAccess(user);
     const canViewAny = ability.can(Action.DatasetReadAny, DatasetClass);
     const canViewOwner = ability.can(Action.DatasetReadManyOwner, DatasetClass);
@@ -391,7 +389,10 @@ export class DatasetsV4Controller {
     queryFilter: string,
   ) {
     const parsedFilter = JSON.parse(queryFilter ?? "{}");
-    const mergedFilters = this.addAccessBasedFilters(request, parsedFilter);
+    const mergedFilters = this.addAccessBasedFilters(
+      request.user as JWTUser,
+      parsedFilter,
+    );
 
     const datasets = await this.datasetsService.findAllComplete(mergedFilters);
 
@@ -570,7 +571,10 @@ export class DatasetsV4Controller {
   ): Promise<OutputDatasetDto | null> {
     const parsedFilter = JSON.parse(queryFilter ?? "{}");
 
-    const mergedFilters = this.addAccessBasedFilters(request, parsedFilter);
+    const mergedFilters = this.addAccessBasedFilters(
+      request.user as JWTUser,
+      parsedFilter,
+    );
 
     const foundDataset =
       await this.datasetsService.findOneComplete(mergedFilters);
@@ -628,7 +632,10 @@ export class DatasetsV4Controller {
   ) {
     const parsedFilter = JSON.parse(queryFilter ?? "{}");
 
-    const finalFilters = this.addAccessBasedFilters(request, parsedFilter);
+    const finalFilters = this.addAccessBasedFilters(
+      request.user as JWTUser,
+      parsedFilter,
+    );
 
     return this.datasetsService.count(finalFilters);
   }