Update query to only allow open boards for team members (#4335)

* update query to only allow open boards for team members

* remove debug lines

server/services/store/mattermostauthlayer/mattermostauthlayer.go

@@ -676,35 +676,14 @@ func (s *MattermostAuthLayer) SearchBoardsForUser(term, userID string, includePu
 	// question mark placeholder here
 	builder := s.getQueryBuilder().PlaceholderFormat(sq.Question)
 
-	var boardMembersWhere sq.Or
-	var channelMembersWhere sq.Or
-
-	if includePublicBoards {
-		boardMembersWhere = sq.Or{
-			sq.Eq{"b.type": model.BoardTypeOpen},
-			sq.Eq{"bm.user_id": userID},
-		}
-		channelMembersWhere = sq.Or{
-			sq.Eq{"b.type": model.BoardTypeOpen},
-			sq.Eq{"cm.userId": userID},
-		}
-	} else {
-		boardMembersWhere = sq.Or{
-			sq.Eq{"bm.user_id": userID},
-		}
-		channelMembersWhere = sq.Or{
-			sq.Eq{"cm.userId": userID},
-		}
-	}
-
 	boardMembersQ := builder.
 		Select(boardFields("b.")...).
 		From(s.tablePrefix + "boards as b").
 		Join(s.tablePrefix + "board_members as bm on b.id=bm.board_id").
 		Where(sq.Eq{
 			"b.is_template": false,
-		}).
+			"bm.user_id":    userID,
-		Where(boardMembersWhere)
+		})
 
 	teamMembersQ := builder.
 		Select(boardFields("b.")...).
@@ -714,6 +693,7 @@ func (s *MattermostAuthLayer) SearchBoardsForUser(term, userID string, includePu
 			"b.is_template": false,
 			"tm.userID":     userID,
 			"tm.deleteAt":   0,
+			"b.type":        model.BoardTypeOpen,
 		})
 
 	channelMembersQ := builder.
@@ -722,8 +702,8 @@ func (s *MattermostAuthLayer) SearchBoardsForUser(term, userID string, includePu
 		Join("ChannelMembers as cm on cm.channelId=b.channel_id").
 		Where(sq.Eq{
 			"b.is_template": false,
-		}).
+			"cm.userId":     userID,
-		Where(channelMembersWhere)
+		})
 
 	if term != "" {
 		// break search query into space separated words
@@ -753,30 +733,24 @@ func (s *MattermostAuthLayer) SearchBoardsForUser(term, userID string, includePu
 		return nil, fmt.Errorf("SearchBoardsForUser error getting channelMembersSQL: %w", err)
 	}
 
-	unionQ := boardMembersQ.
+	unionQ := boardMembersQ
-		Prefix("(").
-		Suffix(") UNION ("+teamMembersSQL, teamMembersArgs...).
-		Suffix(") UNION ("+channelMembersSQL+")", channelMembersArgs...)
-
 	user, err := s.GetUserByID(userID)
 	if err != nil {
 		return nil, err
 	}
 	// NOTE: theoretically, could do e.g. `isGuest := !includePublicBoards`
 	// but that introduces some tight coupling + fragility
-	if user.IsGuest {
+	if !user.IsGuest {
-		var explicitMembers []*model.BoardMember
+		unionQ = unionQ.
-		explicitMembers, err = s.Store.GetMembersForUser(userID)
+			Prefix("(").
-		if err != nil {
+			Suffix(") UNION ("+channelMembersSQL+")", channelMembersArgs...)
-			s.logger.Error(`getMembersForUser ERROR`, mlog.Err(err))
+		if includePublicBoards {
-			return nil, err
+			unionQ = unionQ.Suffix(" UNION ("+teamMembersSQL+")", teamMembersArgs...)
 		}
-		boardIDs := []string{}
+	} else if includePublicBoards {
-		for _, m := range explicitMembers {
+		unionQ = unionQ.
-			boardIDs = append(boardIDs, m.BoardID)
+			Prefix("(").
-		}
+			Suffix(") UNION ("+teamMembersSQL+")", teamMembersArgs...)
-		// Only explicit memberships for guests
-		unionQ = unionQ.Where(sq.Eq{"b.id": boardIDs})
 	}
 
 	unionSQL, unionArgs, err := unionQ.ToSql()