Clean up private story filtering code

This commit updates the code for filtering out private stories that the
user doesn't have permission to see to use a clearer relationship-based
approach rather than multiple joins and a union.

Change-Id: Ic3ce974e9e1ac443d1cdb03dec6d56ba558b69eb

storyboard/db/api/base.py

@@ -23,9 +23,8 @@ from oslo_db.sqlalchemy.utils import paginate_query as utils_paginate_query
 from oslo_log import log
 from pecan import request
 import six
-from sqlalchemy import and_, or_
+from sqlalchemy import or_
-from sqlalchemy.orm import aliased
+from sqlalchemy.sql.expression import false
-from sqlalchemy.sql.expression import false, true
 import sqlalchemy.types as sqltypes
 
 from storyboard._i18n import _
@@ -384,57 +383,34 @@ def filter_private_stories(query, current_user, story_model=models.Story):
     :param story_model: The database model used for stories in the query.
 
     """
-    # First filter based on users with permissions set directly
-    query = query.outerjoin(models.story_permissions,
-                            models.Permission,
-                            models.user_permissions,
-                            models.User)
     if current_user:
-        visible_to_users = query.filter(
+        query = query.filter(
             or_(
-                and_(
+                story_model.permissions.any(
-                    models.User.id == current_user,
+                    models.Permission.users.any(
-                    story_model.private == true()
+                        models.User.id == current_user
+                    )
+                ),
+                story_model.permissions.any(
+                    models.Permission.teams.any(
+                        models.Team.users.any(
+                            models.User.id == current_user
+                        )
+                    )
                 ),
                 story_model.private == false(),
                 story_model.id.is_(None)
             )
         )
     else:
-        visible_to_users = query.filter(
+        query = query.filter(
             or_(
                 story_model.private == false(),
                 story_model.id.is_(None)
             )
         )
 
-    # Now filter based on membership of teams with permissions
+    return query
-    users = aliased(models.User, name="story_users")
-    query = query.outerjoin(models.team_permissions,
-                            models.Team,
-                            models.team_membership,
-                            (users,
-                             users.id == models.team_membership.c.user_id))
-    if current_user:
-        visible_to_teams = query.filter(
-            or_(
-                and_(
-                    users.id == current_user,
-                    story_model.private == true()
-                ),
-                story_model.private == false(),
-                story_model.id.is_(None)
-            )
-        )
-    else:
-        visible_to_teams = query.filter(
-            or_(
-                story_model.private == false(),
-                story_model.id.is_(None)
-            )
-        )
-
-    return visible_to_users.union(visible_to_teams)
 
 
 def filter_private_worklists(query, current_user, hide_lanes=True):