[Timepoint List] Hide visits that are from user unaffiliated projects (#8723)

skarya22 · web-flow · commit e2ef3ab0b5fb · 2023-06-15T12:12:46.000-04:00
Adjusted the Timepoint_List module to also filter out the visits of projects that are not affiliated to the current user when they have permission to all sites. Resolves #8710
diff --git a/modules/candidate_profile/test/TestPlan.md b/modules/candidate_profile/test/TestPlan.md
@@ -50,6 +50,7 @@ that widget (ie. the media module for CandID 587630 (DCC090) or CandID 300001 (M
 4. Ensure that, when the module which added the extra `CandidateInfo` terms
    is disabled, the terms from that module no longer show up in the
    `Candidate Info` card.
+5. Ensure that you can always only see visits from projects that you are affiliated with.
 
 All other widgets are part of other modules, and should be tested as
 part of that module's testing.
diff --git a/modules/timepoint_list/php/timepoint_list.class.inc b/modules/timepoint_list/php/timepoint_list.class.inc
@@ -99,15 +99,12 @@ class Timepoint_List extends \NDB_Menu
             },
             $listOfSessionIDs,
         );
-
-        if ($user->hasPermission('access_all_profiles') === false) {
-            $listOfTimePoints = array_filter(
-                $listOfTimePoints,
-                function ($timePoint) use ($user) {
-                    return $timePoint->isAccessibleBy($user);
-                }
-            );
-        }
+        $listOfTimePoints = array_filter(
+            $listOfTimePoints,
+            function ($timePoint) use ($user) {
+                return $timePoint->isAccessibleBy($user);
+            }
+        );
 
         /*
          * List of visits
diff --git a/modules/timepoint_list/test/TestPlan.md b/modules/timepoint_list/test/TestPlan.md
@@ -5,6 +5,7 @@
     - For a candidate of a different site than your user, ensure that either 
         - `access_all_profiles` permission is required 
         - or that the candidate's registration site is the same as the user's site
+    - Ensure that you can always only see visits from projects that you are affiliated with.
 2. **Action buttons** 
     - For a candidate of a different site than your user, attempt to access the timepoint list via the url. The page should load with a message of 'Permission Denied'.
     - For a candidate of the same site as your user, there should be up to 3 additional buttons:
