From 0c7f0c25a816e5755704e6b651e5569b050da40f Mon Sep 17 00:00:00 2001
From: Arik Fraimovich <arik@arikfr.com>
Date: Thu, 9 Jun 2016 19:59:26 +0300
Subject: [PATCH] Fix #1109: mixed group permissions resulting in wrong
 permission

---
 redash/permissions.py     | 3 ++-
 tests/test_permissions.py | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/redash/permissions.py b/redash/permissions.py
index d5a3939403..def4a00afb 100644
--- a/redash/permissions.py
+++ b/redash/permissions.py
@@ -17,7 +17,8 @@ def has_access(object_groups, user, need_view_only):
         return False
 
     required_level = 1 if need_view_only else 2
-    group_level = 1 if any(flatten([object_groups[group] for group in matching_groups])) else 2
+
+    group_level = 1 if all(flatten([object_groups[group] for group in matching_groups])) else 2
 
     return required_level <= group_level
 
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
index 170b9b9f39..7ed70e5940 100644
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -24,6 +24,14 @@ def test_allows_if_user_member_in_group_with_full_access(self):
 
         self.assertTrue(has_access({1: not view_only}, user, not view_only))
 
+    def test_allows_if_user_member_in_multiple_groups(self):
+        user = MockUser([], [1, 2, 3])
+
+        self.assertTrue(has_access({1: not view_only, 2: view_only}, user, not view_only))
+        self.assertFalse(has_access({1: view_only, 2: view_only}, user, not view_only))
+        self.assertTrue(has_access({1: view_only, 2: view_only}, user, view_only))
+        self.assertTrue(has_access({1: not view_only, 2: not view_only}, user, view_only))
+
     def test_not_allows_if_not_enough_permission(self):
         user = MockUser([], [1])