ensure topics and synapses have their permission match the map they're deferring to

app/models/map.rb

@@ -32,6 +32,8 @@ class Map < ApplicationRecord
   # Validate the attached image is image/jpg, image/png, etc
   validates_attachment_content_type :screenshot, content_type: /\Aimage\/.*\Z/
 
+  after_save :update_deferring_topics_and_synapses, if: :permission_changed?
+
   def mappings
     topicmappings.or(synapsemappings)
   end
@@ -131,4 +133,9 @@ class Map < ApplicationRecord
     end
     removed.compact
   end
+
+  def update_deferring_topics_and_synapses
+    Topic.where(defer_to_map_id: id).update_all(permission: permission)
+    Synapse.where(defer_to_map_id: id).update_all(permission: permission)
+  end
 end

app/policies/synapse_policy.rb

@@ -2,11 +2,10 @@
 class SynapsePolicy < ApplicationPolicy
   class Scope < Scope
     def resolve
-      visible = %w(public commons)
+      return scope.where(permission: %w(public commons)) unless user
-      return scope.where(permission: visible) unless user
 
-      scope.where(permission: visible)
+      scope.where(permission: %w(public commons))
-           .or(scope.where.not(defer_to_map_id: nil).where(defer_to_map_id: user.all_accessible_maps.map(&:id)))
+           .or(scope.where(defer_to_map_id: user.all_accessible_maps.map(&:id)))
            .or(scope.where(user_id: user.id))
     end
   end

app/policies/topic_policy.rb

@@ -2,11 +2,10 @@
 class TopicPolicy < ApplicationPolicy
   class Scope < Scope
     def resolve
-      visible = %w(public commons)
+      return scope.where(permission: %w(public commons)) unless user
-      return scope.where(permission: visible) unless user
 
-      scope.where(permission: visible)
+      scope.where(permission: %w(public commons))
-           .or(scope.where.not(defer_to_map_id: nil).where(defer_to_map_id: user.all_accessible_maps.map(&:id)))
+           .or(scope.where(defer_to_map_id: user.all_accessible_maps.map(&:id)))
            .or(scope.where(user_id: user.id))
     end
   end