Allow only events with public visibility for Guest User #2253

Merged
merged 1 commit into from
Sep 4, 2024
Merged
2 changes: 1 addition & 1 deletion api/drf_views.py
Expand Up @@ -688,7 +688,7 @@ def retrieve(self, request, pk=None, *args, **kwargs):
"field_reports",
queryset=FieldReport.objects.prefetch_related("countries", "contacts"),
)
if self.request.user.is_authenticated:
if self.request.user.is_authenticated and not self.request.user.profile.limit_access_to_guest:
if is_user_ifrc(self.request.user):
instance = Event.objects.prefetch_related(FR).get(pk=pk)
else:
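Review bot: The new condition on the `is_authenticated` line reads `self.request.user.profile.limit_access_to_guest` directly, so an authenticated account with no profile row would presumably raise here and return a 500 instead of an access decision. If that can happen in this project, resolve the flag defensively and fail closed, e.g. `is_guest = getattr(getattr(self.request.user, "profile", None), "limit_access_to_guest", True)`, then test `not is_guest`. The guest rule is also written inline in this one view; if the list queryset already applies the same rule through a helper, calling it here would keep the two paths from drifting. The body of `retrieve`, including the branch guests now fall into, continues outside the hunk, so the public-only filter there is assumed rather than visible.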
22 changes: 20 additions & 2 deletions api/test_views.py
Expand Up @@ -31,9 +31,11 @@ def setUp(self):
go_user_profile.save()

# Create public field reports
FieldReportFactory.create_batch(4, visibility=VisibilityChoices.PUBLIC)
event_pub = EventFactory.create(visibility=VisibilityChoices.PUBLIC, parent_event=None)
FieldReportFactory.create_batch(4, event=event_pub, visibility=VisibilityChoices.PUBLIC)
# Create non-public field reports
FieldReportFactory.create_batch(5, visibility=VisibilityChoices.IFRC)
event_non_pub = EventFactory.create(visibility=VisibilityChoices.IFRC, parent_event=None)
FieldReportFactory.create_batch(5, event=event_non_pub, visibility=VisibilityChoices.IFRC)

def test_guest_user_permission(self):
body = {}
Expand All @@ -50,6 +52,7 @@ def test_guest_user_permission(self):
f"/api/v2/field-report/{id}/",
"/api/v2/language/",
f"/api/v2/language/{id}/",
"/api/v2/event/",
]

go_post_apis = [
Expand Down Expand Up @@ -159,6 +162,11 @@ def _failure_check(response, check_json_error_code=True):
field_report_pub_response = self.client.post("/api/v2/field-report/", json=body)
_failure_check(field_report_pub_response, check_json_error_code=False)

# Unauthenticated user should be able to view public events
event_pub_response = self.client.get("/api/v2/event/")
_success_check(event_pub_response)
self.assertEqual(len(event_pub_response.json()["results"]), 1)

# authenticate guest user
self.authenticate(user=self.guest_user)

Expand Down Expand Up @@ -194,6 +202,11 @@ def _failure_check(response, check_json_error_code=True):
_success_check(field_report_pub_response)
self.assertEqual(len(field_report_pub_response.json()["results"]), 4)

# Guest user should be able to view public events
event_pub_response = self.client.get("/api/v2/event/")
_success_check(event_pub_response)
self.assertEqual(len(event_pub_response.json()["results"]), 1)

# authenticate ifrc go user
# Go user should be able to access go_post_apis
self.authenticate(user=self.go_user)
Expand All @@ -210,6 +223,11 @@ def _failure_check(response, check_json_error_code=True):
_success_check(field_report_response)
self.assertEqual(len(field_report_response.json()["results"]), 9)

# Go user should be able to view both public + non-pubic events
event_response = self.client.get("/api/v2/event/")
_success_check(event_response)
self.assertEqual(len(event_response.json()["results"]), 2)


class AuthTokenTest(APITestCase):
def setUp(self):
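Review bot: The added assertions only call the list route `/api/v2/event/`, while the view change in this pull request is in `retrieve`, so the guest restriction on the detail route is not exercised by any test shown here. Keep `event_non_pub` from `setUp` on `self` and assert that the guest user and the unauthenticated client cannot fetch `f"/api/v2/event/{self.event_non_pub.id}/"`, while the go user can. The exact failure status depends on the part of `retrieve` outside the visible hunk, so pin it only after confirming what that branch returns. Minor: the comment `# Go user should be able to view both public + non-pubic events` should read "non-public".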