From 9565a52995325449a2cca447ff421d68763b57fa Mon Sep 17 00:00:00 2001
From: Evan Blaudy
Date: Fri, 15 Nov 2024 16:59:35 +0100
Subject: [PATCH] [permissions] fix permissions for news

---
 zou/app/blueprints/news/resources.py | 11 ++++++++++-
 zou/app/services/news_service.py | 8 ++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/zou/app/blueprints/news/resources.py b/zou/app/blueprints/news/resources.py
index 9ca78a57f1..68148df329 100644
--- a/zou/app/blueprints/news/resources.py
+++ b/zou/app/blueprints/news/resources.py
@@ -2,7 +2,12 @@
 from flask_jwt_extended import jwt_required
 
 from zou.app.mixin import ArgsMixin
-from zou.app.services import news_service, projects_service, user_service
+from zou.app.services import (
+    news_service,
+    projects_service,
+    user_service,
+    persons_service,
+)
 from zou.app.services.exception import NewsNotFoundException
 from zou.app.utils import permissions
 
@@ -21,6 +26,8 @@ def get_news(self, project_ids=[]):
             before,
         ) = self.get_arguments()
 
+        current_user = persons_service.get_current_user_raw()
+
         after = self.parse_date_parameter(after)
         before = self.parse_date_parameter(before)
         result = news_service.get_last_news_for_project(
@@ -34,6 +41,7 @@ def get_news(self, project_ids=[]):
             page_size=page_size,
             after=after,
             before=before,
+            current_user=current_user,
         )
         stats = news_service.get_news_stats_for_project(
             project_ids=project_ids,
@@ -44,6 +52,7 @@ def get_news(self, project_ids=[]):
             author_id=person_id,
             after=after,
             before=before,
+            current_user=current_user,
         )
         result["stats"] = stats
         return result
diff --git a/zou/app/services/news_service.py b/zou/app/services/news_service.py
index 9b7cd28f14..833cfef89a 100644
--- a/zou/app/services/news_service.py
+++ b/zou/app/services/news_service.py
@@ -96,6 +96,7 @@ def get_last_news_for_project(
     before=None,
     after=None,
     episode_id=None,
+    current_user=None,
 ):
     """
     Return last 50 news for given project. Add related information to make it
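Review bot: The `current_user` value fetched on the added line in the @@ -21 hunk only takes effect in news_service when `project_ids` is empty, so the caller-supplied project ids still decide whether the non-admin team filter runs at all; unless those ids are validated against the user's projects before get_news is reached (its body and callers lie outside the hunk), a non-admin can still query projects they do not belong to. A safer shape is to apply the team restriction in the service regardless of `project_ids`, or to pre-filter `project_ids` here against the user's accessible projects before the two calls updated in the @@ -34 and @@ -44 hunks. The enclosing get_news method starts and ends outside the hunk.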
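Review bot: The new `current_user=None` parameter in the @@ -96 hunk is not described in the docstring that starts two lines below it, and the same omission applies to get_news_stats_for_project at @@ -239. Adding a parameter line such as `current_user: non-admin person whose team membership restricts the returned projects; only applied when project_ids is empty, no restriction when omitted` makes the fail-open default explicit to callers. The docstring and the function body continue past the hunk.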
@@ -120,6 +121,9 @@ def get_last_news_for_project(
 
     if len(project_ids) > 0:
         query = query.filter(Project.id.in_(project_ids))
+    elif current_user is not None:
+        if current_user.role.code != "admin":
+            query = query.filter(Project.team.contains(current_user))
 
     if entity_id is not None:
         query = query.filter(Entity.id == entity_id)
@@ -239,6 +243,7 @@ def get_news_stats_for_project(
     author_id=None,
     before=None,
     after=None,
+    current_user=None,
 ):
     """
     Return the number of news by task status for given project and filters.
@@ -262,6 +267,9 @@ def get_news_stats_for_project(
 
     if len(project_ids) > 0:
         query = query.filter(Project.id.in_(project_ids))
+    elif current_user is not None:
+        if current_user.role.code != "admin":
+            query = query.filter(Project.team.contains(current_user))
 
     if task_status_id is not None:
         query = query.filter(Comment.task_status_id == task_status_id)
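Review bot: The added `elif` in the @@ -120 hunk skips the team restriction whenever `project_ids` is non-empty, and the restriction is also skipped when `current_user` is left at its `None` default, so both paths fall back to an unfiltered query; get_news_stats_for_project at @@ -262 has the same shape. If non-admins should never see news outside their teams, make the check independent of the project filter, e.g. replace the three added lines with `if current_user is not None and current_user.role.code != "admin":` followed by `    query = query.filter(Project.team.contains(current_user))`, and consider rejecting a missing `current_user` instead of treating it like an admin if other callers of these functions exist. The `role.code` and `Project.team` attributes are taken from the hunk and are not verifiable here. get_last_news_for_project starts and ends outside the hunk.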