From 39466285a058e67263c1f9b99e32a2042f02f940 Mon Sep 17 00:00:00 2001
From: Hannah Eslinger
Date: Tue, 31 Oct 2023 16:51:54 -0600
Subject: [PATCH] Add Permissions to TaxlotViewViewSet (#4298)

Co-authored-by: kflemin <2205659+kflemin@users.noreply.github.com>
---
 seed/tests/test_taxlot_views_viewset.py | 27 +++++++++++++++++++++++++
 seed/views/v3/taxlot_views.py | 8 +++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 seed/tests/test_taxlot_views_viewset.py

diff --git a/seed/tests/test_taxlot_views_viewset.py b/seed/tests/test_taxlot_views_viewset.py
new file mode 100644
index 0000000000..0461bb67e6
--- /dev/null
+++ b/seed/tests/test_taxlot_views_viewset.py
@@ -0,0 +1,27 @@
+from django.urls import reverse_lazy
+
+from seed.tests.util import AccessLevelBaseTestCase
+
+
+class TaxlotViewsTests(AccessLevelBaseTestCase):
+ def setUp(self):
+ super().setUp()
+ self.root_taxlot = self.taxlot_factory.get_taxlot(access_level_instance=self.root_level_instance)
+ self.root_view = self.taxlot_view_factory.get_taxlot_view(taxlot=self.root_taxlot)
+
+ self.child_taxlot = self.taxlot_factory.get_taxlot(access_level_instance=self.child_level_instance)
+ self.child_view = self.taxlot_view_factory.get_taxlot_view(taxlot=self.child_taxlot)
+
+ self.cycle = self.cycle_factory.get_cycle()
+
+ def test_taxlot_views_list(self):
+ url = reverse_lazy('api:v3:taxlot_views-list') + f"?organization_id={self.org.id}"
+
+ self.login_as_child_member()
+ resp = self.client.get(url, content_type='application/json')
+ assert len(resp.json()["taxlot_views"]) == 1
+
+ # root member can
+ self.login_as_root_member()
+ resp = self.client.get(url, content_type='application/json')
+ assert len(resp.json()["taxlot_views"]) == 2
diff --git a/seed/views/v3/taxlot_views.py b/seed/views/v3/taxlot_views.py
index ed208c54fc..e6bb27bac9 100644
--- a/seed/views/v3/taxlot_views.py
+++ b/seed/views/v3/taxlot_views.py
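Review bot: Both assertions in `test_taxlot_views_list` (seed/tests/test_taxlot_views_viewset.py) compare only `len(resp.json()["taxlot_views"])`, so the test would still pass if the child member were handed the root-level view instead of its own. As the regression guard for the new access-level filter, it should assert which records come back: compare the returned entries against `self.child_view` for the child login and against both views for the root login. Checking `resp.status_code` first would also keep a permission error from surfacing as a `KeyError`. The comment `# root member can` reads as a leftover fragment; `# root member sees both the root and the child view` states the expectation. `self.cycle` is created in `setUp` but is not used by the one test in this file.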
@@ -9,6 +9,7 @@ from seed.decorators import ajax_request_class from seed.lib.superperms.orgs.decorators import has_perm_class +from seed.lib.superperms.orgs.models import AccessLevelInstance from seed.models import TaxLotView from seed.serializers.taxlots import BriefTaxlotViewSerializer from seed.utils.api import OrgMixin, ProfileIdMixin, api_endpoint_class @@ -23,13 +24,18 @@ def list(self, request): List all the taxlots """ org_id = request.query_params.get('organization_id') + access_level_instance = AccessLevelInstance.objects.get(pk=request.access_level_instance_id) if not org_id: return JsonResponse( {'status': 'error', 'message': 'Need to pass organization_id as query parameter'}, status=status.HTTP_400_BAD_REQUEST) - views = TaxLotView.objects.filter(taxlot__organization_id=org_id) + views = TaxLotView.objects.filter( + taxlot__organization_id=org_id, + taxlot__access_level_instance__lft__gte=access_level_instance.lft, + taxlot__access_level_instance__rgt__lte=access_level_instance.rgt, + ) taxlot = request.query_params.get('taxlot') if taxlot is not None:
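Review bot: In `list`, `AccessLevelInstance.objects.get(pk=request.access_level_instance_id)` runs before the `if not org_id` check, so a request that should get the 400 response still performs the lookup, and an id that does not resolve raises `DoesNotExist` rather than returning a controlled error; moving that line below the early return keeps input validation first. The new filter takes the organization from the `organization_id` query parameter and the `lft`/`rgt` bounds from the request's access level instance, and nothing visible in the hunk ties the two together. Left/right bounds are only meaningful within one tree, so the scoping relies on whatever sets `request.access_level_instance_id` (presumably the permission decorator above `list`, which is outside the hunk) having resolved it for the same organization. A comment above the filter such as `# access_level_instance_id is resolved for the requested org by the permission decorator (confirm); lft/rgt bounds limit results to that instance's subtree` would make the assumption reviewable. The body of `list` continues past the end of the hunk, so the later `taxlot` filtering is not covered here.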