From 9e0c2493f779a8e5d3aed9f5498b5618a1e1b8ad Mon Sep 17 00:00:00 2001
From: Leon Kuchenbecker
Date: Wed, 28 Apr 2021 18:50:13 +0200
Subject: [PATCH] Respect `site_read` role in View Data view. Fixes #355.
---
 datameta/api/ui/view.py | 6 ++++--
 datameta/security/authz.py | 6 +++---
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/datameta/api/ui/view.py b/datameta/api/ui/view.py
index 6692e2fd..9a05a7c7 100644
--- a/datameta/api/ui/view.py
+++ b/datameta/api/ui/view.py
@@ -95,10 +95,12 @@ def post(request: Request):
 and_filters = [
 # This clause joins the EXISTS subquery with the main query
 MetaDataSet.id==MetaDataSetFilter.id,
- # This clause restricts the results to submissions of the user's group
- Submission.group_id == auth_user.group_id
 ]

+ # This clause restricts the results to submissions of the user's group
+ if not authz.view_mset_any(auth_user):
+ and_filters.append(Submission.group_id == auth_user.group_id)
+
 # Additionally, if a search pattern was requested, we create a clause
 # implementing the the search and add it to the AND clause
 if searches:
diff --git a/datameta/security/authz.py b/datameta/security/authz.py
index 8c371916..8f2c523c 100644
--- a/datameta/security/authz.py
+++ b/datameta/security/authz.py
@@ -30,9 +30,6 @@ def has_data_access(user, data_user_id, data_group_id=None, was_submitted=False)
 (not was_submitted and data_user_id and data_user_id == user.id)
 ))

-def view_mset_any(user):
- return user.site_read
-
 def view_apikey(user, target_user):
 return user_is_target(user, target_user)

@@ -78,6 +75,9 @@ def submit_mset(user, mds_obj):
 def delete_mset(user, mdata_set):
 return user.id == mdata_set.user_id

+def view_mset_any(user):
+ return user.site_read
+
 def view_mset(user, mds_obj):
 was_submitted = bool(mds_obj.submission_id is not None)
 group_id = mds_obj.submission.group_id if was_submitted else None
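Review bot: For a `site_read` user, `and_filters` in the view.py hunk no longer mentions `Submission` at all, so whether the listing stays limited to submitted records now rests entirely on how the rest of `post` joins `Submission`, which lies outside this hunk. The `has_data_access` fragment visible in authz.py suggests unsubmitted records are meant to be readable only by their owner, so if that join is not a strict inner join I would keep an explicit guard outside the `if`, e.g. `and_filters.append(MetaDataSet.submission_id.isnot(None))` (attribute name assumed from `mds_obj.submission_id`; confirm against the model). The moved comment should also say that the restriction is skipped for site-wide readers, e.g. `# Restrict to the user's own group unless the user holds site_read`. A regression test asserting that a user without `site_read` still sees only their own group's submissions would pin this branch.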
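Review bot: `view_mset_any`, re-added in the second authz.py hunk, now decides whether the group filter in the View Data query is skipped, yet it has no docstring and returns the raw `user.site_read` attribute. A falsy or unset value keeps the caller's `if not authz.view_mset_any(auth_user)` restrictive, which is the safe direction. A one-line docstring such as `"""Return True if the user may read metadatasets of every group (site_read)."""` would record that contract, and `return bool(user.site_read)` would make the return type explicit.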