diff --git a/taiga/users/api.py b/taiga/users/api.py
index 93eef318..487229d4 100644
--- a/taiga/users/api.py
+++ b/taiga/users/api.py
@@ -93,12 +93,11 @@ class UsersViewSet(ModelCrudViewSet):
 
     @detail_route(methods=["GET"])
     def contacts(self, request, *args, **kwargs):
-        user = self.get_object()
+        user = get_object_or_404(models.User, **kwargs)
         self.check_permissions(request, 'contacts', user)
 
-        self.object_list = user_filters.ContactsFilterBackend().filter_queryset(request,
-                                                                                self.get_queryset(),
-                                                                                self)
+        self.object_list = user_filters.ContactsFilterBackend().filter_queryset(
+            user, request, self.get_queryset(), self)
 
         page = self.paginate_queryset(self.object_list)
         if page is not None:
@@ -109,8 +108,8 @@ class UsersViewSet(ModelCrudViewSet):
         return response.Ok(serializer.data)
 
     @detail_route(methods=["GET"])
-    def stats(self, request, pk=None):
-        user = self.get_object()
+    def stats(self, request, *args, **kwargs):
+        user = get_object_or_404(models.User, **kwargs)
         self.check_permissions(request, "stats", user)
         return response.Ok(services.get_stats_for_user(user))
 
diff --git a/taiga/users/filters.py b/taiga/users/filters.py
index b2f46a83..5e7ceb92 100644
--- a/taiga/users/filters.py
+++ b/taiga/users/filters.py
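Review bot: Looking the target up with `get_object_or_404(models.User, **kwargs)` instead of `self.get_object()` bypasses whatever queryset filtering the viewset's object lookup applied (presumably the reason the old anonymous request got a 404), so whether a given user id exists is now answered by 200-vs-404 to any caller, authenticated or not; the accompanying test change (anonymous: 404 → 200 with an empty list) makes that oracle explicit. If disclosing which user ids exist is acceptable for this API, record that decision in a comment above the lookup, e.g. `# Target user is looked up unfiltered on purpose: visibility is enforced by ContactsFilterBackend, existence of the id is not secret`; otherwise keep the permission-filtered lookup and let the filter backend return an empty list. Independently, `**kwargs` forwards every URL keyword straight into the ORM lookup; restrict it to the one the route supplies, `user = get_object_or_404(models.User, pk=kwargs["pk"])`, in both `contacts` and `stats`. The body of `contacts` continues past the end of the first hunk.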
@@ -22,25 +22,23 @@ from taiga.base.filters import PermissionBasedFilterBackend
 class ContactsFilterBackend(PermissionBasedFilterBackend):
     permission = "view_project"
 
-    def filter_queryset(self, request, queryset, view):
+    def filter_queryset(self, user, request, queryset, view):
         qs = queryset.filter(is_active=True)
+        Membership = apps.get_model('projects', 'Membership')
+        memberships_qs = Membership.objects.filter(user=user)
 
         # Authenticated
         if request.user.is_authenticated():
             # if super user we don't need to filter anything
             if not request.user.is_superuser:
-                Membership = apps.get_model('projects', 'Membership')
-                memberships_qs = Membership.objects.filter(user=request.user)
                 memberships_qs = memberships_qs.filter(Q(role__permissions__contains=[self.permission]) |
                                                        Q(is_owner=True))
-                projects_list = [membership.project_id for membership in memberships_qs]
-                qs = qs.filter(memberships__project_id__in=projects_list)
-
-            qs = qs.exclude(id=request.user.id)
-
         # Anonymous
         else:
-            qs = qs.filter(memberships__project__anon_permissions__contains=[self.permission])
+            memberships_qs = memberships_qs.filter(project__anon_permissions__contains=[self.permission])
+        projects_list = [membership.project_id for membership in memberships_qs]
+        qs = qs.filter(memberships__project_id__in=projects_list)
+        qs = qs.exclude(id=user.id)
 
         return qs.distinct()
 
diff --git a/tests/integration/test_users.py b/tests/integration/test_users.py
index 4e42968b..4682d5a2 100644
--- a/tests/integration/test_users.py
+++ b/tests/integration/test_users.py
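Review bot: For an authenticated, non-superuser requester the rewritten filter never consults `request.user`: `memberships_qs` is built from the target's memberships (`Membership.objects.filter(user=user)`) and narrowed only by the target's own role permissions or ownership, so any logged-in account can list the members of every private project the target user can view, whether or not the requester belongs to those projects. The removed lines keyed the same filter on `request.user`, so this is a regression unless the caller's `check_permissions(request, 'contacts', user)` limits the endpoint to the target themselves, which is not visible in this diff. Intersect with the requester's own visibility inside the `if not request.user.is_superuser:` branch, e.g. `visible = Membership.objects.filter(user=request.user).filter(Q(role__permissions__contains=[self.permission]) | Q(is_owner=True)).values_list("project_id", flat=True)` followed by `memberships_qs = memberships_qs.filter(project_id__in=visible)`, and add a comment stating that the result is "members of the target's projects that the requester may also see". While here, `projects_list = [...]` materialises the membership rows only to take ids; `memberships_qs.values_list("project_id", flat=True)` does the same as a subquery.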
@@ -189,12 +189,13 @@ def test_list_contacts_private_projects(client):
 
     url = reverse('users-contacts', kwargs={"pk": user_1.pk})
     response = client.get(url, content_type="application/json")
-    assert response.status_code == 404
+    assert response.status_code == 200
+    response_content = json.loads(response.content.decode("utf-8"))
+    assert len(response_content) == 0
 
     client.login(user_1)
     response = client.get(url, content_type="application/json")
     assert response.status_code == 200
-    response_content = json.loads(response.content.decode("utf-8"))
     assert len(response_content) == 1
     assert response_content[0]["id"] == user_2.id
 
@@ -234,6 +235,5 @@ def test_list_contacts_public_projects(client):
     assert response.status_code == 200
     response_content = json.loads(response.content.decode("utf-8"))
-    assert len(response_content) == 2
-    assert response_content[0]["id"] == user_1.id
-    assert response_content[1]["id"] == user_2.id
+    assert len(response_content) == 1
+    assert response_content[0]["id"] == user_2.id
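Review bot: The private-project test now exercises only an anonymous request and the target user's own request, so the case the rewritten filter can get wrong — an authenticated requester who is not a member of user_1's private project — has no coverage at all. After the existing assertions, log in as a user outside the project (a third fixture user, if the setup above the hunk does not already create one), repeat `response = client.get(url, content_type="application/json")`, and assert `len(json.loads(response.content.decode("utf-8"))) == 0`. The anonymous half should also carry a one-line comment, e.g. `# anonymous callers get 200 + [] for an existing user id, not 404`, since that status change is an intentional disclosure introduced by the api.py change in this commit. The test function starts before the first hunk.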