[Backport] Fixing anonymous user requests for notify policies

taiga/projects/notifications/api.py

@@ -45,11 +45,14 @@ class NotifyPolicyViewSet(ModelCrudViewSet):
             Q(owner=self.request.user) |
             Q(memberships__user=self.request.user)
         ).distinct()
+
         for project in projects:
             services.create_notify_policy_if_not_exists(project, self.request.user, NotifyLevel.watch)
 
     def get_queryset(self):
-        self._build_needed_notify_policies()
+        if self.request.user.is_anonymous():
+            return models.NotifyPolicy.objects.none()
 
+        self._build_needed_notify_policies()
         qs = models.NotifyPolicy.objects.filter(user=self.request.user)
         return qs.distinct()

tests/integration/test_notifications.py

@@ -418,3 +418,15 @@ def test_watchers_assignation_for_us(client):
     url = reverse("userstories-list")
     response = client.json.post(url, json.dumps(data))
     assert response.status_code == 400
+
+
+def test_retrieve_notify_policies_by_anonymous_user(client):
+    project = f.ProjectFactory.create()
+
+    policy_model_cls = apps.get_model("notifications", "NotifyPolicy")
+    policy = services.get_notify_policy(project, project.owner)
+
+    url = reverse("notifications-detail", args=[policy.pk])
+    response = client.get(url, content_type="application/json")
+    assert response.status_code == 404, response.status_code
+    assert json.loads(response.content.decode("utf-8"))["_error_message"] == "No NotifyPolicy matches the given query.", response.content