diff --git a/taiga/base/filters.py b/taiga/base/filters.py index 5b487496..f7ea91bb 100644 --- a/taiga/base/filters.py +++ b/taiga/base/filters.py @@ -212,7 +212,7 @@ class CanViewProjectObjFilterBackend(FilterBackend): qs = qs.filter((Q(id__in=projects_list) | Q(public_permissions__contains=["view_project"]))) else: - qs = qs.filter(public_permissions__contains=["view_project"]) + qs = qs.filter(anon_permissions__contains=["view_project"]) return super().filter_queryset(request, qs.distinct(), view) @@ -229,22 +229,49 @@ class IsProjectMemberFilterBackend(FilterBackend): return super().filter_queryset(request, queryset.distinct(), view) -class MembersFilterBackend(filters.BaseFilterBackend): +class MembersFilterBackend(PermissionBasedFilterBackend): + permission = "view_project" + def filter_queryset(self, request, queryset, view): - project_id = request.QUERY_PARAMS.get('project', None) + project_id = None + project = None + qs = queryset + if "project" in request.QUERY_PARAMS: + try: + project_id = int(request.QUERY_PARAMS["project"]) + except: + logger.error("Filtering project diferent value than an integer: {}".format(request.QUERY_PARAMS["project"])) + raise exc.BadRequest("'project' must be an integer value.") + if project_id: - project_model = apps.get_model('projects', 'Project') - project = get_object_or_404(project_model, pk=project_id) - if (request.user.is_authenticated() and - project.memberships.filter(user=request.user).exists()): - return queryset.filter(memberships__project=project).distinct() - else: - raise exc.PermissionDenied(_("You don't have permisions to see this project users.")) + Project = apps.get_model('projects', 'Project') + project = get_object_or_404(Project, pk=project_id) - if request.user.is_superuser: - return queryset + if request.user.is_authenticated() and request.user.is_superuser: + qs = qs + elif request.user.is_authenticated(): + memberships_qs = Membership.objects.filter(user=request.user) + if project_id: + memberships_qs = memberships_qs.filter(project_id=project_id) + memberships_qs = memberships_qs.filter(Q(role__permissions__contains=[self.permission]) | + Q(is_owner=True)) - return [] + projects_list = [membership.project_id for membership in memberships_qs] + + if project and not "view_project" in project.public_permissions: + qs = qs.none() + + qs = qs.filter(Q(memberships__project_id__in=projects_list) | + Q(memberships__project__public_permissions__contains=[self.permission])| + Q(id=request.user.id)) + + else: + if project and not "view_project" in project.anon_permissions: + qs = qs.none() + + qs = qs.filter(memberships__project__anon_permissions__contains=[self.permission]) + + return qs.distinct() class BaseIsProjectAdminFilterBackend(object): diff --git a/taiga/projects/permissions.py b/taiga/projects/permissions.py index 5fa9180b..fc9ef228 100644 --- a/taiga/projects/permissions.py +++ b/taiga/projects/permissions.py @@ -52,12 +52,12 @@ class ProjectPermission(TaigaResourcePermission): destroy_perms = IsProjectOwner() modules_perms = IsProjectOwner() list_perms = AllowAny() - stats_perms = AllowAny() + stats_perms = HasProjectPerm('view_project') member_stats_perms = HasProjectPerm('view_project') star_perms = IsAuthenticated() unstar_perms = IsAuthenticated() - issues_stats_perms = AllowAny() - issues_filters_data_perms = AllowAny() + issues_stats_perms = HasProjectPerm('view_project') + issues_filters_data_perms = HasProjectPerm('view_project') tags_perms = HasProjectPerm('view_project') tags_colors_perms = HasProjectPerm('view_project') fans_perms = HasProjectPerm('view_project') diff --git a/taiga/users/api.py b/taiga/users/api.py index 547e99c6..b582ac20 100644 --- a/taiga/users/api.py +++ b/taiga/users/api.py @@ -30,6 +30,7 @@ from taiga.auth.tokens import get_user_for_token from taiga.base.decorators import list_route from taiga.base.decorators import detail_route from taiga.base.api import ModelCrudViewSet +from taiga.base.filters import PermissionBasedFilterBackend from taiga.base.api.utils import get_object_or_404 from taiga.base.filters import MembersFilterBackend from taiga.projects.votes import services as votes_service @@ -46,14 +47,11 @@ from . import permissions from .signals import user_cancel_account as user_cancel_account_signal -###################################################### -## User -###################################################### - class UsersViewSet(ModelCrudViewSet): permission_classes = (permissions.UserPermission,) serializer_class = serializers.UserSerializer queryset = models.User.objects.all() + filter_backends = (MembersFilterBackend,) def create(self, *args, **kwargs): raise exc.NotSupported() diff --git a/tests/integration/resources_permissions/test_users_resources.py b/tests/integration/resources_permissions/test_users_resources.py index 0d9bf536..f20eaab4 100644 --- a/tests/integration/resources_permissions/test_users_resources.py +++ b/tests/integration/resources_permissions/test_users_resources.py @@ -86,7 +86,7 @@ def test_user_delete(client, data): ] results = helper_test_http_method(client, 'delete', url, None, users) - assert results == [401, 403, 204] + assert results == [404, 404, 204] def test_user_list(client, data): @@ -101,14 +101,14 @@ def test_user_list(client, data): response = client.get(url) users_data = json.loads(response.content.decode('utf-8')) - assert len(users_data) == 0 + assert len(users_data) == 1 assert response.status_code == 200 client.login(data.other_user) response = client.get(url) users_data = json.loads(response.content.decode('utf-8')) - assert len(users_data) == 0 + assert len(users_data) == 1 assert response.status_code == 200 client.login(data.superuser) @@ -146,7 +146,7 @@ def test_user_patch(client, data): patch_data = json.dumps({"full_name": "test"}) results = helper_test_http_method(client, 'patch', url, patch_data, users) - assert results == [401, 200, 403, 200] + assert results == [404, 200, 404, 200] def test_user_action_change_password(client, data):