Fixing contacts API

taiga/users/api.py

@@ -93,12 +93,11 @@ class UsersViewSet(ModelCrudViewSet):
 
     @detail_route(methods=["GET"])
     def contacts(self, request, *args, **kwargs):
-        user = self.get_object()
+        user = get_object_or_404(models.User, **kwargs)
         self.check_permissions(request, 'contacts', user)
 
-        self.object_list = user_filters.ContactsFilterBackend().filter_queryset(request,
+        self.object_list = user_filters.ContactsFilterBackend().filter_queryset(
-                                                                  self.get_queryset(),
+            user, request, self.get_queryset(), self)
-                                                                  self)
 
         page = self.paginate_queryset(self.object_list)
         if page is not None:
@@ -109,8 +108,8 @@ class UsersViewSet(ModelCrudViewSet):
         return response.Ok(serializer.data)
 
     @detail_route(methods=["GET"])
-    def stats(self, request, pk=None):
+    def stats(self, request, *args, **kwargs):
-        user = self.get_object()
+        user = get_object_or_404(models.User, **kwargs)
         self.check_permissions(request, "stats", user)
         return response.Ok(services.get_stats_for_user(user))
 

taiga/users/filters.py

@@ -22,25 +22,23 @@ from taiga.base.filters import PermissionBasedFilterBackend
 class ContactsFilterBackend(PermissionBasedFilterBackend):
     permission = "view_project"
 
-    def filter_queryset(self, request, queryset, view):
+    def filter_queryset(self, user, request, queryset, view):
         qs = queryset.filter(is_active=True)
+        Membership = apps.get_model('projects', 'Membership')
+        memberships_qs = Membership.objects.filter(user=user)
 
         # Authenticated
         if request.user.is_authenticated():
             # if super user we don't need to filter anything
             if not request.user.is_superuser:
-                Membership = apps.get_model('projects', 'Membership')
-                memberships_qs = Membership.objects.filter(user=request.user)
                 memberships_qs = memberships_qs.filter(Q(role__permissions__contains=[self.permission]) |
                                                        Q(is_owner=True))
 
-                projects_list = [membership.project_id for membership in memberships_qs]
-                qs = qs.filter(memberships__project_id__in=projects_list)
-
-            qs = qs.exclude(id=request.user.id)
-
         # Anonymous
         else:
-            qs = qs.filter(memberships__project__anon_permissions__contains=[self.permission])
+            memberships_qs = memberships_qs.filter(project__anon_permissions__contains=[self.permission])
 
+        projects_list = [membership.project_id for membership in memberships_qs]
+        qs = qs.filter(memberships__project_id__in=projects_list)
+        qs = qs.exclude(id=user.id)
         return qs.distinct()

tests/integration/test_users.py

@@ -189,12 +189,13 @@ def test_list_contacts_private_projects(client):
 
     url = reverse('users-contacts', kwargs={"pk": user_1.pk})
     response = client.get(url, content_type="application/json")
-    assert response.status_code == 404
+    assert response.status_code == 200
+    response_content = json.loads(response.content.decode("utf-8"))
+    assert len(response_content) == 0
 
     client.login(user_1)
     response = client.get(url, content_type="application/json")
     assert response.status_code == 200
-
     response_content = json.loads(response.content.decode("utf-8"))
     assert len(response_content) == 1
     assert response_content[0]["id"] == user_2.id
@@ -234,6 +235,5 @@ def test_list_contacts_public_projects(client):
     assert response.status_code == 200
 
     response_content = json.loads(response.content.decode("utf-8"))
-    assert len(response_content) == 2
+    assert len(response_content) == 1
-    assert response_content[0]["id"] == user_1.id
+    assert response_content[0]["id"] == user_2.id
-    assert response_content[1]["id"] == user_2.id