Handle permissions in doc count annotation

2024-10-03 22:46:42 -07:00 · 2024-10-03 22:46:42 -07:00 · 2cb1e66965
commit 2cb1e66965
parent 41ab5a58c3
2 changed files with 64 additions and 0 deletions
--- a/src/documents/tests/test_api_custom_fields.py
+++ b/src/documents/tests/test_api_custom_fields.py
@ -1,6 +1,7 @@
 import json
 from datetime import date

+from django.contrib.auth.models import Permission
 from django.contrib.auth.models import User
 from rest_framework import status
 from rest_framework.test import APITestCase
@ -933,3 +934,51 @@ class TestCustomFieldsAPI(DirectoriesMixin, APITestCase):
        results = response.data["results"]
        self.assertEqual(len(results), 1)
        self.assertEqual(results[0]["name"], custom_field_int.name)
+
+    def test_custom_fields_document_count(self):
+        custom_field_string = CustomField.objects.create(
+            name="Test Custom Field String",
+            data_type=CustomField.FieldDataType.STRING,
+        )
+        doc = Document.objects.create(
+            title="WOW",
+            content="the content",
+            checksum="123",
+            mime_type="application/pdf",
+            owner=self.user,
+        )
+
+        response = self.client.get(
+            f"{self.ENDPOINT}",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        results = response.data["results"]
+        self.assertEqual(results[0]["document_count"], 0)
+
+        CustomFieldInstance.objects.create(
+            document=doc,
+            field=custom_field_string,
+            value_text="test value",
+        )
+
+        response = self.client.get(
+            f"{self.ENDPOINT}",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        results = response.data["results"]
+        self.assertEqual(results[0]["document_count"], 1)
+
+        # Test as user without access to the document
+        non_superuser = User.objects.create_user(username="non_superuser")
+        non_superuser.user_permissions.add(
+            *Permission.objects.all(),
+        )
+        non_superuser.save()
+        self.client.force_authenticate(user=non_superuser)
+        self.client.force_login(user=non_superuser)
+        response = self.client.get(
+            f"{self.ENDPOINT}",
+        )
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        results = response.data["results"]
+        self.assertEqual(results[0]["document_count"], 0)
--- a/src/documents/views.py
+++ b/src/documents/views.py
@ -1898,12 +1898,27 @@ class CustomFieldViewSet(ModelViewSet):
    queryset = CustomField.objects.all().order_by("-created")

    def get_queryset(self):
+        filter = (
+            Q(fields__document__deleted_at__isnull=True)
+            if self.request.user is None or self.request.user.is_superuser
+            else (
+                Q(
+                    fields__document__deleted_at__isnull=True,
+                    fields__document__id__in=get_objects_for_user_owner_aware(
+                        self.request.user,
+                        "documents.view_document",
+                        Document,
+                    ).values_list("id", flat=True),
+                )
+            )
+        )
        return (
            super()
            .get_queryset()
            .annotate(
                document_count=Count(
                    "fields",
+                    filter=filter,
                ),
            )
        )