Handle permissions in doc count annotation
parent
41ab5a58c3
commit
2cb1e66965
@ -1,6 +1,7 @@
|
|||||||
import json
|
import json
|
||||||
from datetime import date
|
from datetime import date
|
||||||
|
|
||||||
|
from django.contrib.auth.models import Permission
|
||||||
from django.contrib.auth.models import User
|
from django.contrib.auth.models import User
|
||||||
from rest_framework import status
|
from rest_framework import status
|
||||||
from rest_framework.test import APITestCase
|
from rest_framework.test import APITestCase
|
||||||
@ -933,3 +934,51 @@ class TestCustomFieldsAPI(DirectoriesMixin, APITestCase):
|
|||||||
results = response.data["results"]
|
results = response.data["results"]
|
||||||
self.assertEqual(len(results), 1)
|
self.assertEqual(len(results), 1)
|
||||||
self.assertEqual(results[0]["name"], custom_field_int.name)
|
self.assertEqual(results[0]["name"], custom_field_int.name)
|
||||||
|
|
||||||
|
def test_custom_fields_document_count(self):
|
||||||
|
custom_field_string = CustomField.objects.create(
|
||||||
|
name="Test Custom Field String",
|
||||||
|
data_type=CustomField.FieldDataType.STRING,
|
||||||
|
)
|
||||||
|
doc = Document.objects.create(
|
||||||
|
title="WOW",
|
||||||
|
content="the content",
|
||||||
|
checksum="123",
|
||||||
|
mime_type="application/pdf",
|
||||||
|
owner=self.user,
|
||||||
|
)
|
||||||
|
|
||||||
|
response = self.client.get(
|
||||||
|
f"{self.ENDPOINT}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
results = response.data["results"]
|
||||||
|
self.assertEqual(results[0]["document_count"], 0)
|
||||||
|
|
||||||
|
CustomFieldInstance.objects.create(
|
||||||
|
document=doc,
|
||||||
|
field=custom_field_string,
|
||||||
|
value_text="test value",
|
||||||
|
)
|
||||||
|
|
||||||
|
response = self.client.get(
|
||||||
|
f"{self.ENDPOINT}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
results = response.data["results"]
|
||||||
|
self.assertEqual(results[0]["document_count"], 1)
|
||||||
|
|
||||||
|
# Test as user without access to the document
|
||||||
|
non_superuser = User.objects.create_user(username="non_superuser")
|
||||||
|
non_superuser.user_permissions.add(
|
||||||
|
*Permission.objects.all(),
|
||||||
|
)
|
||||||
|
non_superuser.save()
|
||||||
|
self.client.force_authenticate(user=non_superuser)
|
||||||
|
self.client.force_login(user=non_superuser)
|
||||||
|
response = self.client.get(
|
||||||
|
f"{self.ENDPOINT}",
|
||||||
|
)
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
|
results = response.data["results"]
|
||||||
|
self.assertEqual(results[0]["document_count"], 0)
|
||||||
|
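Review bot: The new `test_custom_fields_document_count` exercises only the denial path for a non-superuser, so an annotation that returned 0 for every non-superuser would still pass. After the last assertion I would add the positive case: `doc.owner = non_superuser` and `doc.save()`, then repeat the GET and assert `document_count` is 1 (this presumes the owner-aware lookup treats owners as viewers, as the first half of the test implies). `force_login` and `non_superuser.save()` look redundant next to `force_authenticate` and `user_permissions.add`. Indexing `results[0]` also assumes this field is the first result, so picking the entry by `name` would be sturdier. The enclosing test class starts outside the hunk.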
@ -1898,12 +1898,27 @@ class CustomFieldViewSet(ModelViewSet):
|
|||||||
queryset = CustomField.objects.all().order_by("-created")
|
queryset = CustomField.objects.all().order_by("-created")
|
||||||
|
|
||||||
def get_queryset(self):
|
def get_queryset(self):
|
||||||
|
filter = (
|
||||||
|
Q(fields__document__deleted_at__isnull=True)
|
||||||
|
if self.request.user is None or self.request.user.is_superuser
|
||||||
|
else (
|
||||||
|
Q(
|
||||||
|
fields__document__deleted_at__isnull=True,
|
||||||
|
fields__document__id__in=get_objects_for_user_owner_aware(
|
||||||
|
self.request.user,
|
||||||
|
"documents.view_document",
|
||||||
|
Document,
|
||||||
|
).values_list("id", flat=True),
|
||||||
|
)
|
||||||
|
)
|
||||||
|
)
|
||||||
return (
|
return (
|
||||||
super()
|
super()
|
||||||
.get_queryset()
|
.get_queryset()
|
||||||
.annotate(
|
.annotate(
|
||||||
document_count=Count(
|
document_count=Count(
|
||||||
"fields",
|
"fields",
|
||||||
|
filter=filter,
|
||||||
),
|
),
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
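Review bot: The `self.request.user is None` arm of the conditional in `get_queryset` fails open, because a request with no user gets the same unrestricted count as a superuser. Whether that state is reachable depends on authentication settings not visible here, but the safer default is to allow the unrestricted filter only on `if self.request.user is not None and self.request.user.is_superuser` and give the no-user case its own branch that counts nothing. A short comment such as `# document_count must only include documents the requesting user may view` above the conditional would record why the filter exists. The local name `filter` also shadows the builtin; `document_count_filter` would read better.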