Fix visibility of non-public plans in section list

2022-06-20 11:18:38 +02:00 · 2022-06-20 11:18:38 +02:00 · 5e43d627d7
commit 5e43d627d7
parent 07d562f2d8
4 changed files with 25 additions and 21 deletions
--- a/froide_govplan/admin.py
+++ b/froide_govplan/admin.py
@ -13,6 +13,7 @@ from froide.helper.widgets import TagAutocompleteWidget
 from froide.organization.models import Organization

 from .api_views import GovernmentPlanViewSet
+from .auth import get_allowed_plans, has_limited_access
 from .forms import (
    GovernmentPlanForm,
    GovernmentPlanUpdateAcceptProposalForm,
@ -53,19 +54,6 @@ class GovernmentAdmin(admin.ModelAdmin):
    list_filter = ("public",)


-def has_limited_access(user):
-    if not user.is_authenticated:
-        return True
-    return not user.has_perm("froide_govplan.add_governmentplan")
-
-
-def get_allowed_plans(request):
-    if not has_limited_access(request.user):
-        return GovernmentPlan.objects.all()
-    groups = request.user.groups.all()
-    return GovernmentPlan.objects.filter(group__in=groups).distinct()
-
-
 def execute_assign_organization(admin, request, queryset, action_obj):
    queryset.update(organization=action_obj)

--- a/froide_govplan/auth.py
+++ b/froide_govplan/auth.py
@ -0,0 +1,14 @@
+from .models import GovernmentPlan
+
+
+def has_limited_access(user):
+    if not user.is_authenticated:
+        return True
+    return not user.has_perm("froide_govplan.add_governmentplan")
+
+
+def get_allowed_plans(request):
+    if not has_limited_access(request.user):
+        return GovernmentPlan.objects.all()
+    groups = request.user.groups.all()
+    return GovernmentPlan.objects.filter(group__in=groups).distinct()
--- a/froide_govplan/models.py
+++ b/froide_govplan/models.py
@ -427,14 +427,14 @@ class GovernmentPlanSection(models.Model):
    def get_absolute_domain_url(self):
        return settings.SITE_URL + self.get_absolute_url()

-    def get_plans(self):
-        return (
-            GovernmentPlan.objects.filter(
+    def get_plans(self, queryset=None):
+        if queryset is None:
+            queryset = GovernmentPlan.objects.filter(public=True)
+
+        queryset = queryset.filter(
            categories__in=self.categories.all(), government_id=self.government_id
        )
-            .distinct()
-            .order_by("title")
-        )
+        return queryset.distinct().order_by("title")


 if CMSPlugin:
--- a/froide_govplan/views.py
+++ b/froide_govplan/views.py
@ -4,6 +4,7 @@ from django.shortcuts import get_object_or_404, redirect, render
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import DetailView, UpdateView

+from .auth import get_allowed_plans
 from .forms import GovernmentPlanUpdateProposalForm
 from .models import Government, GovernmentPlan, GovernmentPlanSection

@ -33,7 +34,8 @@ class GovPlanSectionDetailView(GovernmentMixin, DetailView):

    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
-        context["plans"] = context["object"].get_plans()
+        queryset = get_allowed_plans(self.request)
+        context["plans"] = context["object"].get_plans(queryset=queryset)
        return context