Merge branch 'neighbors-acl' into 'master'

Add ACL check on ElementNeighbors endpoint Closes #159 See merge request !1281

Merge branch 'neighbors-acl' into 'master'
162ea457 · Bastien Abadie · 1359d819 · 5d76f35a · 162ea457 · 162ea457
Commit 162ea457 authored 4 years ago by Bastien Abadie
--- a/arkindex/documents/api/elements.py
+++ b/arkindex/documents/api/elements.py
@@ -674,9 +674,11 @@ class ElementRetrieve(ACLMixin, RetrieveUpdateDestroyAPIView):
        ],
    )
 )
-class ElementNeighbors(ListAPIView):
+class ElementNeighbors(ACLMixin, ListAPIView):
    """
-    List neighboring elements
+    List neighboring elements.
+
+    Requires a **read** access to the element's corpus.
    """
    serializer_class = ElementNeighborsSerializer
    # For OpenAPI type discovery
@@ -691,10 +693,14 @@ class ElementNeighbors(ListAPIView):
        if not 1 <= n <= 10:
            raise ValidationError({'n': 'Should be an integer between 1 and 10'})

-        try:
-            element = Element.objects.get(id=self.kwargs['pk'])
-        except Element.DoesNotExist:
-            raise NotFound
+        element = get_object_or_404(
+            Element.objects.select_related('corpus'),
+            id=self.kwargs['pk']
+        )
+
+        # Check access permission
+        if not self.has_access(element.corpus, Role.Guest.value):
+            raise PermissionDenied(detail='You do not have a read access to this element.')

        return Element.objects.get_neighbors(element, n)


--- a/arkindex/documents/tests/test_neighbors.py
+++ b/arkindex/documents/tests/test_neighbors.py
@@ -2,7 +2,7 @@ from django.db.models import F
 from django.urls import reverse
 from rest_framework import status

-from arkindex.documents.models import Element, ElementPath
+from arkindex.documents.models import Corpus, Element, ElementPath
 from arkindex.project.tests import FixtureAPITestCase
 from arkindex.project.tools import build_tree

@@ -15,7 +15,31 @@ class TestElementNeighbors(FixtureAPITestCase):
        cls.volume_type = cls.corpus.types.get(slug='volume')
        cls.page_type = cls.corpus.types.get(slug='page')

+    def test_element_neighbors_acl(self):
+        """
+        A Guest access is required to list neighbors of an element
+        """
+        private_corpus = Corpus.objects.create(name="Private", public=False)
+        private_type = private_corpus.types.create(slug="folder")
+        elements = build_tree(
+            {
+                'B': 'A',
+                'C': 'A',
+                'D': 'A',
+            },
+            corpus=private_corpus,
+            type=private_type,
+        )
+        self.client.force_login(self.user)
+        with self.assertNumQueries(6):
+            response = self.client.get(reverse('api:elements-neighbors', kwargs={'pk': str(elements['A'].id)}))
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertDictEqual(response.json(), {'detail': 'You do not have a read access to this element.'})
+
    def test_element_neighbors(self):
+        """
+        A non authenticated user is able to list neighbors of a public element
+        """
        elements = build_tree(
            {
                'Y': 'Z',