From dfd12889857ad6cdefc74dd6d63039e2ef3131b7 Mon Sep 17 00:00:00 2001
From: Valentin Rigal <rigal@teklia.com>
Date: Tue, 15 Dec 2020 12:38:36 +0100
Subject: [PATCH] Correct handling of special authentications in the mixin

---
 arkindex/project/mixins.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/arkindex/project/mixins.py b/arkindex/project/mixins.py
index cda2c95e87..12f0c472cc 100644
--- a/arkindex/project/mixins.py
+++ b/arkindex/project/mixins.py
@@ -51,13 +51,18 @@ class ACLMixin(object):
         self._check_level(level)
         include_public = level <= Role.Guest.value and self._has_public_field(model)
 
-        # Handle specific cases (i.e. admin or anonymous user)
-        if self.user.is_admin or self.user.is_internal:
-            return model.objects.all().annotate(max_level=Value(Role.Admin.value))
-        elif self.user.is_anonymous:
+        # Handle special authentications
+        if self.user.is_anonymous:
+            # Anonymous users have Guest access on public instances only
             if not include_public:
                 return model.objects.none()
-            return self.get_public_instances(model, Role.Guest.value)
+            return self.get_public_instances(model, Role.Guest.value) \
+                .order_by(*self.mixin_order_by_fields, 'id')
+        elif self.user.is_admin or self.user.is_internal:
+            # Superusers have an Admin access to all corpora
+            return model.objects.all() \
+                .annotate(max_level=Value(Role.Admin.value, IntegerField())) \
+                .order_by(*self.mixin_order_by_fields, 'id')
 
         # Filter users rights and annotate the resulting level for those rights
         queryset = model.objects \
-- 
GitLab