first approach at filtering viewed compounds based on permissions

WIP on #68

ippisite/ippidb/views/compound_query.py

@@ -564,6 +564,16 @@ class CompoundListView(ListView):
         self.filter_context = {}
         # get queryset
         qs = super().get_queryset()
+        # compounds can be accessed only if they are validated or
+        # if the current user is an admin OR their contributor
+        current_user = self.request.user
+        if current_user.is_anonymous:
+            qs = qs.exclude(compoundaction__ppi__contribution__validated=False)
+        elif not current_user.is_superuser:
+            qs = qs.exclude(
+                Q(compoundaction__ppi__contribution__validated=False),
+                ~Q(compoundaction__ppi__contribution__contributor=current_user),
+            )
         # add filters
         self.filter_context[
             "disabled"