From e29e9a82bb8c5a5bfadf3383a5fd3013ef86d737 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herv=C3=A9=20M=C3=A9nager?= <herve.menager@pasteur.fr>
Date: Mon, 23 Dec 2019 16:10:59 +0100
Subject: [PATCH] first approach at filtering viewed compounds based on
 permissions

WIP on #68
---
 ippisite/ippidb/views/compound_query.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/ippisite/ippidb/views/compound_query.py b/ippisite/ippidb/views/compound_query.py
index 12c8b66e..b49ebac4 100644
--- a/ippisite/ippidb/views/compound_query.py
+++ b/ippisite/ippidb/views/compound_query.py
@@ -564,6 +564,16 @@ class CompoundListView(ListView):
         self.filter_context = {}
         # get queryset
         qs = super().get_queryset()
+        # compounds can be accessed only if they are validated or
+        # if the current user is an admin OR their contributor
+        current_user = self.request.user
+        if current_user.is_anonymous:
+            qs = qs.exclude(compoundaction__ppi__contribution__validated=False)
+        elif not current_user.is_superuser:
+            qs = qs.exclude(
+                Q(compoundaction__ppi__contribution__validated=False),
+                ~Q(compoundaction__ppi__contribution__contributor=current_user),
+            )
         # add filters
         self.filter_context[
             "disabled"
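Review bot: The two-condition `exclude(Q(...validated=False), ~Q(...contributor=current_user))` in the non-superuser branch may not mean "unvalidated and not mine". Django documents that conditions in a single `exclude()` spanning a multi-valued relation are not guaranteed to apply to the same related row. If a compound can be linked to more than one contribution (the `compoundaction__ppi__contribution` path suggests this, but the models are outside the patch), a user's own contribution could expose a compound that is also tied to someone else's unvalidated one, or hide one that should be visible. It is safer to select the contributions the user must not see first and exclude on that set with one lookup, `qs.exclude(compoundaction__ppi__contribution__in=hidden)`, where `hidden` is the contribution queryset filtered on `validated=False` and excluding `contributor=current_user`. `get_queryset` starts and continues outside this hunk, and the restriction is added only to this list view, so any detail or export view that loads compounds by id would presumably need the same filter.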
-- 
GitLab