From a8f1cd26cddea2cdfb46ff9d6ed0d4f60001a673 Mon Sep 17 00:00:00 2001 From: vabene1111 Date: Tue, 18 Jul 2023 10:54:20 +0200 Subject: [PATCH] change guest recipe permission --- cookbook/helper/permission_helper.py | 4 ++-- cookbook/tests/api/test_api_recipe.py | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/cookbook/helper/permission_helper.py b/cookbook/helper/permission_helper.py index 78210152b..d45f3e2fd 100644 --- a/cookbook/helper/permission_helper.py +++ b/cookbook/helper/permission_helper.py @@ -322,7 +322,7 @@ class CustomRecipePermission(permissions.BasePermission): def has_permission(self, request, view): # user is either at least a guest or a share link is given and the request is safe share = request.query_params.get('share', None) - return has_group_permission(request.user, ['guest']) or (share and request.method in SAFE_METHODS and 'pk' in view.kwargs) + return ((has_group_permission(request.user, ['guest']) and request.method in SAFE_METHODS) or has_group_permission(request.user, ['user'])) or (share and request.method in SAFE_METHODS and 'pk' in view.kwargs) def has_object_permission(self, request, view, obj): share = request.query_params.get('share', None) @@ -332,7 +332,7 @@ class CustomRecipePermission(permissions.BasePermission): if obj.private: return ((obj.created_by == request.user) or (request.user in obj.shared.all())) and obj.space == request.space else: - return has_group_permission(request.user, ['guest']) and obj.space == request.space + return ((has_group_permission(request.user, ['guest']) and request.method in SAFE_METHODS) or has_group_permission(request.user, ['user'])) and obj.space == request.space class CustomUserPermission(permissions.BasePermission): diff --git a/cookbook/tests/api/test_api_recipe.py b/cookbook/tests/api/test_api_recipe.py index 3d665a167..fa1838b7a 100644 --- a/cookbook/tests/api/test_api_recipe.py +++ b/cookbook/tests/api/test_api_recipe.py @@ -81,10 +81,10 @@ def test_share_permission(recipe_1_s1, u1_s1, u1_s2, u2_s1, a_u): @pytest.mark.parametrize("arg", [ ['a_u', 403], - ['g1_s1', 200], + ['g1_s1', 403], ['u1_s1', 200], ['a1_s1', 200], - ['g1_s2', 404], + ['g1_s2', 403], ['u1_s2', 404], ['a1_s2', 404], ]) @@ -140,7 +140,7 @@ def test_update_private_recipe(u1_s1, u2_s1, recipe_1_s1): @pytest.mark.parametrize("arg", [ ['a_u', 403], - ['g1_s1', 201], + ['g1_s1', 403], ['u1_s1', 201], ['a1_s1', 201], ])