Allow superuser to view all dref

Author: k9845

dref/test_views.py

@@ -446,7 +446,7 @@ def test_dref_is_published(self):
         )
         url = f'/api/v2/dref/{dref.id}/'
         data = {
-            "title" : "New Update Title"
+            "title": "New Update Title"
         }
         self.client.force_authenticate(self.user)
         response = self.client.patch(url, data)
@@ -795,3 +795,55 @@ def test_dref_for_assessment_report(self):
         response = self.client.post(url, data)
         self.assertEqual(response.status_code, 201)
         self.assertEqual(Dref.objects.count(), old_count + 1)
+
+    def test_dref_for_super_user(self):
+        user1 = UserFactory.create(
+            username='[email protected]',
+            first_name='Test',
+            last_name='User1',
+            password='admin123',
+            email='[email protected]',
+            is_superuser=True,
+        )
+        user2 = UserFactory.create(
+            username='[email protected]',
+            first_name='Test',
+            last_name='User2',
+            password='admin123',
+            email='[email protected]',
+        )
+        user3 = UserFactory.create(
+            username='[email protected]',
+            first_name='Test',
+            last_name='User3',
+            password='admin123',
+            email='[email protected]',
+        )
+        dref1 = DrefFactory.create(
+            title='Test Title',
+            created_by=user2,
+        )
+        DrefFactory.create(
+            title='Test Title New',
+        )
+
+        # authenticate with user1(superuser)
+        # user1 should be able to view all dref
+        url = '/api/v2/dref/'
+        self.client.force_authenticate(user1)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data['results']), 2)
+
+        # authenticate with User2
+        self.client.force_authenticate(user2)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data['results']), 1)
+        self.assertEqual(response.data['results'][0]['id'], dref1.id)
+
+        # authenticate with User3
+        self.client.force_authenticate(user3)
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data['results']), 0)

dref/views.py

@@ -40,17 +40,17 @@ class DrefViewSet(viewsets.ModelViewSet):
     filterset_class = DrefFilter
 
     def get_queryset(self):
-        return Dref.objects\
-            .filter(
-                models.Q(created_by=self.request.user) |
-                models.Q(users=self.request.user)
-            )\
-            .prefetch_related(
-                'planned_interventions',
-                'needs_identified',
-                'national_society_actions',
-                'users'
-            ).order_by('-created_at').distinct()
+        user = self.request.user
+        queryset = Dref.objects.prefetch_related(
+            'planned_interventions',
+            'needs_identified',
+            'national_society_actions',
+            'users'
+        ).order_by('-created_at').distinct()
+        if user.is_superuser:
+            return queryset
+        else:
+            return queryset.filter(models.Q(created_by=user) | models.Q(users=user))
 
     @action(
         detail=True,
@@ -74,10 +74,8 @@ class DrefOperationalUpdateViewSet(viewsets.ModelViewSet):
     filterset_class = DrefOperationalUpdateFilter
 
     def get_queryset(self):
-        return DrefOperationalUpdate.objects.filter(
-            models.Q(created_by=self.request.user) |
-            models.Q(users=self.request.user)
-        ).select_related(
+        user = self.request.user
+        queryset = DrefOperationalUpdate.objects.select_related(
             'national_society',
             'national_society',
             'disaster_type',
@@ -94,6 +92,10 @@ def get_queryset(self):
             'images',
             'photos',
         ).order_by('-created_at').distinct()
+        if user.is_superuser:
+            return queryset
+        else:
+            return queryset.filter(models.Q(created_by=user) | models.Q(users=user))
 
     @action(
         detail=True,
@@ -121,7 +123,6 @@ def get_queryset(self):
             'dref__needs_identified',
         ).order_by('-created_at').distinct()
 
-
     @action(
         detail=True,
         url_path='publish',