Merge pull request #1217 from thunderstore-io/cyberstorm-api-package-listing-permission

Update getting package listing visibility (TS-2915)

Author: Roffenlund

django/thunderstore/api/cyberstorm/tests/test_package_listing.py

@@ -4,6 +4,7 @@
 
 import pytest
 from django.db import connection
+from django.http import Http404
 from django.test.utils import CaptureQueriesContext
 from rest_framework.test import APIClient
 
@@ -36,6 +37,47 @@ def get_listing_url(package_listing) -> str:
     return f"{base_url}/{community_id}/{namespace_id}/{package_name}/status/"
 
 
+@pytest.mark.django_db
+@pytest.mark.parametrize("user_type", TestUserTypes.options())
+def test_get_custom_package_listing__rejected_package_visibility_user_types(
+    user_type,
+) -> None:
+    listing = PackageListingFactory(review_status="rejected")
+
+    community_id = listing.community.identifier
+    namespace = listing.package.namespace.name
+    package_name = listing.package.name
+    user = TestUserTypes.get_user_by_type(user_type)
+
+    expected_visibility = {
+        TestUserTypes.no_user: False,
+        TestUserTypes.unauthenticated: False,
+        TestUserTypes.regular_user: False,
+        TestUserTypes.deactivated_user: False,
+        TestUserTypes.service_account: False,
+        TestUserTypes.site_admin: True,
+        TestUserTypes.superuser: True,
+    }
+
+    is_visible = expected_visibility[user_type]
+
+    if is_visible:
+        listing = get_custom_package_listing(
+            community_id,
+            namespace,
+            package_name,
+            user=user,
+        )
+    else:
+        with pytest.raises(Http404):
+            listing = get_custom_package_listing(
+                community_id,
+                namespace,
+                package_name,
+                user=user,
+            )
+
+
 @pytest.mark.django_db
 def test_get_custom_package_listing__returns_objects_matching_args() -> None:
     expected = PackageListingFactory()

django/thunderstore/api/cyberstorm/views/package_listing.py

@@ -12,6 +12,7 @@
     Sum,
     Value,
 )
+from django.http import Http404
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework import serializers, status
 from rest_framework.exceptions import PermissionDenied
@@ -34,6 +35,7 @@
     conditional_swagger_auto_schema,
 )
 from thunderstore.community.models.package_listing import PackageListing
+from thunderstore.core.types import UserType
 from thunderstore.repository.models.package import get_package_dependants
 from thunderstore.repository.models.package_version import PackageVersion
 from thunderstore.repository.views.package.detail import PermissionsChecker
@@ -122,6 +124,7 @@ def get_object(self):
             community_id=self.kwargs["community_id"],
             namespace_id=self.kwargs["namespace_id"],
             package_name=self.kwargs["package_name"],
+            user=self.request.user,
         )
 
 
@@ -141,12 +144,12 @@ def get_custom_package_listing(
     community_id: str,
     namespace_id: str,
     package_name: str,
+    user: UserType = None,
 ) -> CustomListing:
     listing_ref = PackageListing.objects.filter(pk=OuterRef("pk"))
 
     qs = (
         PackageListing.objects.active()
-        .filter_by_community_approval_rule()
         .select_related(
             "community",
             "package__latest",
@@ -185,6 +188,9 @@ def get_custom_package_listing(
         package__name=package_name,
     )
 
+    if not listing.can_be_viewed_by_user(user):
+        raise Http404()
+
     dependencies = (
         listing.package.latest.dependencies.listed_in(community_id)
         .annotate(community_identifier=Value(community_id, CharField()))