Merge pull request #238 from awf-dbca/user-org-auth-fix

User Organisation Access Fix

wildlifecompliance/components/organisations/api.py

@@ -180,9 +180,10 @@ def get_queryset(self):
         if is_internal(self.request) or self.allow_external:
             return Organisation.objects.all()
         elif is_customer(self.request):
-            org_contacts = OrganisationContact.objects.filter(is_admin=True).filter(email=user.email)
-            user_admin_orgs = [org.organisation.id for org in org_contacts]
-            return Organisation.objects.filter(id__in=user_admin_orgs)
+            #org_contacts = OrganisationContact.objects.filter(is_admin=True).filter(email=user.email)
+            #user_admin_orgs = [org.organisation.id for org in org_contacts]
+            #return Organisation.objects.filter(id__in=user_admin_orgs)
+            return user.wildlifecompliance_organisations.all()
         return Organisation.objects.none()
 
     @detail_route(methods=['GET'])

wildlifecompliance/components/organisations/utils.py

@@ -5,8 +5,8 @@
 def can_manage_org(organisation, user):
     from wildlifecompliance.components.organisations.models import UserDelegation
     try:
-        UserDelegation.objects.get(organisation=organisation, user=user)
-        return True
+        UserDelegation.objects.get(organisation=organisation,user=user)
+        return can_admin_org(organisation, user)
     except UserDelegation.DoesNotExist:
         pass
     if user.has_perm('wildlifecompliance.system_administrator'):