From a0ecf4ffe00c8c379d404ca9df1df420b2adf913 Mon Sep 17 00:00:00 2001
From: Stefan Wehrmeyer
Date: Mon, 28 Oct 2024 21:48:00 +0100
Subject: [PATCH] Take content_hidden flag into account for foimessage API reads

---
 froide/foirequest/api_views.py      | 29 +++++++++++++++++++++--------
 froide/foirequest/tests/test_api.py | 10 ++++++++--
 2 files changed, 29 insertions(+), 10 deletions(-)

diff --git a/froide/foirequest/api_views.py b/froide/foirequest/api_views.py
index e9e9e75e5..7cc46f014 100644
--- a/froide/foirequest/api_views.py
+++ b/froide/foirequest/api_views.py
@@ -242,8 +242,8 @@ class FoiMessageSerializer(serializers.HyperlinkedModelSerializer):
         read_only=True, view_name="api:publicbody-detail"
     )
-    subject = serializers.CharField(source="get_subject")
-    content = serializers.CharField(source="get_content")
+    subject = serializers.SerializerMethodField(source="get_subject")
+    content = serializers.SerializerMethodField(source="get_content")
     redacted_subject = serializers.SerializerMethodField(source="get_redacted_subject")
     redacted_content = serializers.SerializerMethodField(source="get_redacted_content")
     sender = serializers.CharField()
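Review bot: The `source="get_subject"` / `source="get_content"` arguments on the two new `SerializerMethodField` declarations are inert: DRF's SerializerMethodField replaces the `source` kwarg with `'*'` and resolves its method from the field name (`get_subject`, `get_content`), so the argument only suggests a binding that does not actually happen. It mirrors the two existing `redacted_*` declarations, so the hunk is consistent with the surrounding style, but the clearer form is `subject = serializers.SerializerMethodField()` and `content = serializers.SerializerMethodField()`. Switching from CharField also makes both fields read-only, which the rest of FoiMessageSerializer (outside this hunk) presumably already relies on for the other method fields.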
@@ -281,20 +281,33 @@ class Meta:
             "last_modified_at",
         )
 
-    def get_redacted_subject(self, obj):
+    def _is_authenticated_read(self, obj):
         request = self.context["request"]
+        return can_read_foirequest_authenticated(obj.request, request, allow_code=False)
+
+    def get_subject(self, obj):
+        if obj.content_hidden and not self._is_authenticated_read(obj):
+            return ""
+        return obj.get_subject()
 
-        if can_read_foirequest_authenticated(obj.request, request, allow_code=False):
+    def get_content(self, obj):
+        if obj.content_hidden and not self._is_authenticated_read(obj):
+            return ""
+        return obj.get_subject()
+
+    def get_redacted_subject(self, obj):
+        if self._is_authenticated_read(obj):
             show, hide = obj.subject, obj.subject_redacted
         else:
+            if obj.content_hidden:
+                return []
             show, hide = obj.subject_redacted, obj.subject
         return list(get_differences(show, hide))
 
     def get_redacted_content(self, obj):
-        request = self.context["request"]
-        authenticated_read = can_read_foirequest_authenticated(
-            obj.request, request, allow_code=False
-        )
+        authenticated_read = self._is_authenticated_read(obj)
+        if obj.content_hidden and not authenticated_read:
+            return []
         return obj.get_redacted_content(authenticated_read)
 
     def get_attachments(self, obj):
diff --git a/froide/foirequest/tests/test_api.py b/froide/foirequest/tests/test_api.py
index 7c1b8e0fe..94b5d16a9 100644
--- a/froide/foirequest/tests/test_api.py
+++ b/froide/foirequest/tests/test_api.py
@@ -81,7 +81,13 @@ def test_permissions(self):
 
     def test_content_hidden(self):
         marker = "TESTMARKER"
-        mes = factories.FoiMessageFactory.create(content_hidden=True, plaintext=marker)
+        mes = factories.FoiMessageFactory.create(
+            content_hidden=True,
+            plaintext=marker,
+            plaintext_redacted=marker,
+            subject=marker,
+            subject_redacted=marker,
+        )
         response = self.client.get("/api/v1/message/%d/" % mes.pk)
         self.assertEqual(response.status_code, 200)
         self.assertNotContains(response, marker)
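Review bot: `get_content` returns the wrong value on its fall-through path: after the content_hidden guard it does `return obj.get_subject()`, so an authenticated reader of a visible message gets the subject in the `content` field instead of the message body; the line should be `return obj.get_content()`. The new test only covers the anonymous hidden case, where the guard returns `""` before that line is reached, which is why it does not catch this. The guards in `get_subject`, `get_redacted_subject` and `get_redacted_content` are consistent with each other (empty string for the plain fields, empty list for the diff fields). Each of the four fields calls `_is_authenticated_read` separately, so the permission check runs up to four times per serialized message; memoizing the result per `obj` would be a small follow-up. FoiMessageSerializer starts and ends outside this hunk.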
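Review bot: `test_content_hidden` only exercises the anonymous side of the new serializer guards; there is no counterpart asserting that an authenticated reader of the request still receives subject and content for a hidden message, so a regression that blanks the fields for everyone — or returns the wrong field on the visible path — would pass this test. A second test that authenticates as the request owner, fetches the same message and asserts `self.assertContains(response, marker)` would pin the intended behavior. Setting all four text fields to the same marker is a good choice here, since any of them leaking would fail the `assertNotContains`. The enclosing test class starts outside the hunk.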
@@ -90,7 +96,7 @@ def test_username_hidden(self):
         user = factories.UserFactory.create(first_name="Reinhardt")
         user.private = True
         user.save()
-        mes = factories.FoiMessageFactory.create(content_hidden=True, sender_user=user)
+        mes = factories.FoiMessageFactory.create(sender_user=user)
         response = self.client.get("/api/v1/message/%d/" % mes.pk)
         self.assertEqual(response.status_code, 200)
         self.assertNotContains(response, user.username)