Commit 97ef9adb authored by Bernard Letourmy's avatar Bernard Letourmy
Browse files

Fixes broken access to artefact_snapshot by peer reviewer by extending...

Fixes broken access to artefact_snapshot by peer reviewer by extending EditorReviewViewSet queryset accordingly

- EditorReviewViewSet we also allow detail access to EditorReview record for associated peer reviewers.

- todo improve privacy and optimize data exchange size by removing these extra access,  copying relevant EditorReview fields in PeerReview and avoid fetching whole EditorReview from peer review component.

ref #374
parent 2c5ddd89
......@@ -113,10 +113,13 @@ class EditorReviewViewSet(viewsets.ModelViewSet):
# "Main administrator" members have access to all editor reviews
queryset = EditorReview.objects.all()
else:
# returns only editorreview records related to authenticated user's publications
# and only for single record (self.detail for author-review) or
# returns only editorreview records related to authenticated user's publications or peer_review
# and only for single record (self.detail for author-review or editor-review)
if self.detail:
queryset = EditorReview.objects.filter(
publication__artefact__object__user=user) | EditorReview.objects.filter(peer_reviews__user=user)
# in case of list view for author component only (when requested with query_params set)
if self.detail or 'publication__artefact__object__user' in self.request.query_params:
elif 'publication__artefact__object__user' in self.request.query_params:
queryset = EditorReview.objects.filter(publication__artefact__object__user=user)
return queryset
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment