fix downloading RoR response CSV for users with assignments

Was relying on the marker's assigned council which is not true for all users so if that's missing look at assignments too. Also throw a 403 if none of them matches.
mysociety · Dec 4, 2024 · 0194e02 · 0194e02
1 parent 6f81580
commit 0194e02
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 6 deletions.
diff --git a/crowdsourcer/tests/test_right_of_reply_views.py b/crowdsourcer/tests/test_right_of_reply_views.py
@@ -611,6 +611,11 @@ def get_download_df(self):
 
         return df
 
+    def test_wrong_council(self):
+        url = reverse("authority_ror_download", args=("Adur District Council",))
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 403)
+
     def test_download(self):
         df = self.get_download_df()
 
@@ -635,6 +640,32 @@ def test_download(self):
         self.assertEqual(b_and_h_q5.agree_with_mark, "No")
         self.assertEqual(b_and_h_q5.council_notes, "a council objection")
 
+    def test_download_with_two_councils(self):
+        self.user.marker.authority = None
+        self.user.marker.save()
+
+        rt = ResponseType.objects.get(type="Right of Reply")
+        ms = MarkingSession.objects.get(label="Default")
+        Assigned.objects.create(
+            user=self.user,
+            response_type=rt,
+            authority=PublicAuthority.objects.get(name="Aberdeenshire Council"),
+            marking_session=ms,
+        )
+        Assigned.objects.create(
+            user=self.user,
+            response_type=rt,
+            authority=PublicAuthority.objects.get(name="Aberdeen City Council"),
+            marking_session=ms,
+        )
+
+        df = self.get_download_df()
+        self.assertEqual(df.shape[0], 2)
+
+        url = reverse("authority_ror_download", args=("Adur District Council",))
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 403)
+
     def test_download_with_props(self):
         sp = SessionProperties.objects.get(name="ror_property")
         SessionPropertyValues.objects.create(

diff --git a/crowdsourcer/views/rightofreply.py b/crowdsourcer/views/rightofreply.py
@@ -241,15 +241,27 @@ def get_queryset(self):
         user = self.request.user
 
         rt = ResponseType.objects.get(type="Right of Reply")
+        authority_name = self.kwargs["name"]
+        requested_authority = PublicAuthority.objects.get(name=authority_name)
+        authority = None
         if user.is_superuser:
-            authority_name = self.kwargs["name"]
-            authority = PublicAuthority.objects.get(name=authority_name)
-        else:
+            authority = requested_authority
+        elif (
+            self.request.user.marker.authority is not None
+            and self.request.user.marker.authority == requested_authority
+        ):
             authority = self.request.user.marker.authority
-
-        self.authority = authority
+        else:
+            if Assigned.objects.filter(
+                user=self.request.user,
+                authority=requested_authority,
+                marking_session=self.request.current_session,
+                response_type=rt,
+            ).exists():
+                authority = requested_authority
 
         if authority is not None:
+            self.authority = authority
             return (
                 Response.objects.filter(
                     question__section__marking_session=self.request.current_session,
@@ -264,7 +276,7 @@ def get_queryset(self):
                 )
             )
 
-        return None
+        raise PermissionDenied
 
     def get_first_mark_responses(self):
         rt = ResponseType.objects.get(type="First Mark")