Annotators can see the identification tasks where they have contributed

epou · epou · commit 6971fff901be · 2025-06-05T16:49:46.000+02:00
diff --git a/api/permissions.py b/api/permissions.py
@@ -131,7 +131,27 @@ def has_permission(self, request, view):
         return False
 
 class IdentificationTaskPermissions(FullDjangoModelPermissions):
-    pass
+    def has_permission(self, request, view):
+        # Always require authentication
+        if not request.user or not request.user.is_authenticated:
+            return False
+
+        if view.action == 'retrieve':
+            return True
+
+        return super().has_permission(request, view)
+
+    def has_object_permission(self, request, view, obj):
+        if isinstance(request.user, TigaUser):
+            return False
+
+        if obj.annotators.filter(pk=request.user.pk).exists():
+            # If it's a user that has annotated this task, allow access
+            if view.action == 'retrieve':
+                return True
+
+        perms = self.get_required_permissions(request.method, obj._meta.model)
+        return request.user.has_perms(perms)
 
 class MyIdentificationTaskPermissions(DjangoRegularUserModelPermissions):
     pass
diff --git a/api/tests/integration/identification_tasks/get.tavern.yml b/api/tests/integration/identification_tasks/get.tavern.yml
@@ -62,6 +62,31 @@ stages:
 
 ---
 
+test_name: Identification tasks can be read by annotators that has annotated that identification task.
+
+includes:
+  - !include schema.yml
+
+marks:
+  - usefixtures:
+    - api_live_url
+    - identification_task
+    - annotation
+    - jwt_token_user
+
+stages:
+  - name: User with perm view can retrieve
+    request:
+      url: "{api_live_url}/{endpoint}/{identification_task.report.pk}/"
+      method: "GET"
+      headers:
+        Authorization: "Bearer {jwt_token_user:s}"
+    response:
+      status_code: 200
+      json: !force_format_include "{response_data_validation}"
+
+---
+
 test_name: Archived identification tasks can not be retrieved.
 
 includes:
diff --git a/api/views.py b/api/views.py
@@ -521,7 +521,7 @@ def get_queryset(self):
         qs = super().get_queryset()
 
         user = self.request.user
-        if not (user and user.has_perm("tigacrafting.view_archived_identificationtasks")):
+        if isinstance(user, TigaUser) or not (user and user.has_perm("tigacrafting.view_archived_identificationtasks")):
             qs = qs.exclude(status=IdentificationTask.Status.ARCHIVED)
 
         return qs
