Allow annotators to access their annotated identification tasks attributes

Author: epou

api/permissions.py

@@ -3,7 +3,7 @@
 
 from rest_framework import permissions
 
-from tigacrafting.models import ExpertReportAnnotation
+from tigacrafting.models import IdentificationTask, ExpertReportAnnotation
 from tigaserver_app.models import TigaUser, Notification
 
 from .utils import get_fk_fieldnames
@@ -29,6 +29,11 @@ def has_permission(self, request, view):
             request.user, User
         ) and super().has_permission(request, view)
 
+    def has_object_permission(self, request, view, obj):
+        return isinstance(
+            request.user, User
+        ) and super().has_object_permission(request, view, obj)
+
 class FullDjangoModelPermissions(DjangoRegularUserModelPermissions):
     perms_map = {
         **permissions.DjangoObjectPermissions.perms_map,
@@ -130,29 +135,47 @@ def has_permission(self, request, view):
             return super().has_permission(request=request, view=view)
         return False
 
-class IdentificationTaskPermissions(FullDjangoModelPermissions):
-    def has_permission(self, request, view):
-        # Always require authentication
-        if not request.user or not request.user.is_authenticated:
+
+class BaseIdentificationTaskPermissions(FullDjangoModelPermissions):
+    def _check_is_annotator(self, request, view, obj) -> bool:
+        if isinstance(request.user, TigaUser):
             return False
 
-        if view.action == 'retrieve':
-            return True
+        if isinstance(obj, IdentificationTask):
+            task = obj
+        else:
+            inferred_fieldnames = get_fk_fieldnames(
+                model=obj._meta.model, related_model=IdentificationTask
+            )
+            if len(inferred_fieldnames) > 1:
+                raise MultipleObjectsReturned(
+                    "Model {obj._meta.model} has {len(inferred_fieldnames)} relation to model {TigaUser}."
+                )
+            task_fname = inferred_fieldnames[0]
+            if not hasattr(obj, task_fname):
+                return False
+            task = getattr(obj, task_fname)
+        return task.annotators.filter(pk=request.user.pk).exists()
 
+    def has_permission(self, request, view):
+        if request.user and request.user.is_authenticated:
+            if view.action == 'retrieve':
+                return True
         return super().has_permission(request, view)
 
     def has_object_permission(self, request, view, obj):
-        if isinstance(request.user, TigaUser):
+        if not super().has_object_permission(request, view,obj):
             return False
 
-        if obj.annotators.filter(pk=request.user.pk).exists():
-            # If it's a user that has annotated this task, allow access
-            if view.action == 'retrieve':
-                return True
+        if view.action == 'retrieve' and self._check_is_annotator(request, view, obj):
+            return True
 
         perms = self.get_required_permissions(request.method, obj._meta.model)
         return request.user.has_perms(perms)
 
+class IdentificationTaskPermissions(BaseIdentificationTaskPermissions):
+    pass
+
 class MyIdentificationTaskPermissions(DjangoRegularUserModelPermissions):
     pass
 
@@ -166,25 +189,24 @@ def has_permission(self, request, view):
             'model_name': ExpertReportAnnotation._meta.model_name
         })
 
-class AnnotationPermissions(FullDjangoModelPermissions):
-    # Always allow retrieve owned annotations
-
-    def has_permission(self, request, view):
-        if request.user and request.user.is_authenticated and view.action == 'retrieve':
-            return True
-        return super().has_permission(request=request, view=view)
+class BaseIdentificationTaskAttributePermissions(BaseIdentificationTaskPermissions):
+    pass
 
+class AnnotationPermissions(BaseIdentificationTaskAttributePermissions):
+    # Always allow retrieve owned attributes
     def has_object_permission(self, request, view, obj):
         # Allow retrieve if user is the owner
         if view.action == 'retrieve':
             if obj.user == request.user:
                 return True
-            return super().has_permission(request=request, view=view)
         return super().has_object_permission(request, view, obj)
 
 class MyAnnotationPermissions(DjangoRegularUserModelPermissions):
     pass
 
+class PhotoPredictionPermissions(BaseIdentificationTaskAttributePermissions):
+    pass
+
 class TaxaPermissions(UserObjectPermissions):
     perms_map = permissions.DjangoModelPermissions.perms_map
 

api/tests/integration/identification_tasks/annotations/get.tavern.yml

@@ -75,7 +75,6 @@ marks:
     - api_live_url
     - endpoint
     - annotation
-    - annotation_from_another_user
     - jwt_token_user
 
 stages:
@@ -87,7 +86,48 @@ stages:
         Authorization: "Bearer {jwt_token_user:s}"
     response:
       status_code: 200
-  - name: User without perm view can not retrieve if not owned annotation
+
+---
+
+test_name: Annotation can be retrieved by users without permissions if from a identification task they have annotate.
+
+includes:
+  - !include schema.yml
+
+marks:
+  - usefixtures:
+    - api_live_url
+    - endpoint
+    - annotation
+    - annotation_from_another_user
+    - jwt_token_user
+
+stages:
+  - name: User without perm view can retrieve if annotation from the same task
+    request:
+      url: "{api_live_url}/{endpoint}/{annotation_from_another_user.pk}/"
+      method: "GET"
+      headers:
+        Authorization: "Bearer {jwt_token_user:s}"
+    response:
+      status_code: 200
+
+---
+
+test_name: Annotation can not be retrieved by users if not owned and they have not annotated in the same identification task.
+
+includes:
+  - !include schema.yml
+
+marks:
+  - usefixtures:
+    - api_live_url
+    - endpoint
+    - annotation_from_another_user
+    - jwt_token_user
+
+stages:
+  - name: User without perm view can not retrieve if not owned annotation and not annotator from the identification task
     request:
       url: "{api_live_url}/{endpoint}/{annotation_from_another_user.pk}/"
       method: "GET"

api/tests/integration/identification_tasks/predictions/get.tavern.yml

@@ -1,6 +1,6 @@
 ---
 
-test_name: Predictions can be read only by authenticated users.
+test_name: Predictions can be read by users not authenticated or without permissions.
 
 includes:
   - !include schema.yml
@@ -28,12 +28,62 @@ stages:
       method: "GET"
     response:
       status_code: 401
-  - name: User without perm view can retrieve
+  - name: User without perm view can not retrieve
     request:
       url: "{api_live_url}/{endpoint}/{photo_prediction.photo.uuid}/"
       method: "GET"
       headers:
         Authorization: "Bearer {jwt_token_user:s}"
+    response:
+      status_code: 403
+
+---
+
+test_name: Predictions can be read only by authenticated users with permissions.
+
+includes:
+  - !include schema.yml
+
+marks:
+  - usefixtures:
+    - api_live_url
+    - endpoint
+    - photo_prediction
+    - jwt_token_user_can_view
+
+stages:
+  - name: User without perm view can not retrieve
+    request:
+      url: "{api_live_url}/{endpoint}/{photo_prediction.photo.uuid}/"
+      method: "GET"
+      headers:
+        Authorization: "Bearer {jwt_token_user_can_view:s}"
     response:
       status_code: 200
       json: !force_format_include "{response_data_validation}"
+
+---
+
+test_name: Photo prediction can be retrieved by users without permissions if from a identification task they have annotate.
+
+includes:
+  - !include schema.yml
+
+marks:
+  - usefixtures:
+    - api_live_url
+    - endpoint
+    - annotation
+    - photo_prediction
+    - jwt_token_user
+
+stages:
+  - name: User without perm view can retrieve if annotation from the same task
+    request:
+      url: "{api_live_url}/{endpoint}/{photo_prediction.photo.uuid}/"
+      method: "GET"
+      headers:
+        Authorization: "Bearer {jwt_token_user:s}"
+    response:
+      status_code: 200
+      json: !force_format_include "{response_data_validation}"

api/tests/integration/identification_tasks/predictions/list.tavern.yml

@@ -26,12 +26,36 @@ stages:
       method: "GET"
     response:
       status_code: 401
-  - name: User without perm view can retrieve
+  - name: User without perm view can not retrieve
     request:
       url: "{api_live_url}/{endpoint}/"
       method: "GET"
       headers:
         Authorization: "Bearer {jwt_token_user:s}"
+    response:
+      status_code: 403
+
+---
+
+test_name: Predictions can be list only by authenticated users with permissions.
+
+includes:
+  - !include schema.yml
+
+marks:
+  - usefixtures:
+    - api_live_url
+    - endpoint
+    - photo_prediction
+    - jwt_token_user_can_view
+
+stages:
+  - name: User without perm view can not retrieve
+    request:
+      url: "{api_live_url}/{endpoint}/"
+      method: "GET"
+      headers:
+        Authorization: "Bearer {jwt_token_user_can_view:s}"
     response:
       status_code: 200
       json: !force_format_include "{response_list_data_validation}"

api/views.py

@@ -93,6 +93,7 @@
     IdentificationTaskAssignmentPermissions,
     AnnotationPermissions,
     MyAnnotationPermissions,
+    PhotoPredictionPermissions,
     TaxaPermissions,
     CountriesPermissions
 )
@@ -566,6 +567,7 @@ def assign_next(self, request):
     )
     class PhotoPredictionViewSet(NestedViewSetMixin, CreateModelMixin, RetrieveModelMixin, ListModelMixin, UpdateModelMixin, DestroyModelMixin, GenericNoMobileViewSet):
         queryset = PhotoPrediction.objects.all()
+        permission_classes = (PhotoPredictionPermissions, )
 
         parent_lookup_kwargs = {
             'observation_uuid': 'identification_task__pk'