hotosm
diff --git a/‎.github/workflows/pr_test_backend.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/pr_test_backend.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/api/projects/activities.py‎
Lines changed: 70 additions & 4 deletions b/‎backend/api/projects/activities.py‎
Lines changed: 70 additions & 4 deletions
diff --git a/‎backend/api/projects/contributions.py‎
Lines changed: 40 additions & 4 deletions b/‎backend/api/projects/contributions.py‎
Lines changed: 40 additions & 4 deletions
diff --git a/‎backend/api/projects/resources.py‎
Lines changed: 36 additions & 2 deletions b/‎backend/api/projects/resources.py‎
Lines changed: 36 additions & 2 deletions
diff --git a/‎backend/api/tasks/resources.py‎
Lines changed: 36 additions & 3 deletions b/‎backend/api/tasks/resources.py‎
Lines changed: 36 additions & 3 deletions
@@ -31,7 +31,7 @@ jobs:
 
       - name: Run PEP8 checks
         run: |
-          flake8 manage.py backend tests migrations
+          flake8 manage.py backend tests migrations --ignore=E203,W503
           black --check manage.py backend tests migrations
 
   pytest:
 
@@ -1,6 +1,10 @@
+from typing import Optional
+from backend.models.dtos.user_dto import AuthUserDTO
+from backend.models.postgis.statuses import ProjectStatus
+from backend.services.users.authentication_service import login_required_optional
 from databases import Database
 from fastapi import APIRouter, Depends, Request, Query
-
+from fastapi.responses import JSONResponse
 from backend.db import get_db
 from backend.services.project_service import ProjectService
 from backend.services.stats_service import StatsService
@@ -16,6 +20,7 @@
 async def get_activities(
     project_id: int,
     page: int = Query(1, description="Page of results user requested", ge=1),
+    user: Optional[AuthUserDTO] = Depends(login_required_optional),
     db: Database = Depends(get_db),
 ):
     """
@@ -44,14 +49,46 @@ async def get_activities(
         500:
             description: Internal Server Error
     """
-    await ProjectService.exists(project_id, db)
+
+    is_private, status = await ProjectService.get_project_privacy_and_status(
+        project_id, db
+    )
+    # If private or draft, enforce login + permission
+    if is_private or status == ProjectStatus.DRAFT.value:
+        user_id = user.id if user else None
+        if user is None:
+            return JSONResponse(
+                content={
+                    "Error": "User not permitted: Private Project",
+                    "SubCode": "PrivateProject",
+                },
+                status_code=403,
+            )
+
+        project_dto = await ProjectService.get_project_dto_for_mapper(
+            project_id,
+            user_id,
+            db,
+        )
+        if not project_dto:
+
+            return JSONResponse(
+                content={
+                    "Error": "User not permitted: Private Project",
+                    "SubCode": "PrivateProject",
+                },
+                status_code=403,
+            )
     activity = await StatsService.get_latest_activity(project_id, page, db)
     return activity
 
 
 @router.get("/{project_id}/activities/latest/")
 async def get_latest_activities(
-    request: Request, project_id: int, db: Database = Depends(get_db)
+    request: Request,
+    project_id: int,
+    user: Optional[AuthUserDTO] = Depends(login_required_optional),
+    db: Database = Depends(get_db),
 ):
     """
     Get latest user activity on all of project task
@@ -74,6 +111,35 @@ async def get_latest_activities(
         500:
             description: Internal Server Error
     """
-    await ProjectService.exists(project_id, db)
+
+    is_private, status = await ProjectService.get_project_privacy_and_status(
+        project_id, db
+    )
+    # If private or draft, enforce login + permission
+    if is_private or status == ProjectStatus.DRAFT.value:
+        user_id = user.id if user else None
+        if user is None:
+            return JSONResponse(
+                content={
+                    "Error": "User not permitted: Private Project",
+                    "SubCode": "PrivateProject",
+                },
+                status_code=403,
+            )
+
+        project_dto = await ProjectService.get_project_dto_for_mapper(
+            project_id,
+            user_id,
+            db,
+        )
+        if not project_dto:
+
+            return JSONResponse(
+                content={
+                    "Error": "User not permitted: Private Project",
+                    "SubCode": "PrivateProject",
+                },
+                status_code=403,
+            )
     activity = await StatsService.get_last_activity(project_id, db)
     return activity
@@ -1,8 +1,11 @@
+from typing import Optional
+from backend.models.dtos.user_dto import AuthUserDTO
+from backend.models.postgis.statuses import ProjectStatus
+from backend.services.users.authentication_service import login_required_optional
 from databases import Database
 from fastapi import APIRouter, Depends
-
+from fastapi.responses import JSONResponse
 from backend.db import get_db
-from backend.models.postgis.project import Project
 from backend.services.project_service import ProjectService
 from backend.services.stats_service import StatsService
 
@@ -14,7 +17,11 @@
 
 
 @router.get("/{project_id}/contributions/")
-async def get_project_contributions(project_id: int, db: Database = Depends(get_db)):
+async def get_project_contributions(
+    project_id: int,
+    user: Optional[AuthUserDTO] = Depends(login_required_optional),
+    db: Database = Depends(get_db),
+):
     """
     Get all user contributions on a project
     ---
@@ -37,7 +44,36 @@ async def get_project_contributions(project_id: int, db: Database = Depends(get_
         500:
             description: Internal Server Error
     """
-    await Project.exists(project_id, db)
+
+    is_private, status = await ProjectService.get_project_privacy_and_status(
+        project_id, db
+    )
+    # If private or draft, enforce login + permission
+    if is_private or status == ProjectStatus.DRAFT.value:
+        user_id = user.id if user else None
+        if user is None:
+            return JSONResponse(
+                content={
+                    "Error": "User not permitted: Private Project",
+                    "SubCode": "PrivateProject",
+                },
+                status_code=403,
+            )
+
+        project_dto = await ProjectService.get_project_dto_for_mapper(
+            project_id,
+            user_id,
+            db,
+        )
+        if not project_dto:
+
+            return JSONResponse(
+                content={
+                    "Error": "User not permitted: Private Project",
+                    "SubCode": "PrivateProject",
+                },
+                status_code=403,
+            )
     contributions = await StatsService.get_user_contributions(project_id, db)
     return contributions
 
 
@@ -16,7 +16,7 @@
     ProjectSearchDTO,
 )
 from backend.models.dtos.user_dto import AuthUserDTO
-from backend.models.postgis.statuses import UserRole
+from backend.models.postgis.statuses import ProjectStatus, UserRole
 from backend.services.organisation_service import OrganisationService
 from backend.services.project_admin_service import (
     InvalidData,
@@ -1104,7 +1104,10 @@ async def get_mapped_projects(
 
 @router.get("/{project_id}/queries/summary/")
 async def get_project_summary(
-    request: Request, project_id: int, db: Database = Depends(get_db)
+    request: Request,
+    project_id: int,
+    user: Optional[AuthUserDTO] = Depends(login_required_optional),
+    db: Database = Depends(get_db),
 ):
     """
     Gets project summary
@@ -1135,6 +1138,37 @@ async def get_project_summary(
             description: Internal Server Error
     """
     preferred_locale = request.headers.get("accept-language")
+
+    is_private, status = await ProjectService.get_project_privacy_and_status(
+        project_id, db
+    )
+    # If private or draft, enforce login + permission
+    if is_private or status == ProjectStatus.DRAFT.value:
+        user_id = user.id if user else None
+        if user is None:
+            return JSONResponse(
+                content={
+                    "Error": "User not permitted: Private Project",
+                    "SubCode": "PrivateProject",
+                },
+                status_code=403,
+            )
+
+        project_dto = await ProjectService.get_project_dto_for_mapper(
+            project_id,
+            user_id,
+            db,
+        )
+        if not project_dto:
+
+            return JSONResponse(
+                content={
+                    "Error": "User not permitted: Private Project",
+                    "SubCode": "PrivateProject",
+                },
+                status_code=403,
+            )
+
     summary = await ProjectService.get_project_summary(project_id, db, preferred_locale)
     return summary
 
 
@@ -1,6 +1,8 @@
 import io
 import json
+from typing import Optional
 
+from backend.models.dtos.user_dto import AuthUserDTO
 from databases import Database
 from fastapi import APIRouter, Depends, Request, Query
 from fastapi.responses import JSONResponse, Response, StreamingResponse
@@ -9,12 +11,12 @@
 
 from backend.db import get_db
 from backend.models.dtos.grid_dto import GridDTO
-from backend.models.postgis.statuses import UserRole
+from backend.models.postgis.statuses import ProjectStatus, UserRole
 from backend.models.postgis.utils import InvalidGeoJson
 from backend.services.grid.grid_service import GridService
 from backend.services.mapping_service import MappingService
 from backend.services.project_service import ProjectService, ProjectServiceError
-from backend.services.users.authentication_service import tm
+from backend.services.users.authentication_service import login_required_optional, tm
 from backend.services.users.user_service import UserService
 from backend.services.validator_service import ValidatorService
 
@@ -75,6 +77,7 @@ async def get_project_tasks(
     project_id: int,
     tasks: str = Query(default=None),
     as_file: bool = Query(default=False, alias="as_file"),
+    user: Optional[AuthUserDTO] = Depends(login_required_optional),
     db: Database = Depends(get_db),
 ):
     """
@@ -112,8 +115,38 @@ async def get_project_tasks(
             description: Internal Server Error
     """
     try:
-        tasks_json = await ProjectService.get_project_tasks(db, project_id, tasks)
 
+        is_private, status = await ProjectService.get_project_privacy_and_status(
+            project_id, db
+        )
+        # If private or draft, enforce login + permission
+        if is_private or status == ProjectStatus.DRAFT.value:
+            user_id = user.id if user else None
+            if user is None:
+                return JSONResponse(
+                    content={
+                        "Error": "User not permitted: Private Project",
+                        "SubCode": "PrivateProject",
+                    },
+                    status_code=403,
+                )
+
+            project_dto = await ProjectService.get_project_dto_for_mapper(
+                project_id,
+                user_id,
+                db,
+            )
+            if not project_dto:
+
+                return JSONResponse(
+                    content={
+                        "Error": "User not permitted: Private Project",
+                        "SubCode": "PrivateProject",
+                    },
+                    status_code=403,
+                )
+
+        tasks_json = await ProjectService.get_project_tasks(db, project_id, tasks)
         if as_file:
             tasks_str = json.dumps(tasks_json, indent=4)
             return Response(