Merge branch 'master' into release

suricactus · suricactus · commit dc357e6f9e08 · 2025-08-20T13:25:56.000+03:00
diff --git a/docker-app/qfieldcloud/core/models.py b/docker-app/qfieldcloud/core/models.py
@@ -2414,19 +2414,25 @@ def for_user_and_project(self, user: User, project: Project) -> SecretQueryset:
         secrets_qs = self.filter(
             Q(
                 # organization-assigned secrets
-                Q(organization=organization) & Q(assigned_to__isnull=True)
+                Q(organization=organization)
+                & Q(project__isnull=True)
+                & Q(assigned_to__isnull=True)
             )
             | Q(
                 # user-assigned organization secrets
-                Q(organization=organization) & Q(assigned_to=user)
+                Q(organization=organization)
+                & Q(project__isnull=True)
+                & Q(assigned_to=user)
             )
             | Q(
                 # project-assigned secrets
-                Q(project=project) & Q(assigned_to__isnull=True)
+                Q(organization__isnull=True)
+                & Q(project=project)
+                & Q(assigned_to__isnull=True)
             )
             | Q(
                 # user assigned project secrets
-                Q(project=project) & Q(assigned_to=user)
+                Q(organization__isnull=True) & Q(project=project) & Q(assigned_to=user)
             )
         )
 
diff --git a/docker-app/qfieldcloud/core/tests/test_secret.py b/docker-app/qfieldcloud/core/tests/test_secret.py
@@ -198,3 +198,29 @@ def test_check_secrets_type_priority(self):
 
         self.assertEqual(secrets.count(), 1)
         self.assertEqual(secrets[0], s1_project_assigned)
+
+    def test_check_secrets_do_not_leak(self):
+        p4 = Project.objects.create(name="p4", owner=self.u2)
+
+        p3_s1 = self._create_secret(name="p3_s1", project=self.p3)
+        p4_s2 = self._create_secret(name="p4_s2", project=p4)
+
+        secrets = Secret.objects.for_user_and_project(self.u1, self.p3)
+
+        self.assertEqual(secrets.count(), 1)
+        self.assertEqual(secrets[0], p3_s1)
+
+        with self.assertRaises(UserProjectRoleError):
+            secrets = Secret.objects.for_user_and_project(self.u1, p4)
+
+            self.assertEqual(secrets.count(), 0)
+
+        with self.assertRaises(UserProjectRoleError):
+            secrets = Secret.objects.for_user_and_project(self.u2, self.p3)
+
+            self.assertEqual(secrets.count(), 0)
+
+        secrets = Secret.objects.for_user_and_project(self.u2, p4)
+
+        self.assertEqual(secrets.count(), 1)
+        self.assertEqual(secrets[0], p4_s2)
diff --git a/docker-app/worker_wrapper/wrapper.py b/docker-app/worker_wrapper/wrapper.py
@@ -432,12 +432,14 @@ def _prepare_deltas(self, deltas: Iterable[Delta]) -> dict[str, Any]:
         local_to_remote_pk_deltas = Delta.objects.filter(
             client_id__in=delta_client_ids,
             last_modified_pk__isnull=False,
-        ).values("client_id", "content__localPk", "last_modified_pk")
+        ).values(
+            "client_id", "content__localLayerId", "content__localPk", "last_modified_pk"
+        )
 
         client_pks_map = {}
 
         for delta_with_modified_pk in local_to_remote_pk_deltas:
-            key = f"{delta_with_modified_pk['client_id']}__{delta_with_modified_pk['content__localPk']}"
+            key = f"{delta_with_modified_pk['client_id']}__{delta_with_modified_pk['content__localLayerId']}__{delta_with_modified_pk['content__localPk']}"
             client_pks_map[key] = delta_with_modified_pk["last_modified_pk"]
 
         deltafile_contents = {
diff --git a/docker-qgis/qfc_worker/apply_deltas.py b/docker-qgis/qfc_worker/apply_deltas.py
@@ -816,7 +816,9 @@ def get_feature(
     source_pk = delta["sourcePk"]
 
     if client_pks:
-        client_pk_key = f"{delta['clientId']}__{delta['localPk']}"
+        client_pk_key = (
+            f"{delta['clientId']}__{delta['localLayerId']}__{delta['localPk']}"
+        )
         if client_pk_key in client_pks:
             source_pk = client_pks[client_pk_key]
 

Original file line number	Diff line number	Diff line change
`@@ -2414,19 +2414,25 @@ def for_user_and_project(self, user: User, project: Project) -> SecretQueryset:`
`2414`	`2414`	`secrets_qs = self.filter(`
`2415`	`2415`	`Q(`
`2416`	`2416`	`# organization-assigned secrets`
`2417`		`- Q(organization=organization) & Q(assigned_to__isnull=True)`
	`2417`	`+ Q(organization=organization)`
	`2418`	`+ & Q(project__isnull=True)`
	`2419`	`+ & Q(assigned_to__isnull=True)`
`2418`	`2420`	`)`
`2419`	`2421`	`\| Q(`
`2420`	`2422`	`# user-assigned organization secrets`
`2421`		`- Q(organization=organization) & Q(assigned_to=user)`
	`2423`	`+ Q(organization=organization)`
	`2424`	`+ & Q(project__isnull=True)`
	`2425`	`+ & Q(assigned_to=user)`
`2422`	`2426`	`)`
`2423`	`2427`	`\| Q(`
`2424`	`2428`	`# project-assigned secrets`
`2425`		`- Q(project=project) & Q(assigned_to__isnull=True)`
	`2429`	`+ Q(organization__isnull=True)`
	`2430`	`+ & Q(project=project)`
	`2431`	`+ & Q(assigned_to__isnull=True)`
`2426`	`2432`	`)`
`2427`	`2433`	`\| Q(`
`2428`	`2434`	`# user assigned project secrets`
`2429`		`- Q(project=project) & Q(assigned_to=user)`
	`2435`	`+ Q(organization__isnull=True) & Q(project=project) & Q(assigned_to=user)`
`2430`	`2436`	`)`
`2431`	`2437`	`)`
`2432`	`2438`