Merge pull request #182 from pneumaticapp/backend/template/45313__owner_has_access_all_templates

 45313 backend [ templates ] Account owner has full access to all templates in the account

Author: EBirkenfeld

backend/src/processes/queries.py

@@ -13,6 +13,7 @@
 )
 from src.processes.enums import (
     DirectlyStatus,
+    OwnerRole,
     OwnerType,
     TaskOrdering,
     TaskStatus,
@@ -2110,15 +2111,6 @@ def _get_filter_by_type(self):
 
     def _get_accessible_templates(self):
         """Returns templates where user is owner or viewer"""
-        # Account owner has full access to all templates in the account
-        if self.user.is_account_owner:
-            return """
-                SELECT DISTINCT t.id AS template_id
-                FROM processes_template t
-                WHERE t.is_deleted IS FALSE
-                  AND t.account_id = %(account_id)s
-            """
-        # For other users (including admins), apply filtering logic
         # Users can see templates where they are:
         # 1. Template owners (user or via group)
         # 2. Template viewers (user or via group)
@@ -2128,8 +2120,8 @@ def _get_accessible_templates(self):
         self.params['owner_type_group'] = OwnerType.GROUP
         self.params['viewer_type_user'] = OwnerType.USER
         self.params['viewer_type_group'] = OwnerType.GROUP
-        self.params['owner_role'] = 'owner'
-        self.params['viewer_role'] = 'viewer'
+        self.params['owner_role'] = OwnerRole.OWNER
+        self.params['viewer_role'] = OwnerRole.VIEWER
         return """
                 SELECT DISTINCT template_id
                 FROM (

backend/src/processes/tests/test_views/test_templates/test_titles_by_workflows.py

@@ -2,6 +2,7 @@
 
 from src.authentication.services.guest_auth import GuestJWTAuthService
 from src.processes.enums import (
+    OwnerRole,
     OwnerType,
     TemplateType,
     WorkflowApiStatus,
@@ -284,6 +285,73 @@ def test_titles__user_not_template_owner__empty_result__ok(api_client):
     assert len(response.data) == 0
 
 
+def test_titles__account_owner_not_template_owner__empty_result__ok(
+    api_client,
+):
+
+    """Account owner should only see templates where they are
+       an owner or viewer, not all templates in the account."""
+
+    # arrange
+    account = create_test_account()
+    account_owner = create_test_owner(account=account)
+    admin = create_test_admin(account=account)
+    template = create_test_template(
+        user=admin,
+        is_active=True,
+        tasks_count=1,
+    )
+    create_test_workflow(
+        user=admin,
+        template=template,
+    )
+    api_client.token_authenticate(account_owner)
+
+    # act
+    response = api_client.get('/templates/titles-by-workflows')
+
+    # assert
+    assert response.status_code == 200
+    assert len(response.data) == 0
+
+
+def test_titles__account_owner_is_viewer__ok(api_client):
+
+    """Account owner with viewer role should see the template."""
+
+    # arrange
+    account = create_test_account()
+    account_owner = create_test_owner(account=account)
+    admin = create_test_admin(account=account)
+    template = create_test_template(
+        user=admin,
+        is_active=True,
+        tasks_count=1,
+    )
+    create_test_workflow(
+        user=admin,
+        template=template,
+    )
+    TemplateOwner.objects.create(
+        template=template,
+        account=account,
+        user_id=account_owner.id,
+        type=OwnerType.USER,
+        role=OwnerRole.VIEWER,
+    )
+    api_client.token_authenticate(account_owner)
+
+    # act
+    response = api_client.get('/templates/titles-by-workflows')
+
+    # assert
+    assert response.status_code == 200
+    assert len(response.data) == 1
+    assert response.data[0]['id'] == template.id
+    assert response.data[0]['name'] == template.name
+    assert response.data[0]['count'] == 1
+
+
 def test_titles__invited_user__unauthorized(api_client):
 
     # arrange