Skip to content

[ENG-8526] Fixed affiliations deletions for write contributors #11260

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 5 commits into from
Closed

[ENG-8526] Fixed affiliations deletions for write contributors #11260

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a733b47
fixed affiliation update for write contributors in registrations
ihorsokhanexoft Aug 7, 2025
08b2dbc
removed redundant blank line
ihorsokhanexoft Aug 7, 2025
7aadd02
fixed tests
ihorsokhanexoft Aug 8, 2025
d1fa8ef
fixed tests
ihorsokhanexoft Aug 8, 2025
0cf9e14
fixed a test
ihorsokhanexoft Aug 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions api/nodes/permissions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -127,6 +127,22 @@ def has_object_permission(self, request, view, obj):
return obj.has_permission(auth.user, osf_permissions.WRITE)


class AdminOrWriteContributor(permissions.BasePermission):
acceptable_models = (AbstractNode, OSFUser, Institution, BaseAddonSettings, DraftRegistration)

def has_object_permission(self, request, view, obj):
if isinstance(obj, dict) and 'self' in obj:
obj = obj['self']

assert_resource_type(obj, self.acceptable_models)
auth = get_user_auth(request)

if request.method in permissions.SAFE_METHODS:
return obj.is_public or obj.can_view(auth)

return obj.has_permission(auth.user, osf_permissions.ADMIN) or obj.has_permission(auth.user, osf_permissions.WRITE)


class AdminOrPublic(permissions.BasePermission):

acceptable_models = (AbstractNode, OSFUser, Institution, BaseAddonSettings, DraftRegistration)
Expand Down
3 changes: 2 additions & 1 deletion api/registrations/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,7 @@
AdminOrPublic,
ExcludeWithdrawals,
NodeLinksShowIfVersion,
AdminOrWriteContributor,
)
from api.registrations.permissions import ContributorOrModerator, ContributorOrModeratorOrPublic
from api.registrations.serializers import (
Expand Down Expand Up @@ -682,7 +683,7 @@ class RegistrationInstitutionsRelationship(NodeInstitutionsRelationship, Registr
permission_classes = (
drf_permissions.IsAuthenticatedOrReadOnly,
base_permissions.TokenHasScope,
AdminOrPublic,
AdminOrWriteContributor,
)


Expand Down
34 changes: 26 additions & 8 deletions api_tests/registrations/views/test_registration_relationship_institutions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,11 +43,11 @@ def resource_factory(self):
return RegistrationFactory

# test override, write contribs can't update institution
def test_put_not_admin_but_affiliated(self, app, institution_one, node, node_institutions_url):
def test_put_not_admin_but_affiliated_read_permission(self, app, institution_one, node, node_institutions_url):
user = AuthUserFactory()
user.add_or_update_affiliated_institution(institution_one)
user.save()
node.add_contributor(user)
node.add_contributor(user, permissions=permissions.READ)
node.save()

res = app.put_json_api(
Expand All @@ -61,7 +61,25 @@ def test_put_not_admin_but_affiliated(self, app, institution_one, node, node_ins
assert res.status_code == 403
assert institution_one not in node.affiliated_institutions.all()

# test override, write contribs cannot delete
def test_put_not_admin_but_affiliated_and_write_permission(self, app, institution_one, node, node_institutions_url):
user = AuthUserFactory()
user.add_or_update_affiliated_institution(institution_one)
user.save()
node.add_contributor(user)
node.save()

res = app.put_json_api(
node_institutions_url,
self.create_payload([institution_one]),
expect_errors=True,
auth=user.auth
)

node.reload()
assert res.status_code == 200
assert institution_one in node.affiliated_institutions.all()

# test override, write contribs can delete
def test_delete_user_is_read_write(self, app, institution_one, node, node_institutions_url):
user = AuthUserFactory()
user.add_or_update_affiliated_institution(institution_one)
Expand All @@ -77,7 +95,7 @@ def test_delete_user_is_read_write(self, app, institution_one, node, node_instit
expect_errors=True
)

assert res.status_code == 403
assert res.status_code == 204

def test_read_write_contributor_can_add_affiliated_institution(
self, app, write_contrib, write_contrib_institution, node, node_institutions_url):
Expand All @@ -94,8 +112,8 @@ def test_read_write_contributor_can_add_affiliated_institution(
auth=write_contrib.auth,
expect_errors=True
)
assert res.status_code == 403
assert write_contrib_institution not in node.affiliated_institutions.all()
assert res.status_code == 201
assert write_contrib_institution in node.affiliated_institutions.all()

def test_read_write_contributor_can_remove_affiliated_institution(
self, app, write_contrib, write_contrib_institution, node, node_institutions_url):
Expand All @@ -114,8 +132,8 @@ def test_read_write_contributor_can_remove_affiliated_institution(
auth=write_contrib.auth,
expect_errors=True
)
assert res.status_code == 403
assert write_contrib_institution in node.affiliated_institutions.all()
assert res.status_code == 204
assert write_contrib_institution not in node.affiliated_institutions.all()

def test_user_with_institution_and_permissions_through_patch(self, app, user, institution_one, institution_two,
node, node_institutions_url):
Expand Down
Loading