#601: work at private threads permissions

misago/threads/permissions/privatethreads.py

@@ -18,8 +18,6 @@ __all__ = [
     'can_use_private_threads',
     'allow_see_private_thread',
     'can_see_private_thread',
-    'allow_see_private_post',
-    'can_see_private_post',
     'allow_change_owner',
     'can_change_owner',
     'allow_add_participants',
@@ -30,7 +28,6 @@ __all__ = [
     'can_add_participant',
     'allow_message_user',
     'can_message_user',
-    'exclude_invisible_private_threads',
 ]
 
 
@@ -197,16 +194,6 @@ def allow_see_private_thread(user, target):
 can_see_private_thread = return_boolean(allow_see_private_thread)
 
 
-def allow_see_private_post(user, target):
-    can_see_reported = user.acl['can_moderate_private_threads']
-    if not (can_see_reported and target.thread.has_reported_posts):
-        for participant in target.thread.participants_list:
-            if participant.user == user and participant.is_removed:
-                if post.posted_on > target.last_post_on:
-                    raise Http404()
-can_see_private_post = return_boolean(allow_see_private_post)
-
-
 def allow_change_owner(user, target):
     is_moderator = user.acl['can_moderate_private_threads']
     is_owner = target.participant and target.participant.is_owner
@@ -284,24 +271,5 @@ can_add_participant = return_boolean(allow_add_participant)
 
 def allow_message_user(user, target):
     allow_use_private_threads(user)
-
-    if user == target:
-        raise PermissionDenied(_("You can't message yourself."))
-
-    if not user.acl['can_start_private_threads']:
-        raise PermissionDenied(_("You can't start private threads."))
-
     allow_add_participant(user, target)
 can_message_user = return_boolean(allow_message_user)
-
-
-"""
-Queryset helpers
-"""
-def exclude_invisible_private_threads(queryset, user):
-    if user.acl['can_moderate_private_threads']:
-        see_participating = Q(participants=user)
-        see_reported = Q(has_reported_posts=True)
-        return queryset.filter(see_reported | see_participating)
-    else:
-        return queryset.filter(participants=user)

misago/threads/tests/test_privatethread_patch_api.py

@@ -81,6 +81,20 @@ class PrivateThreadAddParticipantApiTests(PrivateThreadPatchApiTestCase):
 
         self.assertContains(response, "BobBoberson is blocking you.", status_code=400)
 
+    def test_add_no_perm_user(self):
+        """can't add user that has no permission to use private threads"""
+        ThreadParticipant.objects.set_owner(self.thread, self.user)
+
+        override_acl(self.other_user, {
+            'can_use_private_threads': 0
+        })
+
+        response = self.patch(self.api_link, [
+            {'op': 'add', 'path': 'participants', 'value': self.other_user.username}
+        ])
+
+        self.assertContains(response, "BobBoberson can't participate", status_code=400)
+
     def test_add_too_many_users(self):
         """can't add user that is already participant"""
         ThreadParticipant.objects.set_owner(self.thread, self.user)
@@ -302,6 +316,44 @@ class PrivateThreadRemoveParticipantApiTests(PrivateThreadPatchApiTestCase):
         self.assertEqual(self.thread.participants.count(), 1)
         self.assertEqual(self.thread.participants.filter(pk=self.user.pk).count(), 0)
 
+    def test_moderator_remove_user(self):
+        """api allows moderator to remove other user"""
+        User = get_user_model()
+        removed_user = User.objects.create_user(
+            'Vigilante', 'test@test.com', 'pass123')
+
+        ThreadParticipant.objects.set_owner(self.thread, self.other_user)
+        ThreadParticipant.objects.add_participants(self.thread, [self.user, removed_user])
+
+        override_acl(self.user, {
+            'can_moderate_private_threads': True
+        })
+
+        response = self.patch(self.api_link, [
+            {'op': 'remove', 'path': 'participants', 'value': removed_user.pk}
+        ])
+
+        self.assertEqual(response.status_code, 200)
+        self.assertFalse(response.json()['deleted'])
+
+        # thread still exists
+        self.assertTrue(Thread.objects.get(pk=self.thread.pk))
+
+        # leave event has valid type
+        event = self.thread.post_set.order_by('id').last()
+        self.assertTrue(event.is_event)
+        self.assertTrue(event.event_type, 'participant_removed')
+
+        # valid users were flagged for sync
+        User = get_user_model()
+        self.assertTrue(User.objects.get(pk=self.user.pk).sync_unread_private_threads)
+        self.assertTrue(User.objects.get(pk=self.other_user.pk).sync_unread_private_threads)
+        self.assertTrue(User.objects.get(pk=removed_user.pk).sync_unread_private_threads)
+
+        # user was removed from participation
+        self.assertEqual(self.thread.participants.count(), 2)
+        self.assertEqual(self.thread.participants.filter(pk=removed_user.pk).count(), 0)
+
     def test_owner_remove_user(self):
         """api allows owner to remove other user"""
         ThreadParticipant.objects.set_owner(self.thread, self.user)

misago/threads/tests/test_privatethread_start_api.py

@@ -35,7 +35,7 @@ class StartPrivateThreadTests(AuthenticatedUserTestCase):
         self.assertEqual(response.status_code, 403)
 
     def test_cant_use_private_threads(self):
-        """has no permission to see selected category"""
+        """has no permission to use private threads"""
         override_acl(self.user, {'can_use_private_threads': 0})
 
         response = self.client.post(self.api_link)
@@ -140,6 +140,25 @@ class StartPrivateThreadTests(AuthenticatedUserTestCase):
             ]
         })
 
+    def test_cant_invite_no_permission(self):
+        """api validates invited user permission to private thread"""
+        override_acl(self.other_user, {
+            'can_use_private_threads': 0
+        })
+
+        response = self.client.post(self.api_link, data={
+            'to': [self.other_user.username],
+            'title': "Lorem ipsum dolor met",
+            'post': "Lorem ipsum dolor.",
+        })
+
+        self.assertEqual(response.status_code, 400)
+        self.assertEqual(response.json(), {
+            'to': [
+                "BobBoberson can't participate in private threads."
+            ]
+        })
+
     def test_cant_invite_blocking(self):
         """api validates that you cant invite blocking user to thread"""
         self.other_user.blocks.add(self.user)