diff --git a/pount/apps/api/tests/api/test_item.py b/pount/apps/api/tests/api/test_item.py
index 2b2247f4e537d5950ef0cb38f337372f36991665..14b493fb0eb0ce292f13683cf43cf8a159dfbf7c 100644
--- a/pount/apps/api/tests/api/test_item.py
+++ b/pount/apps/api/tests/api/test_item.py
@@ -290,7 +290,7 @@ class ViewItemTest(SetUpMixin, APITestCase):
 user = User.objects.create_user("user")
 self.client.force_login(user)
 response = self.client.get(reverse("item-detail", kwargs={"pk": self.private_item.pk}))
- self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+ self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 def test_set_must_be_public_to_view_public_item(self):
 self.public_item.set = self.set
diff --git a/pount/apps/api/tests/api/test_item_export.py b/pount/apps/api/tests/api/test_item_export.py
index eb9aa0098c2f82e2bc5c1c87db27487445d5922b..633e9d2d14d0ab6acdb19740e5b2cc9da3b9d567 100644
--- a/pount/apps/api/tests/api/test_item_export.py
+++ b/pount/apps/api/tests/api/test_item_export.py
@@ -108,7 +108,7 @@ class XmlExportTest(SetUpMixin, APITestCase):
 def test_other_project_member_can_not_export_xml(self):
 self.client.force_login(self.project2_member)
 response = self._get_response()
- self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+ self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
 def test_view_returns_exported_datacite_xml(self):
 self.client.force_login(self.creator)
diff --git a/pount/apps/api/views/item.py b/pount/apps/api/views/item.py
index c17f41747489692808be71530169b5bd20f290e0..dbd622e0282df59fef6884149a71bea3d2539df0 100644
--- a/pount/apps/api/views/item.py
+++ b/pount/apps/api/views/item.py
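Review bot: The two updated assertions, in `ViewItemTest` (test_item.py) and in `test_other_project_member_can_not_export_xml` (test_item_export.py), now pin 403 for a non-member, so the API answers differently for an existing private item than for a pk that does not exist. If the earlier 404 was meant to hide the existence of private items, that property is gone; if the new status is intended, a comment above each assertion such as `# 403 is deliberate: access is denied by object permissions, the queryset no longer hides the item` would record the decision. Both tests exercise only the detail and export routes, and nothing visible here asserts that a private item stays out of a list response for a user who is not a project member; that case deserves a test next to these. The first test method starts outside its hunk.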
@@ -49,7 +49,8 @@ class ItemViewSet(ThumbnailMixin, viewsets.ModelViewSet):
 def get_queryset(self):
 queryset = super().get_queryset()
- queryset = queryset.is_public_or_user_is_project_member(self.request.user)
+ # There is no need to filter. If the user has access to the set, they can access the items
+ # queryset = queryset.is_public_or_user_is_project_member(self.request.user)
 if self.action == "retrieve": # we need the parent objects to determine if it can be shared
 queryset = queryset.select_related("set", "set__project")
diff --git a/pyproject.toml b/pyproject.toml
index 6537df4a84af2985e394bc9b451eebff5af9ab82..1ddedd4ee518027fc60ba6d5765281cd58c89c0b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -23,7 +23,7 @@ extend_skip_glob = ["pount/apps/*/migrations/*"]
 [tool.poetry]
 name = "pount-api"
-version = "3.1.8"
+version = "3.1.9"
 description = ""
 authors = ["DIP - Université de Strasbourg <dnum-dip@unistra.fr>"]
 readme = "README.md"
diff --git a/setup.py b/setup.py
index 7126bc9d2a66f5cf092aa0d318e4b41fa79818c9..96f29dfd613a5b5d69c929a853c60eba6f00d962 100644
--- a/setup.py
+++ b/setup.py
@@ -1,7 +1,7 @@
 from setuptools import find_packages, setup
 NAME = "Pount"
-VERSION = "3.1.8"
+VERSION = "3.1.9"
 setup(
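Review bot: In `ItemViewSet.get_queryset` (pount/apps/api/views/item.py) the visibility filter is dropped for every action, but Django REST Framework only runs `has_object_permission` from `get_object()`, so `list` and any code that iterates `get_queryset()` directly are no longer restricted by it. `ItemViewSet` derives from `ModelViewSet`, so unless the router or the permission classes (neither is visible in this hunk) limit list access, private items from other projects could show up in list results. Keeping the filter for non-detail routes would preserve the old behaviour there, for example `if not self.detail: queryset = queryset.is_public_or_user_is_project_member(self.request.user)`. The commented-out call should be deleted rather than kept, and the new comment should name the permission class that is expected to enforce set access. `get_queryset` continues past the end of the hunk.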