🛂(abilities) fix anonymous and unrelated users accessing resources

The function computing abilities return "True" for method get, even if role of request user was None.
2024-03-06 16:06:59 +01:00
parent 18971a10e0
commit b2956e42d3
2 changed files with 3 additions and 3 deletions
--- a/src/backend/core/models.py
+++ b/src/backend/core/models.py
@@ -355,7 +355,7 @@ class Team(BaseModel):
            is_owner_or_admin = role in [RoleChoices.OWNER, RoleChoices.ADMIN]

        return {
-            "get": True,
+            "get": bool(role),
            "patch": is_owner_or_admin,
            "put": is_owner_or_admin,
            "delete": role == RoleChoices.OWNER,
--- a/src/backend/core/tests/test_models_teams.py
+++ b/src/backend/core/tests/test_models_teams.py
@@ -62,7 +62,7 @@ def test_models_teams_get_abilities_anonymous():
    abilities = team.get_abilities(AnonymousUser())
    assert abilities == {
        "delete": False,
-        "get": True,
+        "get": False,
        "patch": False,
        "put": False,
        "manage_accesses": False,
@@ -75,7 +75,7 @@ def test_models_teams_get_abilities_authenticated():
    abilities = team.get_abilities(factories.UserFactory())
    assert abilities == {
        "delete": False,
-        "get": True,
+        "get": False,
        "patch": False,
        "put": False,
        "manage_accesses": False,