feat: hide information_system from unauthenticated users (#413)

Refs TIED-169
City-of-Helsinki · Dec 13, 2024 · 5b24268 · 5b24268
1 parent 7ba5dd7
commit 5b24268
Show file tree

Hide file tree

Showing 3 changed files with 169 additions and 4 deletions.
diff --git a/metarecord/tests/test_api.py b/metarecord/tests/test_api.py
@@ -2197,15 +2197,23 @@ def test_function_classification_code_filtering(
 
 
 @pytest.mark.django_db
-def test_function_information_system_filtering(api_client, classification):
+def test_function_information_system_filtering(
+    api_client, user_api_client, classification, classification_2
+):
+    third_classification = Classification.objects.create(
+        title="testification",
+        code="00 100",
+        state=Classification.APPROVED,
+        function_allowed=True,
+    )
     function = Function.objects.create(
         classification=classification, state=Function.APPROVED
     )
     function_2 = Function.objects.create(
-        classification=classification, state=Function.APPROVED
+        classification=classification_2, state=Function.APPROVED
     )
     function_3 = Function.objects.create(
-        classification=classification, state=Function.APPROVED
+        classification=third_classification, state=Function.APPROVED
     )
 
     phase = Phase.objects.create(
@@ -2238,13 +2246,103 @@ def test_function_information_system_filtering(api_client, classification):
         attributes={"NotAnInformationSystem": "xyz"}, action=action_3, index=1
     )
 
+    # Dummy check that the functions differ.
+    assert function.uuid.hex != function_2.uuid.hex
+    assert function.uuid.hex != function_3.uuid.hex
+
     response = api_client.get(FUNCTION_LIST_URL + "?information_system=xyz")
     assert response.status_code == 200
     results = response.data["results"]
     assert len(results) == 1
     assert results[0]["id"] == function.uuid.hex
 
 
+@pytest.mark.django_db
+def test_function_detail_shows_record_information_system_for_authenticated_user(
+    user_api_client, classification
+):
+    function = Function.objects.create(
+        classification=classification, state=Function.APPROVED
+    )
+
+    phase = Phase.objects.create(
+        attributes={"TypeSpecifier": "test phase"}, function=function, index=1
+    )
+    action = Action.objects.create(
+        attributes={"TypeSpecifier": "test action"}, phase=phase, index=1
+    )
+    Record.objects.create(
+        attributes={"InformationSystem": "xyz"}, action=action, index=1
+    )
+
+    response = user_api_client.get(get_function_detail_url(function))
+    assert response.status_code == 200
+    assert (
+        response.data["phases"][0]["actions"][0]["records"][0]["attributes"][
+            "InformationSystem"
+        ]
+        == "xyz"
+    )
+
+
+@pytest.mark.django_db
+def test_function_detail_does_not_show_record_information_system_for_unauthenticated_user(
+    api_client, classification
+):
+    function = Function.objects.create(
+        classification=classification, state=Function.APPROVED
+    )
+
+    phase = Phase.objects.create(
+        attributes={"TypeSpecifier": "test phase"}, function=function, index=1
+    )
+    action = Action.objects.create(
+        attributes={"TypeSpecifier": "test action"}, phase=phase, index=1
+    )
+    Record.objects.create(
+        attributes={"InformationSystem": "xyz"}, action=action, index=1
+    )
+
+    response = api_client.get(get_function_detail_url(function))
+    assert response.status_code == 200
+    assert (
+        response.data["phases"][0]["actions"][0]["records"][0]["attributes"].get(
+            "InformationSystem"
+        )
+        is None
+    )
+
+
+@pytest.mark.django_db
+def test_function_list_shows_information_system_for_authenticated_user(
+    user_api_client, classification
+):
+    Function.objects.create(
+        classification=classification,
+        state=Function.APPROVED,
+        attributes={"InformationSystem": "xyz"},
+    )
+
+    response = user_api_client.get(FUNCTION_LIST_URL)
+    assert response.status_code == 200
+    assert response.data["results"][0]["attributes"]["InformationSystem"] == "xyz"
+
+
+@pytest.mark.django_db
+def test_function_list_does_not_show_information_system_for_unauthenticated_user(
+    api_client, classification
+):
+    Function.objects.create(
+        classification=classification,
+        state=Function.APPROVED,
+        attributes={"InformationSystem": "xyz"},
+    )
+
+    response = api_client.get(FUNCTION_LIST_URL)
+    assert response.status_code == 200
+    assert response.data["results"][0]["attributes"].get("InformationSystem") is None
+
+
 @pytest.mark.parametrize("authenticated", (False, True))
 @pytest.mark.django_db
 def test_function_visibility_in_version_history(
@@ -2450,6 +2548,36 @@ def test_classification_fields_visibility(
         assert "additional_information" not in response.data
 
 
+@pytest.mark.django_db
+def test_classification_function_information_system_is_visible_for_authenticated_user(
+    user_api_client, classification
+):
+    Function.objects.create(
+        classification=classification,
+        state=Function.APPROVED,
+        attributes={"InformationSystem": "xyz"},
+    )
+
+    response = user_api_client.get(get_classification_detail_url(classification))
+    assert response.status_code == 200
+    assert response.data["function_attributes"]["InformationSystem"] == "xyz"
+
+
+@pytest.mark.django_db
+def test_classification_function_information_system_is_not_visible_for_unauthenticated_user(
+    api_client, classification
+):
+    Function.objects.create(
+        classification=classification,
+        state=Function.APPROVED,
+        attributes={"InformationSystem": "xyz"},
+    )
+
+    response = api_client.get(get_classification_detail_url(classification))
+    assert response.status_code == 200
+    assert response.data["function_attributes"] == {}
+
+
 @pytest.mark.parametrize("has_permission", (False, True))
 @pytest.mark.django_db
 def test_classification_create_requires_permission(
@@ -2948,3 +3076,26 @@ def test_record_modified_by_display(record, user_api_client, permission):
         assert "modified_by" not in response_data.keys()
     else:
         assert response_data["modified_by"] == "John Rambo"
+
+
+@pytest.mark.django_db
+def test_record_shows_information_system_for_authenticated_user(
+    record, user_api_client
+):
+    record.attributes = {"TypeSpecifier": "test record", "InformationSystem": "xyz"}
+    record.save()
+
+    response = user_api_client.get(get_record_detail_url(record))
+    assert response.status_code == 200
+    assert response.json()["attributes"]["InformationSystem"] == "xyz"
+
+
+@pytest.mark.django_db
+def test_record_does_not_show_information_system_for_unauthenticated_user(
+    record, api_client
+):
+    record.attributes = {"TypeSpecifier": "test record", "InformationSystem": "xyz"}
+    record.save()
+    response = api_client.get(get_record_detail_url(record))
+    assert response.status_code == 200
+    assert response.json()["attributes"].get("InformationSystem") is None
diff --git a/metarecord/views/base.py b/metarecord/views/base.py
@@ -32,6 +32,18 @@ class Meta:
         ordering = ("index",)
         exclude = ("uuid", "created_by", "_created_by", "_modified_by")
 
+    def to_representation(self, obj):
+        ret = super().to_representation(obj)
+        user = self.context["request"].user
+        if (
+            not user.is_authenticated
+            and (attributes := ret.get("attributes", {}))
+            and "InformationSystem" in attributes
+        ):
+            attributes.pop("InformationSystem", None)
+
+        return ret
+
     def get_fields(self):
         fields = super().get_fields()
 

diff --git a/metarecord/views/classification.py b/metarecord/views/classification.py
@@ -111,7 +111,7 @@ def _get_phases(self, obj):
         if function:
             phases = function.phases.all()
 
-        serializer = PhaseSerializer(phases, many=True)
+        serializer = PhaseSerializer(phases, many=True, context=self.context)
 
         return serializer.data
 
@@ -155,6 +155,8 @@ def to_representation(self, obj):
             if not request.user.is_authenticated:
                 data.pop("description_internal", None)
                 data.pop("additional_information", None)
+                if "function_attributes" in data and data["function_attributes"]:
+                    data["function_attributes"].pop("InformationSystem", None)
 
         return data