Merge pull request #412 from weni-ai/feature/my-apps-crm-authorization

Grants project app listing permission to CRM users
weni-ai · Feb 5, 2024 · 496e64f · 496e64f
2 parents 6c181f8 + 143ff9e
commit 496e64f
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 7 deletions.
diff --git a/marketplace/accounts/permissions.py b/marketplace/accounts/permissions.py
@@ -10,7 +10,7 @@
 READ_METHODS = ["GET"]
 
 
-def _is_crm_user(user):
+def is_crm_user(user):
     if not settings.ALLOW_CRM_ACCESS:
         return False
 
@@ -89,7 +89,7 @@ def has_permission(self, request, view) -> bool:
         if not is_authenticated:
             return False
 
-        return _is_crm_user(request.user)
+        return is_crm_user(request.user)
 
     def has_object_permission(self, request, view, obj):
-        return _is_crm_user(request.user)
+        return is_crm_user(request.user)
diff --git a/marketplace/applications/tests/test_views.py b/marketplace/applications/tests/test_views.py
@@ -2,6 +2,7 @@
 
 from django.urls import reverse
 from django.contrib.auth import get_user_model
+from django.test import override_settings
 from rest_framework import status
 
 from marketplace.applications.models import AppTypeAsset, AppTypeFeatured, App
@@ -306,3 +307,9 @@ def test_request_without_authorization(self):
         self.user_authorization.delete()
         response = self.request.get(self.url + f"?project_uuid={self.project_uuid}")
         self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+    @override_settings(ALLOW_CRM_ACCESS=True, CRM_EMAILS_LIST=["user@marketplace.ai"])
+    def test_request_with_crm_authorization(self):
+        self.user_authorization.delete()
+        response = self.request.get(self.url + f"?project_uuid={self.project_uuid}")
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
diff --git a/marketplace/applications/views.py b/marketplace/applications/views.py
@@ -3,11 +3,13 @@
 from rest_framework import status
 from rest_framework.exceptions import ValidationError, PermissionDenied
 from rest_framework.decorators import action
+from rest_framework.permissions import IsAuthenticated
 
 from marketplace.applications.serializers import AppTypeSerializer, MyAppSerializer
 from marketplace.core import types
 from marketplace.applications.models import App, AppTypeFeatured
 from marketplace.accounts.models import ProjectAuthorization
+from marketplace.accounts.permissions import is_crm_user
 
 
 class AppTypeViewSet(viewsets.ViewSet):
@@ -61,6 +63,7 @@ class MyAppViewSet(viewsets.ReadOnlyModelViewSet):
     lookup_field = "uuid"
     serializer_class = MyAppSerializer
     queryset = App.objects
+    permission_classes = (IsAuthenticated,)
 
     def get_queryset(self):
         queryset = super().get_queryset()
@@ -72,10 +75,13 @@ def get_queryset(self):
         if not project_uuid:
             raise ValidationError("project_uuid is a required parameter!")
 
-        try:
-            self.request.user.authorizations.get(project_uuid=project_uuid)
-        except ProjectAuthorization.DoesNotExist:
-            raise PermissionDenied()
+        user = self.request.user
+
+        if not is_crm_user(user):
+            try:
+                user.authorizations.get(project_uuid=project_uuid)
+            except ProjectAuthorization.DoesNotExist:
+                raise PermissionDenied()
 
         queryset = queryset.filter(project_uuid=project_uuid)