From ab75a1fc4e21c780ea1e6b053781dc0e451a1cbb Mon Sep 17 00:00:00 2001
From: johnyu95
Date: Wed, 20 Oct 2021 17:14:36 -0400
Subject: [PATCH] Fixed bug with anonymous user read only check and private file access
---
app/request/api/views.py | 4 +++-
app/response/views.py | 3 ++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/app/request/api/views.py b/app/request/api/views.py
index 30e80a6f5..b13df6045 100644
--- a/app/request/api/views.py
+++ b/app/request/api/views.py
@@ -212,7 +212,9 @@ def get_request_responses():
current_request = Requests.query.filter_by(id=flask_request.args['request_id']).one()
- if current_user in current_request.agency_users or current_user.is_agency_read_only(current_request.agency.ein):
+ if current_user.is_agency and \
+ (current_user in current_request.agency_users or
+ current_user.is_agency_read_only(current_request.agency.ein)):
# If the user is an agency user assigned to the request, all responses can be retrieved.
responses = Responses.query.filter(
Responses.request_id == current_request.id,
diff --git a/app/response/views.py b/app/response/views.py
index 17cabc5ef..8c6baecf9 100644
--- a/app/response/views.py
+++ b/app/response/views.py
@@ -700,6 +700,7 @@ def get_response_content(response_id):
400 error if response/file not found
"""
response_ = Responses.query.filter_by(id=response_id, deleted=False).one()
+ request = Requests.query.filter_by(id=response_.request_id).one()
if response_ is not None and response_.type == FILE:
upload_path = os.path.join(
@@ -751,7 +752,7 @@ def remove(resp):
and UserRequests.query.filter_by(
request_id=response_.request_id,
user_guid=current_user.guid
- ).first() is not None):
+ ).first() is not None or current_user.is_agency_read_only(request.agency_ein)):
@after_this_request
def remove(resp):
os.remove(serving_path)
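Review bot: The new guard evaluates `current_user.is_agency` before the membership and read-only checks, which only protects anonymous requests if the application's anonymous-user class actually defines `is_agency`; the commit message says the original failure was on anonymous users, so this presumably holds, but it is worth confirming that Flask-Login's default `AnonymousUserMixin` is never the proxied object, since it has no such attribute and the handler would then fail with an `AttributeError` instead of denying access. If that guarantee is not in place, `getattr(current_user, 'is_agency', False)` keeps the guard safe either way. As a point of style, the backslash continuation can be dropped by enclosing the whole condition in one pair of parentheses, e.g. `if (current_user.is_agency and (current_user in current_request.agency_users or current_user.is_agency_read_only(current_request.agency.ein))):`. get_request_responses continues outside the hunk.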
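Review bot: The new local is named `request`, which is the name of Flask's request proxy; if this module imports `from flask import request`, the lookup shadows it for the rest of get_response_content, and the sibling file in this same patch already uses the `flask_request` alias to avoid exactly that clash. Renaming it to match app/request/api/views.py avoids the ambiguity: `current_request = Requests.query.filter_by(id=response_.request_id).one()`. Note also that `.one()` raises rather than returning None, so the `response_ is not None` test on the following line was already never false, and the added query now runs for every response type even though, as far as the patch shows, its result is only consumed in the later hunk at line 755. The enclosing function continues outside the hunk.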
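Review bot: The `or current_user.is_agency_read_only(request.agency_ein)` clause is appended to an `and` chain whose beginning lies outside the hunk, and `or` binds loosest, so whatever that chain checks first (authentication, the file's privacy, the user's agency status) no longer applies once the read-only check is true; if that chain is what keeps private files from unauthenticated or non-agency users, this widens access beyond what the commit message describes. Mirroring the first hunk, the read-only branch should be guarded explicitly, e.g. `or (current_user.is_agency and current_user.is_agency_read_only(request.agency_ein))`, and the combined condition wrapped in its own parentheses so the precedence is visible to the next reader. Separately, this hunk reads `request.agency_ein` while app/request/api/views.py reads `current_request.agency.ein`; presumably both resolve on Requests, but using one form in both access checks makes them easier to audit together. The enclosing `if` starts outside the hunk.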