anonymous user handling (#1691)

* anonynomus user can't view private issue * anonymous user handling in API * automated test added for relevant api --------- Co-authored-by: DonnieBLT <[email protected]>
OWASP-BLT · Feb 8, 2024 · e895e1e · e895e1e
1 parent e8992a9
commit e895e1e
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 8 deletions.
diff --git a/contributors.json b/contributors.json
@@ -441,5 +441,18 @@
         "linkedin":"https://www.linkedin.com/in/jisanar/",
         "website":"https://github.com/JisanAR03",
         "bch_addr":"wish me luck☺"
+    },
+    {
+        "id":37,
+        "img":"https://avatars.githubusercontent.com/u/119354421?v=4",
+        "name":"Shirsh Jain",
+        "repository":"BLT | BLT-Core",
+        "short_description":"working for better world",
+        "long_description":"Hi, there I'm shirsh jain and I am always excited about the power we can achieve with coding and collabrative work.",
+        "location":"Rajasthan, India",
+        "twitter":"https://twitter.com/jainshirsh",
+        "linkedin":"https://www.linkedin.com/in/shirsh-jain-5a5b751b9/",
+        "website":"https://github.com/haniljain",
+        "bch_addr":"serendipity"
     }
 ]
diff --git a/website/api/views.py b/website/api/views.py
@@ -54,12 +54,18 @@ class UserIssueViewSet(viewsets.ModelViewSet):
     User Issue Model View Set
     """
 
-    queryset = Issue.objects.all()
     serializer_class = IssueSerializer
     filter_backends = (filters.SearchFilter,)
     search_fields = ("user__username", "user__id")
     http_method_names = ["get", "post", "head"]
-
+
+    def get_queryset(self):
+        anonymous_user = self.request.user.is_anonymous
+        user_id = self.request.user.id
+        if anonymous_user:
+            return Issue.objects.exclude(Q(is_hidden=True))
+        else :
+            return Issue.objects.exclude(Q(is_hidden=True) & ~Q(user_id=user_id))
 
 class UserProfileViewSet(viewsets.ModelViewSet):
     """
@@ -120,12 +126,20 @@ class IssueViewSet(viewsets.ModelViewSet):
     Issue View Set
     """
 
-    queryset = Issue.objects.all()
     serializer_class = IssueSerializer
     filter_backends = (filters.SearchFilter,)
     search_fields = ("url", "description", "user__id")
     http_method_names = ["get", "post", "head"]
 
+
+    def get_queryset(self):
+        anonymous_user = self.request.user.is_anonymous
+        user_id = self.request.user.id
+        if anonymous_user:
+            return Issue.objects.exclude(Q(is_hidden=True))
+        else :
+            return Issue.objects.exclude(Q(is_hidden=True) & ~Q(user_id=user_id))
+
     def get_issue_info(self,request,issue):
 
         if issue == None:

diff --git a/website/test_api.py b/website/test_api.py
@@ -124,3 +124,24 @@ def test_get_bug_hunt(self):
         self.assertEqual(response.status_code, status.HTTP_200_OK)
         if len(response.data):
             self.assertGreater(response.data[0]["starts_on"], datetime.datetime.now(), "Invalid Response")
+
+    def test_get_issues(self):
+
+        url = "/api/v1/issues/"
+        response = self.client.get(url)
+        self.assertEqual(response.status_code , status.HTTP_200_OK)
+        if len(response.data):
+            count = response.data["count"]
+            for n in range(0,count) :
+                message = "Test is failed"
+                self.assertTrue(response.data["results"][n].is_hidden , message)
+
+    def test_get_userissues(self):
+        url = "/api/v1/userissues/"
+        response = self.client.get(url)
+        self.assertEqual(response.status_code , status.HTTP_200_OK)
+        if len(response.data):
+            count = response.data["count"]
+            for n in range(0,count) :
+                message = "Test is failed"
+                self.assertTrue(response.data["results"][n].is_hidden , message)
diff --git a/website/views.py b/website/views.py
@@ -132,7 +132,11 @@ def index(request, template="index.html"):
 
     top_companies = Issue.objects.values("domain__name").annotate(count=Count('domain__name')).order_by("-count")[:10]
     top_testers = Issue.objects.values("user__id","user__username").filter(user__isnull=False).annotate(count=Count('user__username')).order_by("-count")[:10]
-    activities = Issue.objects.exclude(Q(is_hidden=True) & ~Q(user_id=request.user.id))[0:10]
+
+    if request.user.is_anonymous:
+        activities = Issue.objects.exclude(Q(is_hidden=True))[0:10]
+    else :
+        activities = Issue.objects.exclude(Q(is_hidden=True) & ~Q(user_id=request.user.id))[0:10]
 
     top_hunts = Hunt.objects.values(
         'id',
@@ -1649,13 +1653,17 @@ def search_issues(request, template="search.html"):
         stype = "label"
         query = query[6:]
     if stype == "issue" or stype is None:
+        if request.user.is_anonymous:
+            issues = Issue.objects.filter(Q(description__icontains=query),
+            hunt=None).exclude(Q(is_hidden=True))[0:20]
+        else :
+            issues = Issue.objects.filter(Q(description__icontains=query),
+            hunt=None).exclude(Q(is_hidden=True) & ~Q(user_id=request.user.id))[0:20]
+
         context = {
             "query": query,
             "type": stype,
-            "issues": Issue.objects.filter(Q(description__icontains=query),
-            hunt=None).exclude(Q(is_hidden=True) & ~Q(user_id=request.user.id))[
-                0:20
-            ],
+            "issues": issues,
         }
     if request.user.is_authenticated:
         context["wallet"] = Wallet.objects.get(user=request.user)