Merge pull request CenterForOpenScience#10921 from Ostap-Zherebetskyi…

…/fix/preprint_view_permissions [ENG-6930] Pre-moderation Unpublished (i.e. Rejected or Pending) versions should be hidden for non-admin users
cslzchen · Jan 20, 2025 · fb705cc · fb705cc
2 parents e2f02f9 + 5dc938c
commit fb705cc
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/api/preprints/views.py b/api/preprints/views.py
@@ -243,7 +243,7 @@ def get_queryset(self):
 
         # Permissions on the list objects are handled by the query
         public_only = self.metrics_requested
-        qs = self.preprints_queryset(qs, auth_user, public_only=public_only)
+        qs = qs.filter(Preprint.objects.preprint_versions_permissions_query(auth_user, public_only=public_only))
 
         return qs
 

diff --git a/osf/models/preprint.py b/osf/models/preprint.py
@@ -110,6 +110,31 @@ def can_view(self, base_queryset=None, user=None, allow_contribs=True, public_on
         # TODO: Remove need for .distinct using correct subqueries
         return ret.distinct('id', 'created') if include_non_public else ret
 
+    def preprint_versions_permissions_query(self, user=None, allow_contribs=True, public_only=False):
+        include_non_public = user and not user.is_anonymous and not public_only
+        if include_non_public:
+            moderator_for = get_objects_for_user(user, 'view_submissions', PreprintProvider, with_superuser=False)
+            admin_user_query = Q(id__in=get_objects_for_user(user, 'admin_preprint', self.filter(Q(preprintcontributor__user_id=user.id)), with_superuser=False))
+            reviews_user_query = Q(is_public=True, provider__in=moderator_for)
+            if allow_contribs:
+                contrib_user_query = ~Q(
+                    machine_state__in=[
+                        DefaultStates.INITIAL.value,
+                        DefaultStates.PENDING.value,
+                        DefaultStates.REJECTED.value
+                    ]
+                ) & Q(id__in=get_objects_for_user(user, 'read_preprint', self.filter(Q(preprintcontributor__user_id=user.id)), with_superuser=False))
+                query = (self.no_user_query | contrib_user_query | admin_user_query | reviews_user_query)
+            else:
+                query = (self.no_user_query | admin_user_query | reviews_user_query)
+        else:
+            moderator_for = PreprintProvider.objects.none()
+            query = self.no_user_query
+
+        if not moderator_for.exists():
+            query = query & Q(Q(date_withdrawn__isnull=True) | Q(ever_public=True))
+        return query
+
 class PublishedPreprintManager(PreprintManager):
     def get_queryset(self):
         return super().get_queryset().filter(is_published=True)