From 30dffe89ff072e91eadf3cfc2e2fe1259ecc7260 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi
Date: Fri, 17 Jan 2025 13:10:31 +0200
Subject: [PATCH 1/2] updated preprint view permissions

---
 api/preprints/views.py | 1 +
 osf/models/preprint.py | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/api/preprints/views.py b/api/preprints/views.py
index e83a8b8e412..0b151f51bff 100644
--- a/api/preprints/views.py
+++ b/api/preprints/views.py
@@ -244,6 +244,7 @@ def get_queryset(self):
         # Permissions on the list objects are handled by the query
         public_only = self.metrics_requested
         qs = self.preprints_queryset(qs, auth_user, public_only=public_only)
+        qs = qs.filter(Preprint.objects.preprint_versions_permissions_query(auth_user))
         return qs
diff --git a/osf/models/preprint.py b/osf/models/preprint.py
index c1109c00c04..815ca437e97 100644
--- a/osf/models/preprint.py
+++ b/osf/models/preprint.py
@@ -110,6 +110,31 @@ def can_view(self, base_queryset=None, user=None, allow_contribs=True, public_on
         # TODO: Remove need for .distinct using correct subqueries
         return ret.distinct('id', 'created') if include_non_public else ret
 
+    def preprint_versions_permissions_query(self, user=None, allow_contribs=True, public_only=False):
+        include_non_public = user and not user.is_anonymous and not public_only
+        if include_non_public:
+            moderator_for = get_objects_for_user(user, 'view_submissions', PreprintProvider, with_superuser=False)
+            admin_user_query = Q(id__in=get_objects_for_user(user, 'admin_preprint', self.filter(Q(preprintcontributor__user_id=user.id)), with_superuser=False))
+            reviews_user_query = Q(is_public=True, provider__in=moderator_for)
+            if allow_contribs:
+                contrib_user_query = ~Q( machine_state__in=[ DefaultStates.INITIAL.value, DefaultStates.PENDING.value, DefaultStates.REJECTED.value ] ) & Q(id__in=get_objects_for_user(user, 'read_preprint', self.filter(Q(preprintcontributor__user_id=user.id)), with_superuser=False))
+                query = (self.no_user_query | contrib_user_query | admin_user_query | reviews_user_query)
+            else:
+                query = (self.no_user_query | admin_user_query | reviews_user_query)
+        else:
+            moderator_for = PreprintProvider.objects.none()
+            query = self.no_user_query
+
+        if not moderator_for.exists():
+            query = query & Q(Q(date_withdrawn__isnull=True) | Q(ever_public=True))
+        return query
+
 class PublishedPreprintManager(PreprintManager):
     def get_queryset(self):
         return super().get_queryset().filter(is_published=True)
From 5dc938c4eb098d2a863a8d22434515a261717901 Mon Sep 17 00:00:00 2001
From: Ostap Zherebetskyi
Date: Mon, 20 Jan 2025 13:09:38 +0200
Subject: [PATCH 2/2] updated PreprintVersionsList

---
 api/preprints/views.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/api/preprints/views.py b/api/preprints/views.py
index 0b151f51bff..2319e3c446e 100644
--- a/api/preprints/views.py
+++ b/api/preprints/views.py
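Review bot: The new `preprint_versions_permissions_query` is an authorization predicate with no docstring, and its body appears to be a second hand-maintained copy of the query that `can_view` directly above assembles (only `can_view`'s tail is inside this hunk; the inference rests on the identical signature and the shared `include_non_public` guard), so the two predicates can silently drift apart on a later fix. A docstring should state that it returns a `Q` rather than a queryset, that an anonymous `user` or `public_only=True` collapses it to `self.no_user_query`, and that the `date_withdrawn__isnull`/`ever_public` guard is dropped for the whole query — not just for that provider's rows — as soon as the user moderates any provider, since `moderator_for.exists()` is evaluated globally. To remove the duplication, `can_view` could delegate with `ret = base_queryset.filter(self.preprint_versions_permissions_query(user, allow_contribs, public_only))`, provided its remaining lines match what is added here. Note also that `moderator_for.exists()` is an extra database round-trip on every call, which is fine per request but worth knowing if this predicate is ever built in a loop.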
@@ -243,8 +243,7 @@ def get_queryset(self):
         # Permissions on the list objects are handled by the query
         public_only = self.metrics_requested
-        qs = self.preprints_queryset(qs, auth_user, public_only=public_only)
-        qs = qs.filter(Preprint.objects.preprint_versions_permissions_query(auth_user))
+        qs = qs.filter(Preprint.objects.preprint_versions_permissions_query(auth_user, public_only=public_only))
         return qs
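Review bot: Replacing `self.preprints_queryset(...)` with a bare `qs.filter(Q)` drops whatever that helper did beyond permission filtering; in particular `can_view` in the first patch ends with `.distinct('id', 'created')` under `include_non_public` to work around duplicate rows from the auth subquery (see the `# TODO` in that hunk), and no equivalent is applied here. If `preprints_queryset` routed through `can_view` (its body is outside this patch), the versions list may now return duplicate rows for an authenticated user; confirm that, and if so append `.distinct('id', 'created')` under the same condition or have the manager method return a filtered queryset instead of a `Q`. The `# Permissions on the list objects are handled by the query` comment stays accurate, but `get_queryset` starts and ends outside this hunk, so `qs` and `auth_user` are assumed to be bound above.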