Reservation only_with_permission show RESERVER's own reservation

City-of-Helsinki · Sep 5, 2024 · 64968c3 · 64968c3
1 parent 4940b85
commit 64968c3
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 0 deletions.
diff --git a/api/graphql/types/reservation/filtersets.py b/api/graphql/types/reservation/filtersets.py
@@ -91,15 +91,29 @@ def filter_by_only_with_permission(self, qs: QuerySet, name: str, value: bool) -
             return qs
 
         roles = UserRoleChoice.can_view_reservations()
+        reserver_roles = UserRoleChoice.can_create_staff_reservations()
+
         if user.permissions.has_general_role(role_choices=roles):
             return qs
 
         u_ids = user.permissions.unit_ids_where_has_role(role_choices=roles)
         g_ids = user.permissions.unit_group_ids_where_has_role(role_choices=roles)
 
+        reserver_u_ids = user.permissions.unit_ids_where_has_role(role_choices=reserver_roles)
+        reserver_g_ids = user.permissions.unit_group_ids_where_has_role(role_choices=reserver_roles)
+
         return qs.filter(
+            # Either has "can_view_reservations" permissions
             Q(reservation_unit__unit__in=u_ids)  #
             | Q(reservation_unit__unit__unit_groups__in=g_ids)
+            # ...or is the owner of the reservation, and has "can_create_staff_reservations" permissions to it
+            | (
+                Q(user=user)
+                & (
+                    Q(reservation_unit__unit__in=reserver_u_ids)  #
+                    | Q(reservation_unit__unit__unit_groups__in=reserver_g_ids)
+                )
+            )
         )
 
     def filter_by_only_with_handling_permission(self, qs: QuerySet, name: str, value: bool) -> QuerySet:

diff --git a/tests/test_graphql_api/test_reservation/test_filtering.py b/tests/test_graphql_api/test_reservation/test_filtering.py
@@ -189,6 +189,31 @@ def test_reservation__filter__by_only_with_permission__unit_admin(graphql):
     assert response.node(0) == {"pk": reservation.pk}
 
 
+def test_reservation__filter__by_only_with_permission__unit_admin__reserver(graphql):
+    unit = UnitFactory.create()
+
+    reservation_unit = ReservationUnitFactory.create(unit=unit)
+
+    admin = UserFactory.create_with_unit_role(role=UserRoleChoice.RESERVER, units=[unit])
+
+    # Own reservation, own unit
+    reservation = ReservationFactory.create(user=admin, reservation_unit=[reservation_unit])
+    # Own reservation, different unit
+    ReservationFactory.create(user=admin)
+    # Other user's reservation, own unit
+    ReservationFactory.create(reservation_unit=[reservation_unit])
+    # Other user's reservation, different unit
+    ReservationFactory.create()
+
+    graphql.force_login(admin)
+    query = reservations_query(only_with_permission=True)
+    response = graphql(query)
+
+    assert response.has_errors is False, response
+    assert len(response.edges) == 1
+    assert response.node(0) == {"pk": reservation.pk}
+
+
 def test_reservation__filter__by_only_with_permission__unit_group_admin(graphql):
     unit_group = UnitGroupFactory.create()
     unit = UnitFactory.create(unit_groups=[unit_group])