fix: Jobn execution now checks project membership

Alan Christie · Alan Christie · commit 2ade6b568d0f · 2024-02-01T10:15:17.000Z
diff --git a/viewer/squonk2_agent.py b/viewer/squonk2_agent.py
@@ -746,11 +746,11 @@ def _verify_access(self, c_params: CommonParams) -> Squonk2AgentRv:
         target_access_string = self._get_target_access_string(access_id)
         assert target_access_string
         proposal_list: List[str] = self.__ispyb_safe_query_set.get_proposals_for_user(
-            user
+            user, restrict_to_membership=True
         )
         if not target_access_string in proposal_list:
             msg = (
-                f'The user ({user.username}) cannot access "{target_access_string}"'
+                f'The user ({user.username}) cannot modify "{target_access_string}"'
                 f' (access_id={access_id}). Only {proposal_list})'
             )
             _LOGGER.warning(msg)
diff --git a/viewer/views.py b/viewer/views.py
@@ -1561,7 +1561,7 @@ def create(self, request, *args, **kwargs):
                                 f"You are not authorized to upload data to {target_access_string}"
                             ]
                         },
-                        status=status.HTTP_400_BAD_REQUEST,
+                        status=status.HTTP_403_FORBIDDEN,
                     )
 
         # memo to self: cannot use TemporaryDirectory here because task

Original file line number	Diff line number	Diff line change
`@@ -746,11 +746,11 @@ def _verify_access(self, c_params: CommonParams) -> Squonk2AgentRv:`
`746`	`746`	`target_access_string = self._get_target_access_string(access_id)`
`747`	`747`	`assert target_access_string`
`748`	`748`	`proposal_list: List[str] = self.__ispyb_safe_query_set.get_proposals_for_user(`
`749`		`- user`
	`749`	`+ user, restrict_to_membership=True`
`750`	`750`	`)`
`751`	`751`	`if not target_access_string in proposal_list:`
`752`	`752`	`msg = (`
`753`		`- f'The user ({user.username}) cannot access "{target_access_string}"'`
	`753`	`+ f'The user ({user.username}) cannot modify "{target_access_string}"'`
`754`	`754`	`f' (access_id={access_id}). Only {proposal_list})'`
`755`	`755`	`)`
`756`	`756`	`_LOGGER.warning(msg)`
Original file line number	Diff line number	Diff line change
`@@ -1561,7 +1561,7 @@ def create(self, request, args, *kwargs):`
`1561`	`1561`	`f"You are not authorized to upload data to {target_access_string}"`
`1562`	`1562`	`]`
`1563`	`1563`	`},`
`1564`		`- status=status.HTTP_400_BAD_REQUEST,`
	`1564`	`+ status=status.HTTP_403_FORBIDDEN,`
`1565`	`1565`	`)`
`1566`	`1566`
`1567`	`1567`	`# memo to self: cannot use TemporaryDirectory here because task`