only moderator and admin can access moderation tabs (#11343)

Author: ihorsokhanexoft

api/providers/permissions.py

@@ -1,4 +1,3 @@
-from guardian.shortcuts import get_perms
 from rest_framework import permissions as drf_permissions
 
 from api.base.utils import get_user_auth
@@ -36,4 +35,7 @@ def has_permission(self, request, view):
 class MustBeModerator(drf_permissions.BasePermission):
     def has_permission(self, request, view):
         auth = get_user_auth(request)
-        return bool(get_perms(auth.user, view.get_provider()))
+        provider = view.get_provider()
+        is_admin = provider.get_group('admin').user_set.filter(id=auth.user.id).exists()
+        is_moderator = provider.get_group('moderator').user_set.filter(id=auth.user.id).exists()
+        return is_moderator or is_admin

api/registrations/permissions.py

@@ -7,10 +7,10 @@ class ContributorOrModerator(permissions.BasePermission):
 
     def has_object_permission(self, request, view, obj):
         auth = get_user_auth(request)
+        is_admin = obj.provider.get_group('admin').user_set.filter(id=auth.user.id).exists()
+        is_moderator = obj.provider.get_group('moderator').user_set.filter(id=auth.user.id).exists()
 
-        # If a user has perms on the provider, they must be a moderator or admin
-        is_moderator = bool(get_perms(auth.user, obj.provider))
-        return obj.is_admin_contributor(auth.user) or is_moderator
+        return obj.is_admin_contributor(auth.user) or is_moderator or is_admin
 
 
 class ContributorOrModeratorOrPublic(permissions.BasePermission):

api_tests/providers/collections/views/test_permissions.py

@@ -0,0 +1,22 @@
+import pytest
+
+from api.base.settings.defaults import API_BASE
+from api_tests.providers.mixins import OnlyModeratorOrAdminPermissionsMixin
+
+from osf_tests.factories import CollectionProviderFactory
+
+
+@pytest.mark.django_db
+class TestOnlyModeratorOrAdmin(OnlyModeratorOrAdminPermissionsMixin):
+
+    @pytest.fixture()
+    def urls(self, provider, moderator, admin):
+        return [
+            f'/{API_BASE}providers/collections/{provider._id}/moderators/',
+            f'/{API_BASE}providers/collections/{provider._id}/moderators/{moderator._id}/',
+            f'/{API_BASE}providers/collections/{provider._id}/moderators/{admin._id}/',
+        ]
+
+    @pytest.fixture()
+    def provider(self):
+        return CollectionProviderFactory()

api_tests/providers/mixins.py

@@ -1038,3 +1038,42 @@ def test_provider_has_both_acceptable_and_default_licenses(self, app, provider,
         assert license_one._id in license_ids
         assert license_three._id in license_ids
         assert license_two._id not in license_ids
+
+
+@pytest.mark.django_db
+class OnlyModeratorOrAdminPermissionsMixin:
+
+    @pytest.fixture()
+    def provider(self):
+        raise NotImplementedError
+
+    @pytest.fixture()
+    def user(self):
+        return AuthUserFactory()
+
+    @pytest.fixture()
+    def moderator(self, provider):
+        mod = AuthUserFactory()
+        provider.get_group('moderator').user_set.add(mod)
+        return mod
+
+    @pytest.fixture()
+    def admin(self, provider):
+        adm = AuthUserFactory()
+        provider.get_group('admin').user_set.add(adm)
+        return adm
+
+    @pytest.fixture()
+    def urls(self):
+        raise NotImplementedError
+
+    def test_moderator_or_admin_have_access_to_provider(self, app, provider, user, moderator, admin, urls):
+        for url in urls:
+            user_res = app.get(url, auth=user.auth, expect_errors=True)
+            assert user_res.status_code == 403
+
+            moderator_res = app.get(url, auth=moderator.auth)
+            assert moderator_res.status_code == 200
+
+            admin_res = app.get(url, auth=admin.auth)
+            assert admin_res.status_code == 200

api_tests/providers/preprints/views/test_permissions.py

@@ -0,0 +1,23 @@
+import pytest
+
+from api.base.settings.defaults import API_BASE
+from api_tests.providers.mixins import OnlyModeratorOrAdminPermissionsMixin
+
+from osf_tests.factories import PreprintProviderFactory
+
+
+@pytest.mark.django_db
+class TestOnlyModeratorOrAdmin(OnlyModeratorOrAdminPermissionsMixin):
+
+    @pytest.fixture()
+    def urls(self, provider, moderator, admin):
+        return [
+            f'/{API_BASE}providers/preprints/{provider._id}/withdraw_requests/',
+            f'/{API_BASE}providers/preprints/{provider._id}/moderators/',
+            f'/{API_BASE}providers/preprints/{provider._id}/moderators/{moderator._id}/',
+            f'/{API_BASE}providers/preprints/{provider._id}/moderators/{admin._id}/',
+        ]
+
+    @pytest.fixture()
+    def provider(self):
+        return PreprintProviderFactory()

api_tests/providers/registrations/views/test_permissions.py

@@ -0,0 +1,25 @@
+import pytest
+
+from api.base.settings.defaults import API_BASE
+from api_tests.providers.mixins import OnlyModeratorOrAdminPermissionsMixin
+
+from osf_tests.factories import RegistrationProviderFactory
+
+
+@pytest.mark.django_db
+class TestOnlyModeratorOrAdmin(OnlyModeratorOrAdminPermissionsMixin):
+
+    @pytest.fixture()
+    def urls(self, provider, moderator, admin):
+        return [
+            f'/{API_BASE}providers/registrations/{provider._id}/requests/',
+            f'/{API_BASE}providers/registrations/{provider._id}/registrations/',
+            f'/{API_BASE}providers/registrations/{provider._id}/actions/',
+            f'/{API_BASE}providers/registrations/{provider._id}/moderators/',
+            f'/{API_BASE}providers/registrations/{provider._id}/moderators/{moderator._id}/',
+            f'/{API_BASE}providers/registrations/{provider._id}/moderators/{admin._id}/',
+        ]
+
+    @pytest.fixture()
+    def provider(self):
+        return RegistrationProviderFactory()