
Commit b1f0507

🚑 - fix: fix a bug where record manager was unable to access destruction list with status change_requested created by another user
1 parent f9901ce commit b1f0507


4 files changed

+11
-18
lines changed


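--- a/backend/src/openarchiefbeheer/destruction/api/serializers.py
+++ b/backend/src/openarchiefbeheer/destruction/api/serializers.py
@@ -748,12 +748,8 @@ class Meta:
 
 def validate(self, attrs: dict) -> dict:
 destruction_list = attrs["review"].destruction_list
-request = self.context["request"]
 
-if not (
-request.user == destruction_list.author
-and destruction_list.status == ListStatus.changes_requested
-):
+if not (destruction_list.status == ListStatus.changes_requested):
 raise ValidationError(
 _(
 "This user is either not allowed to update the destruction list or "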
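Review bot: With the `request.user == destruction_list.author` comparison removed, `validate` no longer performs any per-user check, so who may create a review response now rests entirely on the view's permission classes, which are not visible in this hunk; please confirm the view still requires the record-manager permission (the tests create users with `post__can_start_destruction=True`) and refuses everyone else. The error text kept below still begins "This user is either not allowed to update the destruction list or", which no longer describes a condition this method tests and will mislead whoever reads the 400 response. The condition also reads more directly as `if destruction_list.status != ListStatus.changes_requested:`. The `raise ValidationError(` call continues past the end of the hunk.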
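--- a/backend/src/openarchiefbeheer/destruction/tests/endpoints/test_reviewresponse.py
+++ b/backend/src/openarchiefbeheer/destruction/tests/endpoints/test_reviewresponse.py
@@ -133,7 +133,7 @@ def test_create_review_response(self):
 
 self.assertEqual(item_response3.action_zaak["archiefactiedatum"], "2030-01-01")
 
-def test_cannot_create_response_if_not_author(self):
+def test_can_create_response_if_not_author(self):
 record_manager1 = UserFactory.create(post__can_start_destruction=True)
 record_manager2 = UserFactory.create(post__can_start_destruction=True)
 
@@ -156,14 +156,7 @@ def test_cannot_create_response_if_not_author(self):
 format="json",
 )
 
-self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
-self.assertEqual(
-response.json()["nonFieldErrors"][0],
-_(
-"This user is either not allowed to update the destruction list or "
-"the destruction list cannot currently be updated."
-),
-)
+self.assertEqual(response.status_code, status.HTTP_201_CREATED)
 
 def test_cannot_create_response_if_not_changes_requested(self):
 record_manager = UserFactory.create(post__can_start_destruction=True)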
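Review bot: The renamed test now asserts only `HTTP_201_CREATED`, and with the 400 assertions deleted nothing in the visible hunks checks that any caller is still refused on the grounds of who they are. Both users here are created with `post__can_start_destruction=True`; a companion test that posts as a user created without that permission and expects a rejection would keep the relaxed rule from widening further unnoticed. It would also help to assert that the created response belongs to the list authored by the other record manager, so the test demonstrates the cross-user case rather than just a status code. The test body between the two hunks is not visible, so some of this may already be covered there.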

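--- a/frontend/src/lib/auth/permissions.test.ts
+++ b/frontend/src/lib/auth/permissions.test.ts
@@ -310,9 +310,13 @@ DESTRUCTION_LIST_STATUSES.forEach((status) => {
 expect(canUpdateDestructionList(user, destructionList)).toBe(false);
 });
 
-test("should not allow a user to update if they are not the assignee", () => {
-destructionList.assignee = anotherUser;
-expect(canUpdateDestructionList(user, destructionList)).toBe(false);
+test("should allow a user to update if they are not the author", () => {
+expect(
+canUpdateDestructionList(
+user,
+destructionListFactory({ status: "changes_requested" }),
+),
+).toBe(true);
 });
 });
 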
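Review bot: The new test hard-codes `status: "changes_requested"` and never reads the loop variable, yet the hunk header places it inside `DESTRUCTION_LIST_STATUSES.forEach((status) => {`, so it would be registered once per status with the same name and body; it probably belongs outside that loop. Its title speaks of the author, while the removed test and the removed line in permissions.ts concerned `assignee`, and nothing visible makes the list's owner differ from `user`, so whether the "other user" case is exercised depends on the factory defaults. Setting it explicitly, for instance `destructionList.assignee = anotherUser;` before the call as the removed test did, would make the intent verifiable.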

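--- a/frontend/src/lib/auth/permissions.ts
+++ b/frontend/src/lib/auth/permissions.ts
@@ -97,7 +97,7 @@ export function canUpdateDestructionList(
 return false;
 }
 
-return user.pk === destructionList.assignee.pk;
+return true;
 }
 
 export function canViewDestructionList(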
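Review bot: After this change the last statement of `canUpdateDestructionList` is an unconditional `return true;`, so every user who passes the earlier guards (which begin above the hunk and are not visible here) is offered the update UI. That is acceptable only if the API enforces the real rule, since this function can do no more than hide controls; a short comment above the return would record that, for example `// No per-user restriction here: the backend decides who may process the list.` If `user` is no longer read anywhere in the remaining body, it is worth noting that too rather than leaving a silently unused parameter.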
