From 7f6b6fe666511d1c10625d5d38b1a781d2e40260 Mon Sep 17 00:00:00 2001
From: francastell <fsophisco@yahoo.com>
Date: Fri, 12 Jul 2024 15:47:35 -0400
Subject: [PATCH] G3-252 api geneset value access correction

---
 pyproject.toml                            |  2 +-
 src/geneweaver/api/controller/genesets.py |  4 +++-
 src/geneweaver/api/controller/message.py  |  2 +-
 src/geneweaver/api/services/geneset.py    | 21 +++++++++++++--------
 tests/services/test_genset.py             | 11 +++++++++--
 5 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index f23e501..4bf7619 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "geneweaver-api"
-version = "0.7.0a5"
+version = "0.7.0a6"
 description = "The Geneweaver API"
 authors = [
     "Alexander Berger <alexander.berger@jax.org>",
diff --git a/src/geneweaver/api/controller/genesets.py b/src/geneweaver/api/controller/genesets.py
index 459cba3..b3d958b 100644
--- a/src/geneweaver/api/controller/genesets.py
+++ b/src/geneweaver/api/controller/genesets.py
@@ -173,7 +173,9 @@ def get_geneset_values(
             raise HTTPException(status_code=500, detail=api_message.UNEXPECTED_ERROR)
 
     if response.get("data") is None:
-        raise HTTPException(status_code=404, detail=api_message.RECORD_NOT_FOUND_ERROR)
+        raise HTTPException(
+            status_code=404, detail=api_message.INACCESSIBLE_OR_FORBIDDEN
+        )
 
     return response
 
diff --git a/src/geneweaver/api/controller/message.py b/src/geneweaver/api/controller/message.py
index f9d42ab..d7f51ac 100644
--- a/src/geneweaver/api/controller/message.py
+++ b/src/geneweaver/api/controller/message.py
@@ -2,7 +2,7 @@
 
 ##Errors
 ACCESS_FORBIDDEN = "Forbidden"
-INACCESSIBLE_OR_FORBIDDEN = "Record not found or forbidden"
+INACCESSIBLE_OR_FORBIDDEN = "Record not found or forbidden access"
 UNEXPECTED_ERROR = "Unexpected Error"
 GENE_IDENTIFIER_TYPE_VALUE_ERROR = "Invalid gene identifier type"
 RECORD_NOT_FOUND_ERROR = "Record not found"
diff --git a/src/geneweaver/api/services/geneset.py b/src/geneweaver/api/services/geneset.py
index 41bb098..dc677f5 100644
--- a/src/geneweaver/api/services/geneset.py
+++ b/src/geneweaver/api/services/geneset.py
@@ -191,6 +191,9 @@ def get_geneset(
             gs_id=geneset_id,
             with_publication_info=False,
         )
+        if len(results) <= 0:
+            return {"data": None}
+
         geneset = results[0]
         geneset_values = db_geneset_value.by_geneset_id(
             cursor=cursor, geneset_id=geneset_id, gsv_in_threshold=in_threshold
@@ -223,17 +226,19 @@ def get_geneset_gene_values(
         if user is None or user.id is None:
             return {"error": True, "message": message.ACCESS_FORBIDDEN}
 
+        ## Check genset exists and user can read it
+        results = db_geneset.get(
+            cursor,
+            gs_id=geneset_id,
+            is_readable_by=user.id,
+            with_publication_info=False,
+        )
+        if len(results) <= 0:
+            return {"data": None}
+
         # If gene id type is given, check gene species homology to
         # construct proper gene species mapping
         if gene_id_type is not None:
-            results = db_geneset.get(
-                cursor,
-                gs_id=geneset_id,
-                with_publication_info=False,
-            )
-            if len(results) <= 0:
-                return {"data": None}
-
             geneset = results[0]
             geneset_values = get_gsv_w_gene_homology_update(
                 cursor=cursor,
diff --git a/tests/services/test_genset.py b/tests/services/test_genset.py
index 29ab6cb..e91a4d4 100644
--- a/tests/services/test_genset.py
+++ b/tests/services/test_genset.py
@@ -32,12 +32,17 @@ def test_get_geneset(mock_db_geneset, mock_db_genset_value):
     assert response.get("error") is None
 
 
-def test_get_geneset_no_user_access():
+@patch("geneweaver.api.services.geneset.db_geneset")
+def test_get_geneset_no_user_access(mock_db_geneset):
     """Test get geneset by ID with no user access."""
     response = geneset.get_geneset(None, 1234, None)
     assert response.get("error") is True
     assert response.get("message") == message.ACCESS_FORBIDDEN
 
+    mock_db_geneset.get.return_value = []
+    response = geneset.get_geneset(None, 1234, mock_user)
+    assert response.get("data") is None
+
 
 @patch("geneweaver.api.services.geneset.db_geneset")
 @patch("geneweaver.api.services.geneset.db_geneset_value")
@@ -296,8 +301,10 @@ def test_map_geneset_homology_db_call_error(mock_db_gene):
 
 
 @patch("geneweaver.api.services.geneset.db_geneset_value")
-def test_geneset_gene_value_response(mock_db_geneset_value):
+@patch("geneweaver.api.services.geneset.db_geneset")
+def test_geneset_gene_value_response(mock_db_geneset, mock_db_geneset_value):
     """Test geneset gene value data response."""
+    mock_db_geneset.get.return_value = [geneset_by_id_resp.get("geneset")]
     mock_db_geneset_value.by_geneset_id.return_value = geneset_by_id_resp.get(
         "geneset_values"
     )