🩹 Do not send link users can't read in problem report resolution

okfde · Jan 22, 2025 · 6925ef2 · 6925ef2
1 parent 355b5f6
commit 6925ef2
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/froide/foirequest/auth.py b/froide/foirequest/auth.py
@@ -4,6 +4,7 @@
 from django.conf import settings
 from django.db.models import Q
 from django.http import HttpRequest
+from django.test import RequestFactory
 from django.urls import reverse
 from django.utils.crypto import constant_time_compare, salted_hmac
 from django.utils.translation import override
@@ -25,6 +26,13 @@
 from .models import FoiAttachment, FoiMessage, FoiProject, FoiRequest
 
 
+def get_request_for_user(user, path: str):
+    request_factory = RequestFactory()
+    request = request_factory.get(path)
+    request.user = user
+    return request
+
+
 def get_campaign_auth_foirequests_filter(request: HttpRequest, fk_path=None):
     if not request.user.is_staff:
         return None

diff --git a/froide/problem/templates/problem/email_problem_resolved.txt b/froide/problem/templates/problem/email_problem_resolved.txt
@@ -5,10 +5,12 @@
 {% blocktrans with title=title %}We have resolved the problem you reported on the request “{{ title }}”.{% endblocktrans %}
 {% endif %}
 {% if report.resolution %}{{ report.resolution }}{% endif %}
+{% if can_read_request %}
 
 {% trans "You can go to the request here:" %}
 
 {{ url }}
+{% endif %}
 {% blocktrans with site_name=site_name %}
 Cheers,
 {{ site_name }}{% endblocktrans %}

diff --git a/froide/problem/utils.py b/froide/problem/utils.py
@@ -4,6 +4,8 @@
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 
+from froide.foirequest.auth import can_read_foirequest, get_request_for_user
+
 
 def inform_managers(report):
     admin_url = settings.SITE_URL + reverse(
@@ -23,6 +25,11 @@ def inform_managers(report):
     )
 
 
+def can_read(user, foirequest):
+    request = get_request_for_user(user, foirequest.get_absolute_url())
+    return can_read_foirequest(foirequest, request)
+
+
 def inform_user_problem_resolved(report):
     if report.auto_submitted or not report.user:
         return False
@@ -39,6 +46,7 @@ def inform_user_problem_resolved(report):
                 report.message.get_absolute_short_url()
             ),
             "site_name": settings.SITE_NAME,
+            "can_read_request": can_read(report.user, foirequest),
         },
     )