collaborator can access a private competition. #860
Conversation
|
A codabench user Now I guess this is because by becoming collaborator, Now participant of this competition can also access along with the collaborators Note: comp_1 is private competition |
|
The last commit fails in CircleCI: ERROR django.request:log.py:222 Internal Server Error: /api/competitions/31/
Traceback (most recent call last):
File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py", line 34, in inner
response = get_response(request)
File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 115, in _get_response
response = self.process_exception_by_middleware(e, request)
File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 113, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/usr/local/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
return view_func(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/rest_framework/viewsets.py", line 116, in view
return self.dispatch(request, *args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 495, in dispatch
response = self.handle_exception(exc)
File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 455, in handle_exception
self.raise_uncaught_exception(exc)
File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 492, in dispatch
response = handler(request, *args, **kwargs)
File "/app/src/apps/api/views/competitions.py", line 171, in update
instance = self.get_object()
File "/usr/local/lib/python3.8/site-packages/rest_framework/generics.py", line 98, in get_object
obj = get_object_or_404(queryset, **filter_kwargs)
File "/usr/local/lib/python3.8/site-packages/rest_framework/generics.py", line 21, in get_object_or_404
return _get_object_or_404(queryset, *filter_args, **filter_kwargs)
File "/usr/local/lib/python3.8/site-packages/django/shortcuts.py", line 93, in get_object_or_404
return queryset.get(*args, **kwargs)
File "/usr/local/lib/python3.8/site-packages/django/db/models/query.py", line 410, in get
raise self.model.MultipleObjectsReturned(
competitions.models.Competition.MultipleObjectsReturned: get() returned more than one Competition -- it returned 2!
_______ CompetitionParticipantTests.test_cant_participate_multiple_times _______ |
|
I've merged this but actually we have again this problem: 
When accessing a private competition |
|
I think you are not loggedin Edit: This fix should allow loggedin users to do the following
For NOT loggedIn users, they can only access public competitions |
|
I've identified the problem. When the user is not logged in, we ends here: else:
# if user is not authenticated only filter published/public competitions
qs = qs.filter(Q(published=True))But this filter is the same for the search bar and for accessing the competition... |
|
@ihsaan-ullah Yes, exactly. I don't know what we can do for not logged users that access private competitions through the secret URL |
|
Yes, but this is right filter because if you are using search or accessing competition detail page when you are NOT logged in then only published competitions should be shown. I agree that the view shown with error is not good when a competition is accessed through a URL and it is private then the error is shown. It should be discussed if for such case, 404 or any other good looking error should be shown |
|
Maybe a redirection to login page |
|
OK I'll open an issue to keep track of this problem |
@ mention of reviewers
@Didayolo
A brief description of the purpose of the changes contained in this PR.
Collaborators were not able to access the competitions they were added in
Now they can access it in search and the detail page
Issues this PR resolves
#858
Checklist