collaborator can access a private competition.

src/apps/api/views/competitions.py

@@ -69,19 +69,25 @@ def get_queryset(self):
             ).values_list('status')[:1]
             qs = qs.annotate(participant_status=Subquery(participant_status_query))
 
-            # new condition for search bar
             # `mine` is true when this is called from "Benchmarks I'm Running"
             # `participating_in` is true when this is called from "Benchmarks I'm in"
-            # `mine` and `participating_in` are none when this is called from Search bar
+            # `mine` and `participating_in` are none when this is called either from Search bar
+            # or from competition detail page
             if (not mine) and (not participating_in):
-                # User is logged in
-                # filter his own competitions
+                # User is logged in then filter
+                # competitions which this user owns
                 # or
-                # filter published competitions by other users
+                # competitions in which this user is collaborator
+                # or
+                # competitions is published and belongs to someone else
+                # or
+                # competitions in which this user is participant and status is approved
                 qs = qs.filter(
                     (Q(created_by=self.request.user)) |
-                    (Q(published=True) & ~Q(created_by=self.request.user))
-                )
+                    (Q(collaborators__in=[self.request.user])) |
+                    (Q(published=True) & ~Q(created_by=self.request.user)) |
+                    (Q(participants__user=self.request.user) & Q(participants__status="approved"))
+                ).distinct()
         else:
             # if user is not authenticated only filter published/public competitions
             qs = qs.filter(Q(published=True))
@@ -111,6 +117,7 @@ def get_queryset(self):
                 )
 
         search_query = self.request.query_params.get('search')
+        # search_query is true when called from searchbar
         if search_query:
             qs = qs.filter(Q(title__icontains=search_query) | Q(description__icontains=search_query))
 

src/apps/competitions/views.py

@@ -28,13 +28,16 @@ class CompetitionDetail(DetailView):
     def get_object(self, *args, **kwargs):
         competition = super().get_object(*args, **kwargs)
 
-        is_creator, is_collaborator, is_participant = False, False, False
+        is_admin, is_creator, is_collaborator, is_participant = False, False, False, False
 
         # check if user is loggedin
         if self.request.user.is_authenticated:
 
+            # check if user is admin
+            is_admin = self.request.user.is_superuser
+
             # check if user is the creator of this competition
-            is_creator = self.request.user.is_superuser or self.request.user == competition.created_by
+            is_creator = self.request.user == competition.created_by
 
             # check if user is collaborator of this competition
             is_collaborator = self.request.user in competition.collaborators.all()
@@ -46,7 +49,14 @@ def get_object(self, *args, **kwargs):
         # check if secret key provided is valid
         valid_secret_key = self.request.GET.get('secret_key') == str(competition.secret_key)
 
-        if is_creator or is_collaborator or competition.published or valid_secret_key or is_participant:
+        if (
+            is_admin or
+            is_creator or
+            is_collaborator or
+            competition.published or
+            valid_secret_key or
+            is_participant
+        ):
             return competition
         raise Http404()