Use logger.view_xform_data perm to filter data

Author: FrankApiyo

onadata/apps/api/permissions.py

@@ -581,19 +581,3 @@ def has_permission(self, request, view):
             return False
 
         return True
-
-
-class ViewXFormDataPermissions(XFormPermissions):
-    """
-    Applies view_(model)_data permissions for GET requests.
-    """
-
-    perms_map = {
-        "GET": ["%(app_label)s.view_%(model_name)s_data"],
-        "OPTIONS": [],
-        "HEAD": [],
-        "POST": ["%(app_label)s.add_%(model_name)s"],
-        "PUT": ["%(app_label)s.change_%(model_name)s"],
-        "PATCH": ["%(app_label)s.change_%(model_name)s"],
-        "DELETE": ["%(app_label)s.delete_%(model_name)s"],
-    }

onadata/apps/api/tests/viewsets/test_data_viewset.py

@@ -1273,6 +1273,30 @@ def test_anon_data_list(self):
         request = self.factory.get("/")
         response = view(request)
         self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data), 0)
+
+        self.xform.shared = True
+        self.xform.shared_data = True
+        self.xform.save()
+        response = view(request)
+        self.assertEqual(response.status_code, 200)
+        self.assertNotEqual(len(response.data), 0)
+
+    def test_authenticated_user_data_list_private_form(self):
+        self._make_submissions()
+        view = DataViewSet.as_view({"get": "list"})
+        self._create_user_and_login("alice", "alice")
+
+        request = self.factory.get("/")
+        request.user = self.user
+        response = view(request, pk=XForm.objects.all().first().id)
+        self.assertEqual(response.status_code, 404)
+
+        request = self.factory.get("/")
+        request.user = self.user
+        response = view(request)
+        self.assertEqual(response.status_code, 200)
+        self.assertEqual(len(response.data), 0)
 
     def test_add_form_tag_propagates_to_data_tags(self):
         """Test that when a tag is applied on an xform,

onadata/apps/api/viewsets/data_viewset.py

@@ -23,10 +23,7 @@
 from rest_framework.settings import api_settings
 from rest_framework.viewsets import ModelViewSet
 
-from onadata.apps.api.permissions import (
-    ConnectViewsetPermissions,
-    ViewXFormDataPermissions,
-)
+from onadata.apps.api.permissions import ConnectViewsetPermissions, XFormPermissions
 from onadata.apps.api.tasks import delete_xform_submissions_async
 from onadata.apps.api.tools import add_tags_to_instance, get_baseviewset_class
 from onadata.apps.logger.models import MergedXForm, OsmData
@@ -144,12 +141,12 @@ class DataViewSet(
     ]
 
     filter_backends = (
-        filters.AnonDjangoObjectPermissionFilter,
+        filters.DataAnonDjangoObjectPermissionFilter,
         filters.XFormOwnerFilter,
         filters.DataFilter,
     )
     serializer_class = DataSerializer
-    permission_classes = (ViewXFormDataPermissions,)
+    permission_classes = (XFormPermissions,)
     lookup_field = "pk"
     lookup_fields = ("pk", "dataid")
     extra_lookup_fields = None
@@ -514,12 +511,12 @@ def _set_pagination_headers(
 
         if (current_page * current_page_size) < num_of_records:
             next_page_url = (
-                f"{base_url}?page={current_page + 1}&" f"page_size={current_page_size}"
+                f"{base_url}?page={current_page + 1}&page_size={current_page_size}"
             )
 
         if current_page > 1:
             prev_page_url = (
-                f"{base_url}?page={current_page - 1}" f"&page_size={current_page_size}"
+                f"{base_url}?page={current_page - 1}&page_size={current_page_size}"
             )
 
         last_page = math.ceil(num_of_records / current_page_size)

onadata/libs/filters.py

@@ -194,6 +194,10 @@ def filter_queryset(self, request, queryset, view):
         return queryset
 
 
+class DataAnonDjangoObjectPermissionFilter(AnonDjangoObjectPermissionFilter):
+    perm_format = "%(app_label)s.view_%(model_name)s_data"
+
+
 class InstanceFilter(django_filter_filters.FilterSet):
     """
     Instance FilterSet implemented using django-filter