fixed collection stats permissions issue

2012-03-07 14:30:36 -08:00 · 2012-03-07 14:30:36 -08:00 · 80be66aa6a
--- a/apps/bandwagon/models.py
+++ b/apps/bandwagon/models.py
@ -333,6 +333,13 @@ class Collection(CollectionBase, amo.models.ModelBase):
    def owned_by(self, user):
        return (user.id == self.author_id)

+    def can_view_stats(self, request):
+        from access import acl
+        if (request and request.amo_user):
+            return (request.amo_user.id == self.author_id or
+                    acl.action_allowed(request, 'CollectionStats', 'View'))
+        return False
+
    @caching.cached_method
    def publishable_by(self, user):
        return bool(self.owned_by(user) or self.users.filter(pk=user.id))
--- a/apps/bandwagon/templates/bandwagon/collection_widgets.html
+++ b/apps/bandwagon/templates/bandwagon/collection_widgets.html
@ -1,13 +1,15 @@
 <div class="collection_widgets{{ ' condensed' if condensed }} widgets">
-{% if request.user.is_authenticated() %}
+{% set authenticated = request.user.is_authenticated() %}
+{% if authenticated %}
  {% set is_watching = c.id in request.amo_user.watching %}
-  {% set watch_msg = _('Stop Following') if is_watching else _('Follow this Collection') %}
+  {% set watch_msg = _('Stop Following') if is_watching else
+                     _('Follow this Collection') %}
      <a title="{{ (_('Stop Following') if is_watching else _('Follow this Collection')) if condensed }}"
         class="widget tooltip watch{{ ' watching' if is_watching }}{{ ' condensed' if condensed }}"
         href="{{ c.watch_url() }}">{{ watch_msg if not condensed }}</a>
 {% endif %}
        {{ sharing_widget(c, condensed=condensed) }}
-{% if request.user.is_authenticated() %}
+{% if authenticated %}
      {#
      <a title="{{ _('Copy this Collection') }}" class="copy" href="#"></a>
      #}
@ -15,7 +17,7 @@
        <a title="{{ _('Edit this Collection') }}"
           class="widget edit tooltip condensed" href="{{ c.edit_url() }}"></a>
      {% endif %}
-      {% if waffle.switch('collection-stats') %}
+      {% if waffle.switch('collection-stats') and c.can_view_stats(request) %}
        <a href="{{ c.stats_url() }}" title="{{ _('Statistics') }}"
          class="widget stats{{ ' tooltip' if condensed }}">
          {{ _('Statistics') if not condensed }}
--- a/apps/bandwagon/tests/test_models.py
+++ b/apps/bandwagon/tests/test_models.py
@ -159,6 +159,20 @@ class TestCollections(amo.tests.TestCase):
        CollectionWatcher.objects.create(collection_id=512, user=self.user)
        check(1)

+    def test_can_view_stats(self):
+        c = Collection.objects.create(author=self.user, slug='boom')
+
+        fake_request = mock.Mock()
+        fake_request.groups = ()
+        fake_request.user.is_authenticated.return_value = True
+
+        fake_request.amo_user = self.user
+        eq_(c.can_view_stats(fake_request), True)
+
+        fake_request.amo_user = UserProfile.objects.create(
+                                    username='scrub', email='ez@dee')
+        eq_(c.can_view_stats(fake_request), False)
+

 class TestRecommendations(amo.tests.TestCase):
    fixtures = ['base/addon-recs']
--- a/apps/stats/views.py
+++ b/apps/stats/views.py
@ -551,9 +551,7 @@ def collection(request, uuid, format):
    stats_addons_collections_counts table.
    """
    collection = get_object_or_404(Collection, uuid=uuid)
-    if (not acl.action_allowed(request, 'CollectionStats', 'View') and
-        not (request.amo_user and collection.author and
-             collection.author.id == request.amo_user.pk)):
+    if not collection.can_view_stats(request):
        return http.HttpResponseForbidden()

    start = date.today() - timedelta(days=365)