Allow developers to download file attachments (#22726)

* Allow developers to download file attachments * Allow any kind of reviewer, not just addons reviewers
2024-10-07 09:06:03 -04:00 · 2024-10-07 09:06:03 -04:00 · f8a213f9a4
--- a/src/olympia/activity/tests/test_views.py
+++ b/src/olympia/activity/tests/test_views.py
@ -15,6 +15,7 @@ from olympia.activity.models import (
    GENERIC_USER_NAME,
    ActivityLog,
    ActivityLogToken,
+    AddonLog,
    AttachmentLog,
 )
 from olympia.activity.tests.test_serializers import LogMixin
@ -689,17 +690,25 @@ class TestDownloadAttachment(TestCase):
            activity_log=self.log,
            file=ContentFile('Pseudo File', name='attachment.txt'),
        )
+        AddonLog.objects.create(addon=self.addon, activity_log=self.log)

-    def test_download_attachment_success(self):
-        self.client.force_login(self.user)
-        self.grant_permission(self.user, 'Addons:Review', 'Addon Reviewers')
-        url = reverse('activity.attachment', args=[self.log.pk])
-        response = self.client.get(url, follow=True)
-        self.assertEqual(response.status_code, 200)
-        self.assertIn('.txt', response['Content-Disposition'])
-
-    def test_download_attachment_failure(self):
+    def test_download_attachment_developer(self):
        self.client.force_login(self.user)
        url = reverse('activity.attachment', args=[self.log.pk])
        response = self.client.get(url, follow=True)
        self.assertEqual(response.status_code, 404)
+        response = self.client.get(url, follow=True)
+        self.addon.authors.add(self.user)
+        response = self.client.get(url, follow=True)
+        self.assertEqual(response.status_code, 200)
+        self.assertIn('.txt', response['Content-Disposition'])
+
+    def test_download_attachment_reviewer(self):
+        self.client.force_login(self.user)
+        url = reverse('activity.attachment', args=[self.log.pk])
+        response = self.client.get(url, follow=True)
+        self.assertEqual(response.status_code, 404)
+        self.grant_permission(self.user, 'Addons:Review', 'Addon Reviewers')
+        response = self.client.get(url, follow=True)
+        self.assertEqual(response.status_code, 200)
+        self.assertIn('.txt', response['Content-Disposition'])
--- a/src/olympia/activity/views.py
+++ b/src/olympia/activity/views.py
@ -19,7 +19,7 @@ from rest_framework.viewsets import GenericViewSet
 import olympia.core.logger
 from olympia import amo
 from olympia.access import acl
-from olympia.activity.models import ActivityLog
+from olympia.activity.models import ActivityLog, AddonLog
 from olympia.activity.serializers import (
    ActivityLogSerializer,
    ActivityLogSerializerForComments,
@ -182,10 +182,17 @@ def download_attachment(request, log_id):
    Download attachment for a given activity log.
    """
    log = get_object_or_404(ActivityLog, pk=log_id)
+    addon = get_object_or_404(AddonLog, activity_log=log).addon
    attachmentlog = log.attachmentlog

-    is_reviewer = acl.action_allowed_for(request.user, amo.permissions.ADDONS_REVIEW)
-    if not is_reviewer:
+    is_reviewer = acl.is_user_any_kind_of_reviewer(request.user, allow_viewers=True)
+    is_developer = acl.check_addon_ownership(
+        request.user,
+        addon,
+        allow_developer=True,
+    )
+
+    if not (is_reviewer or is_developer):
        raise http.Http404()

    response = HttpResponseXSendFile(request, attachmentlog.file.path)