Allow developers to download file attachments (#22726)

* Allow developers to download file attachments

* Allow any kind of reviewer, not just addons reviewers

src/olympia/activity/tests/test_views.py

@@ -15,6 +15,7 @@ from olympia.activity.models import (
     GENERIC_USER_NAME,
     ActivityLog,
     ActivityLogToken,
+    AddonLog,
     AttachmentLog,
 )
 from olympia.activity.tests.test_serializers import LogMixin
@@ -689,17 +690,25 @@ class TestDownloadAttachment(TestCase):
             activity_log=self.log,
             file=ContentFile('Pseudo File', name='attachment.txt'),
         )
+        AddonLog.objects.create(addon=self.addon, activity_log=self.log)
 
-    def test_download_attachment_success(self):
+    def test_download_attachment_developer(self):
-        self.client.force_login(self.user)
-        self.grant_permission(self.user, 'Addons:Review', 'Addon Reviewers')
-        url = reverse('activity.attachment', args=[self.log.pk])
-        response = self.client.get(url, follow=True)
-        self.assertEqual(response.status_code, 200)
-        self.assertIn('.txt', response['Content-Disposition'])
-
-    def test_download_attachment_failure(self):
         self.client.force_login(self.user)
         url = reverse('activity.attachment', args=[self.log.pk])
         response = self.client.get(url, follow=True)
         self.assertEqual(response.status_code, 404)
+        response = self.client.get(url, follow=True)
+        self.addon.authors.add(self.user)
+        response = self.client.get(url, follow=True)
+        self.assertEqual(response.status_code, 200)
+        self.assertIn('.txt', response['Content-Disposition'])
+
+    def test_download_attachment_reviewer(self):
+        self.client.force_login(self.user)
+        url = reverse('activity.attachment', args=[self.log.pk])
+        response = self.client.get(url, follow=True)
+        self.assertEqual(response.status_code, 404)
+        self.grant_permission(self.user, 'Addons:Review', 'Addon Reviewers')
+        response = self.client.get(url, follow=True)
+        self.assertEqual(response.status_code, 200)
+        self.assertIn('.txt', response['Content-Disposition'])

src/olympia/activity/views.py

@@ -19,7 +19,7 @@ from rest_framework.viewsets import GenericViewSet
 import olympia.core.logger
 from olympia import amo
 from olympia.access import acl
-from olympia.activity.models import ActivityLog
+from olympia.activity.models import ActivityLog, AddonLog
 from olympia.activity.serializers import (
     ActivityLogSerializer,
     ActivityLogSerializerForComments,
@@ -182,10 +182,17 @@ def download_attachment(request, log_id):
     Download attachment for a given activity log.
     """
     log = get_object_or_404(ActivityLog, pk=log_id)
+    addon = get_object_or_404(AddonLog, activity_log=log).addon
     attachmentlog = log.attachmentlog
 
-    is_reviewer = acl.action_allowed_for(request.user, amo.permissions.ADDONS_REVIEW)
+    is_reviewer = acl.is_user_any_kind_of_reviewer(request.user, allow_viewers=True)
-    if not is_reviewer:
+    is_developer = acl.check_addon_ownership(
+        request.user,
+        addon,
+        allow_developer=True,
+    )
+
+    if not (is_reviewer or is_developer):
         raise http.Http404()
 
     response = HttpResponseXSendFile(request, attachmentlog.file.path)