From 1966bbf570ee18cd5b29b79e0b93d5a3154908a5 Mon Sep 17 00:00:00 2001
From: Ryan Johnson <rjohnson@mozilla.com>
Date: Tue, 20 Feb 2024 11:18:45 -0800
Subject: [PATCH] extend visiblity restrictions to translations in readouts.py

---
 kitsune/dashboards/readouts.py            |  9 +++++---
 kitsune/dashboards/tests/test_readouts.py | 25 +++++++++++++++++++----
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/kitsune/dashboards/readouts.py b/kitsune/dashboards/readouts.py
index 9b34e3f51..4ef0874ba 100644
--- a/kitsune/dashboards/readouts.py
+++ b/kitsune/dashboards/readouts.py
@@ -683,7 +683,8 @@ class MostVisitedTranslationsReadout(MostVisitedDefaultLanguageReadout):
                 # The product does not have a forum for this locale.
                 ignore_categories.append(CANNED_RESPONSES_CATEGORY)
 
-        transdoc_subquery = Document.objects.filter(
+        transdoc_subquery = Document.objects.visible(
+            self.user,
             locale=self.locale,
             parent=OuterRef("pk"),
         ).filter(
@@ -784,7 +785,8 @@ class TemplateTranslationsReadout(Readout):
         if self.product:
             qs = qs.filter(products=self.product)
 
-        transdoc_subquery = Document.objects.filter(
+        transdoc_subquery = Document.objects.visible(
+            self.user,
             locale=self.locale,
             parent=OuterRef("pk"),
         )
@@ -1109,7 +1111,8 @@ class CannedResponsesReadout(Readout):
         if self.product:
             qs = qs.filter(products=self.product)
 
-        transdoc_subquery = Document.objects.filter(
+        transdoc_subquery = Document.objects.visible(
+            self.user,
             locale=self.locale,
             parent=OuterRef("pk"),
         )
diff --git a/kitsune/dashboards/tests/test_readouts.py b/kitsune/dashboards/tests/test_readouts.py
index 1456d91e1..d3fba5e97 100644
--- a/kitsune/dashboards/tests/test_readouts.py
+++ b/kitsune/dashboards/tests/test_readouts.py
@@ -20,7 +20,7 @@ from kitsune.dashboards.readouts import (
 from kitsune.products.tests import ProductFactory
 from kitsune.sumo.models import ModelBase
 from kitsune.sumo.tests import TestCase
-from kitsune.users.tests import GroupFactory, UserFactory
+from kitsune.users.tests import GroupFactory, UserFactory, add_permission
 from kitsune.wiki.config import (
     ADMINISTRATION_CATEGORY,
     CANNED_RESPONSES_CATEGORY,
@@ -31,6 +31,7 @@ from kitsune.wiki.config import (
     TEMPLATES_CATEGORY,
     TYPO_SIGNIFICANCE,
 )
+from kitsune.wiki.models import Revision
 from kitsune.wiki.tests import (
     ApprovedRevisionFactory,
     DocumentFactory,
@@ -55,9 +56,9 @@ class ReadoutTestCase(TestCase):
             request.user = user
         return self.readout(request, locale=locale, product=product).rows()
 
-    def row(self, locale=None, product=None):
+    def row(self, locale=None, product=None, user=None):
         """Return first row shown by the readout this class tests."""
-        return self.rows(locale=locale, product=product)[0]
+        return self.rows(locale=locale, product=product, user=user)[0]
 
     def titles(self, locale=None, product=None):
         """Return the titles shown by the Unreviewed Changes readout."""
@@ -606,7 +607,17 @@ class MostVisitedTranslationsTests(ReadoutTestCase):
         unreviewed = TranslatedRevisionFactory(
             document__locale="de", reviewed=None, is_approved=False
         )
+
+        # Anonymous users can only see the English document. They can't see the
+        # localized document because it doesn't yet have an approved revision.
         row = self.row()
+        self.assertEqual(row["title"], unreviewed.document.parent.title)
+        self.assertEqual(row["status"], "Translation Needed")
+
+        # However, reviewers can see the unreviewed translation.
+        reviewer = UserFactory()
+        add_permission(reviewer, Revision, "review_revision")
+        row = self.row(user=reviewer)
         self.assertEqual(row["title"], unreviewed.document.title)
         self.assertEqual(row["status"], "Review Needed")
 
@@ -888,7 +899,13 @@ class CannedResponsesTests(ReadoutTestCase):
             document=de_doc, based_on=eng_rev, is_approved=False, reviewed=None
         )
 
-        self.assertEqual("review", self.row()["status_class"])
+        # Anonymous users can't see a document without an approved revision.
+        self.assertEqual("untranslated", self.row()["status_class"])
+
+        # However, reviewers can.
+        reviewer = UserFactory()
+        add_permission(reviewer, Revision, "review_revision")
+        self.assertEqual("review", self.row(user=reviewer)["status_class"])
 
         # Approve it, so now every this is ok.
         de_rev.is_approved = True