diff --git a/readthedocs/api/v3/tests/test_organizations.py b/readthedocs/api/v3/tests/test_organizations.py
index 075d191aa0f..1ce92d1e32c 100644
--- a/readthedocs/api/v3/tests/test_organizations.py
+++ b/readthedocs/api/v3/tests/test_organizations.py
@@ -1,7 +1,11 @@
+import django_dynamic_fixture as fixture
+from django.contrib.contenttypes.models import ContentType
 from django.test import override_settings
 from django.urls import reverse
 from django.urls.exceptions import NoReverseMatch
+from readthedocs.notifications.models import Notification
+from readthedocs.organizations.models import Organization
 from readthedocs.subscriptions.constants import TYPE_CONCURRENT_BUILDS
 from readthedocs.subscriptions.products import RTDProductFeature
@@ -51,6 +55,38 @@ def test_organizations_notifications_list(self):
 self._get_response_dict("organizations-notifications-list"),
 )
+ def test_organizations_notifications_list_only_given_organization(self):
+ url = reverse(
+ "organizations-notifications-list",
+ kwargs={
+ "parent_lookup_organization__slug": self.organization.slug,
+ },
+ )
+ other_organization = fixture.get(
+ Organization,
+ pub_date=self.created,
+ modified_date=self.modified,
+ name="other_organization",
+ slug="other_organization",
+ owners=[self.me],
+ )
+
+ fixture.get(
+ Notification,
+ attached_to_content_type=ContentType.objects.get_for_model(
+ other_organization
+ ),
+ attached_to_id=other_organization.pk,
+ )
+
+ self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+ response = self.client.get(url)
+ self.assertEqual(response.status_code, 200)
+ self.assertDictEqual(
+ response.json(),
+ self._get_response_dict("organizations-notifications-list"),
+ )
+
 def test_organizations_notifications_list_other_user(self):
 url = reverse(
 "organizations-notifications-list",
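Review bot: `test_organizations_notifications_list_only_given_organization` proves the isolation only indirectly, by comparing the whole body with the stored `organizations-notifications-list` fixture, so the property under test is not visible in the test itself. Keeping the result of the second `fixture.get(Notification, ...)` in a variable and asserting that its pk is absent from the returned notifications would state the intent directly; the response field names are not visible in this hunk, so that assertion has to follow the serializer. A one-line docstring such as `"""Notifications attached to another organization the user owns are not listed."""` would help here and on `test_organizations_notifications_detail_other_organization` in the next hunk. The trailing context opens `test_organizations_notifications_list_other_user`, whose body continues outside the hunk.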
@@ -103,6 +139,28 @@ def test_organizations_notifications_detail(self):
 self._get_response_dict("organizations-notifications-detail"),
 )
+ def test_organizations_notifications_detail_other_organization(self):
+ other_organization = fixture.get(
+ Organization,
+ pub_date=self.created,
+ modified_date=self.modified,
+ name="new_org",
+ slug="new_org",
+ owners=[self.me],
+ )
+
+ url = reverse(
+ "organizations-notifications-detail",
+ kwargs={
+ "parent_lookup_organization__slug": other_organization.slug,
+ "notification_pk": self.notification_organization.pk,
+ },
+ )
+
+ self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+ response = self.client.get(url)
+ self.assertEqual(response.status_code, 404)
+
 def test_organizations_notifications_detail_other(self):
 url = reverse(
 "organizations-notifications-detail",
diff --git a/readthedocs/api/v3/views.py b/readthedocs/api/v3/views.py
index f3934ad0502..fe28b93ebb9 100644
--- a/readthedocs/api/v3/views.py
+++ b/readthedocs/api/v3/views.py
@@ -24,7 +24,6 @@
 from rest_framework_extensions.mixins import NestedViewSetMixin
 from readthedocs.builds.models import Build, Version
-from readthedocs.core.permissions import AdminPermission
 from readthedocs.core.utils import trigger_build
 from readthedocs.core.utils.extend import SettingsOverrideObject
 from readthedocs.notifications.models import Notification
@@ -679,10 +678,5 @@ class NotificationsOrganizationViewSet(
 permission_classes = [IsAuthenticated & IsOrganizationAdmin]
 def get_queryset(self):
- content_type = ContentType.objects.get_for_model(Organization)
- return self.queryset.filter(
- attached_to_content_type=content_type,
- attached_to_id__in=AdminPermission.organizations(
- self.request.user, owner=True, member=False
- ).values("id"),
- )
+ organization = self._get_parent_organization()
+ return organization.notifications.all()
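Review bot: `test_organizations_notifications_detail_other_organization` exercises only `GET` on the detail route, with a notification pk that belongs to a different organization owned by the same user. If `organizations-notifications-detail` also accepts write methods (not visible in this diff), the same mismatched slug/pk pair should be sent with each of them and expected to return 404, because a read-only check would not catch a cross-organization update. The trailing context opens `test_organizations_notifications_detail_other`, whose body continues outside the hunk.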
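Review bot: `get_queryset` no longer filters by the requesting user, so per-user access to an organization's notifications now rests entirely on `IsOrganizationAdmin` in `permission_classes`; the removed filter on `AdminPermission.organizations(self.request.user, owner=True, member=False)` acted as a second barrier. Neither `IsOrganizationAdmin` nor `_get_parent_organization()` is visible in this diff, so it is worth confirming that the permission check resolves the same URL slug and runs for every action on this viewset. A comment above the return, for example `# Scoped to the organization in the URL; ownership is enforced by IsOrganizationAdmin, not by this queryset.`, would record that dependency for the next maintainer. `ContentType` may now be unused in views.py if no other viewset references it. The class body starts outside the hunk.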