quickfix/hide-non-showing-entries

[lsabor]

if user is not staff, don't even serialize hidden entries

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Updated project leaderboard visibility to properly restrict entries for non-staff users, ensuring only appropriate entries are displayed.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request restricts leaderboard entries for non-staff users to exclude those marked as excluded, unless explicitly flagged to show when excluded. This access control is applied before serializing entries, consistent with existing restriction patterns in the codebase.

Changes

Cohort / File(s)	Summary
Leaderboard Access Control scoring/views.py	Added entry filtering in project_leaderboard_view to restrict non-staff users from viewing excluded entries, unless marked to show when excluded.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 The leaderboard hops with care and grace,
Non-staff users see a filtered space,
Excluded entries hidden from their sight,
Unless they're marked to shine so bright! ✨

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'quickfix/hide-non-showing-entries' accurately reflects the main change: preventing non-staff users from seeing hidden entries by filtering them before serialization.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch quickfix/hide-non-showing-entries

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8040205 and 1ae1597.

📒 Files selected for processing (1)

• scoring/views.py

🧰 Additional context used

🧠 Learnings (1)

📚 Learning: 2026-01-15T19:29:58.940Z

Learnt from: hlbmtc
Repo: Metaculus/metaculus PR: 4075
File: authentication/urls.py:24-26
Timestamp: 2026-01-15T19:29:58.940Z
Learning: In this codebase, DRF is configured to use IsAuthenticated as the default in REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES'] within metaculus_web/settings.py. Therefore, explicit permission_classes([IsAuthenticated]) decorators are unnecessary on DRF views unless a view needs to override the default. When reviewing Python files, verify that views relying on the default are not redundantly decorated, and flag cases where permissions are being over-specified or when a non-default permission is explicitly required.

Applied to files:

• scoring/views.py

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Build Docker Image / Build Docker Image
• GitHub Check: Backend Checks
• GitHub Check: Frontend Checks
• GitHub Check: integration-tests

🔇 Additional comments (1)

scoring/views.py (1)

145-146: Looks good — non-staff filtering matches the visibility rule.

This keeps excluded entries out of serialization unless explicitly allowed.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}