Merge branch 'tender-monitorings-mask' into 'master'

Fix tender monitorings restricted visibility See merge request cdb/openprocurement.audit.api!51
ProzorroUKR · Mar 19, 2024 · bd663c3 · bd663c3
2 parents 1e3fe47 + 285adda
commit bd663c3
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 11 deletions.
diff --git a/openprocurement/audit/api/views/base.py b/openprocurement/audit/api/views/base.py
@@ -16,6 +16,9 @@ def __init__(self, request, context):
         self.request = request
         self.LOGGER = getLogger(type(self).__module__)
 
+    def db_fields(self, fields):
+        return fields
+
 
 class MongodbResourceListing(APIResource):
     listing_name = "Items"
@@ -135,9 +138,6 @@ def get_page(self, keys, params):
             "uri": self.request.route_url(self.listing_name, _query=params, **keys)
         }
 
-    def db_fields(self, fields):
-        return fields
-
     def filter_results_fields(self, results, fields):
         all_fields = fields | {"id"}
         for r in results:
@@ -156,7 +156,6 @@ def db_fields(self, fields):
         return fields | {"restricted"}
 
     def filter_results_fields(self, results, fields):
-        print(results)
         for r in results:
             mask_object_data(self.request, r, mask_mapping=self.mask_mapping)
         results = super().filter_results_fields(results, fields)
@@ -208,10 +207,12 @@ def get(self):
         page = int(self.request.params.get('page', DEFAULT_PAGE))
         skip = page * limit - limit
 
+        db_fields = self.db_fields(opt_fields)
+
         results, total = self.db_listing_method(
             skip=skip,
             limit=limit,
-            fields=opt_fields,
+            fields=db_fields,
             sort_by=self.sort_by,
             descending=descending,
             filters=filters,

diff --git a/openprocurement/audit/inspection/tests/test_monitoring_inspections.py b/openprocurement/audit/inspection/tests/test_monitoring_inspections.py
@@ -47,6 +47,29 @@ def test_get_opt_fields(self):
                 }]
             )
 
+    def test_restricted_visibility(self):
+        self.create_inspection(restricted_config=True)
+
+        for uid in self.monitoring_ids:
+            self.app.authorization = ('Basic', (self.broker_name, self.broker_pass))
+            response = self.app.get(f'/monitorings/{uid}/inspections?opt_fields=description')
+            self.assertEqual(response.status, '200 OK')
+            self.assertEqual(response.content_type, 'application/json')
+            self.assertEqual(
+                response.json['data'],
+                [{
+                    'description': 'Приховано',
+                    'dateCreated': '2018-01-01T11:00:00+02:00',
+                    'dateModified': '2018-01-01T11:00:00+02:00',
+                    'inspection_id': self.inspectionId,
+                    'id': self.inspection_id
+                }]
+            )
+            self.app.authorization = ('Basic', (self.sas_name, self.sas_pass))
+            response = self.app.get(f'/monitorings/{uid}/inspections?opt_fields=description')
+            self.assertEqual(response.status, '200 OK')
+            self.assertEqual(response.json['data'][0]['description'], 'Yo-ho-ho')
+
     def test_get_two(self):
         self.create_inspection()
         expected_one = {

diff --git a/openprocurement/audit/inspection/views/monitoring_inspections.py b/openprocurement/audit/inspection/views/monitoring_inspections.py
@@ -1,5 +1,5 @@
 from openprocurement.audit.inspection.utils import op_resource, inspection_serialize
-from openprocurement.audit.api.views.base import APIResourcePaginatedListing
+from openprocurement.audit.api.views.base import APIResourcePaginatedListing, RestrictedResourceListingMixin
 from openprocurement.audit.api.context import get_request
 
 
@@ -10,7 +10,7 @@ def serialize(data, fields):
 
 @op_resource(name='Monitoring inspections',
              path='/monitorings/{monitoring_id}/inspections')
-class MonitoringInspectionsResource(APIResourcePaginatedListing):
+class MonitoringInspectionsResource(RestrictedResourceListingMixin, APIResourcePaginatedListing):
 
     def __init__(self, request, context):
         super(MonitoringInspectionsResource, self).__init__(request, context)

diff --git a/openprocurement/audit/monitoring/tests/test_tender_monitorings.py b/openprocurement/audit/monitoring/tests/test_tender_monitorings.py
@@ -1,6 +1,7 @@
 import unittest
+from datetime import datetime
 
-from openprocurement.audit.api.constants import CANCELLED_STATUS, ACTIVE_STATUS
+from openprocurement.audit.api.constants import CANCELLED_STATUS, ACTIVE_STATUS, TZ
 from openprocurement.audit.monitoring.tests.base import BaseWebTest
 
 
@@ -201,3 +202,28 @@ def test_get_with_pagination_out_of_bounds_page(self):
         self.assertEqual(response.json['limit'], 2)
         self.assertEqual(response.json['page'], 4)
         self.assertEqual(len(response.json['data']), 0)
+
+    def test_restricted_visibility(self):
+        tender_id = "f" * 32
+        self.create_monitoring(tender_id=tender_id, restricted_config=True)
+        self.app.authorization = ('Basic', (self.sas_name, self.sas_pass))
+        self.app.patch_json(
+            '/monitorings/{}'.format(self.monitoring_id),
+            {"data": {
+                "status": "active",
+                "decision": {
+                    "description": "text",
+                    "date": datetime.now(TZ).isoformat()
+                }
+            }}
+        )
+
+        self.app.authorization = ('Basic', (self.broker_name, self.broker_pass))
+        response = self.app.get(f'/tenders/{tender_id}/monitorings?mode=_all&opt_fields=decision')
+        self.assertEqual(response.status, '200 OK')
+        self.assertEqual(response.content_type, 'application/json')
+        self.assertEqual(response.json['data'][0]['decision']['description'], 'Приховано')
+        self.app.authorization = ('Basic', (self.sas_name, self.sas_pass))
+        response = self.app.get(f'/tenders/{tender_id}/monitorings?mode=_all_&opt_fields=decision')
+        self.assertEqual(response.status, '200 OK')
+        self.assertEqual(response.json['data'][0]['decision']['description'], 'text')
diff --git a/openprocurement/audit/monitoring/views/tender.py b/openprocurement/audit/monitoring/views/tender.py
@@ -3,7 +3,7 @@
 from openprocurement.audit.api.utils import forbidden
 from openprocurement.audit.api.context import get_request
 from openprocurement.audit.monitoring.utils import op_resource, monitoring_serialize
-from openprocurement.audit.api.views.base import APIResourcePaginatedListing, json_view
+from openprocurement.audit.api.views.base import APIResourcePaginatedListing, RestrictedResourceListingMixin, json_view
 
 LOGGER = getLogger(__name__)
 
@@ -14,7 +14,7 @@ def serialize(data, fields):
 
 
 @op_resource(name='Tender Monitorings', path='/tenders/{tender_id}/monitorings')
-class TenderMonitoringResource(APIResourcePaginatedListing):
+class TenderMonitoringResource(RestrictedResourceListingMixin, APIResourcePaginatedListing):
     @staticmethod
     def add_mode_filters(filters: dict, mode: str):
         if "draft" not in mode:

diff --git a/setup.py b/setup.py
@@ -1,6 +1,6 @@
 from setuptools import setup, find_packages
 
-version = '1.2.7'
+version = '1.2.8'
 
 requires = [
     'pyramid<1.10.0',