Merge 901626c into 157f758

alan-turing-institute · Jan 23, 2024 · 11e1e6e · 11e1e6e
2 parents 157f758 + 901626c
commit 11e1e6e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/eap_backend/eap_api/views.py b/eap_backend/eap_api/views.py
@@ -561,6 +561,10 @@ def comment_list(request, assurance_case_id):
     """
     List all comments for an assurance case, or create a new comment.
     """
+    permissions = get_case_permissions(assurance_case_id, request.user)
+    if not permissions:
+        return HttpResponse(status=403)
+
     if request.method == "GET":
         comments = Comment.objects.filter(assurance_case_id=assurance_case_id)
         serializer = CommentSerializer(comments, many=True)
@@ -583,8 +587,13 @@ def reply_to_comment(request, comment_id):
     """
     try:
         parent_comment = Comment.objects.get(pk=comment_id)
+        assurance_case_id = parent_comment.assurance_case_id
     except Comment.DoesNotExist:
         return HttpResponse(status=status.HTTP_404_NOT_FOUND)
+
+    permissions = get_case_permissions(assurance_case_id, request.user)
+    if not permissions:
+        return HttpResponse(status=403)
 
     if request.method == "POST":
         data = JSONParser().parse(request)

diff --git a/frontend/src/components/caseApi.js b/frontend/src/components/caseApi.js
@@ -15,6 +15,9 @@ export async function getCase(token, id) {
     return await res.json();
   } else if (res.status === 401) {
     unauthorized();
+  } else if (res.status === 403) {
+    // forbidden (eg. attempts to access cases without required permissions)
+    window.location.replace("/not-found");
   } else if (res.status === 404) {
     window.location.replace("/not-found");
   }