From d2ae1965e61a7d2349e57a787678c564369c5355 Mon Sep 17 00:00:00 2001
From: Drew Winstel
Date: Wed, 17 May 2023 08:33:43 -0500
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A7=20Prevent=20users=20from=20seeing?=
 =?UTF-8?q?=20their=20own=20OG=20submissions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If their email address matches the one on the request, don't show it to them.

Fixes #6.
---
 grants/views/program.py | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/grants/views/program.py b/grants/views/program.py
index 77e1976..f6df1f4 100644
--- a/grants/views/program.py
+++ b/grants/views/program.py
@@ -3,6 +3,7 @@
 import collections
 from django import forms
+from django.db.models import Q
 from django.http import Http404
 from django.shortcuts import redirect, render
 from django.utils import timezone
@@ -176,8 +177,11 @@ def get_queryset(self):
 else:
 self.sort = "applied"
 # Fetch applicants
+ # but don't let a user see their own request
 applicants = list(
- self.program.applicants.prefetch_related("scores").order_by("-applied")
+ self.program.applicants.exclude(email=self.request.user.email)
+ .prefetch_related("scores")
+ .order_by("-applied")
 )
 for applicant in applicants:
 applicant.has_scored = applicant.scores.filter(
@@ -205,7 +209,9 @@ class ProgramApplicantView(ProgramMixin, TemplateView):
 template_name = "applicant-view.html"
 def get(self, request, applicant_id):
- applicant = self.program.applicants.get(pk=applicant_id)
+ applicant = self.program.applicants.exclude(
+ email=self.request.user.email,
+ ).get(pk=applicant_id)
 questions = list(self.program.questions.order_by("order"))
 for question in questions:
 question.answer = question.answers.filter(applicant=applicant).first()
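Review bot: The added `.exclude(email=self.request.user.email)` in get_queryset compares addresses with an exact, case-sensitive lookup, so an applicant record whose email differs from the reviewer's account address only in letter case is still listed; the same lookup is repeated in ProgramApplicantView.get and RandomUnscoredApplicant.get further down. A case-insensitive match, `.exclude(email__iexact=self.request.user.email)`, closes that normalisation gap at no cost. When the signed-in user's email is an empty string, `exclude(email="")` also hides every applicant stored with an empty address, which has nothing to do with the conflict-of-interest rule; skipping the exclusion when `self.request.user.email` is falsy avoids that side effect. get_queryset begins and ends outside the hunk.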
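Review bot: Chaining `.get(pk=applicant_id)` onto the new `.exclude(...)` in ProgramApplicantView.get means a request for the user's own applicant id now raises the model's `DoesNotExist`, which surfaces as a server error rather than a 404 unless ProgramMixin catches it, which is not visible here; the old code had the same failure mode only for ids that did not exist, whereas the new filter makes it reachable with a valid id. `get_object_or_404(self.program.applicants.exclude(email=self.request.user.email), pk=applicant_id)` turns both cases into an Http404, and it lives in `django.shortcuts`, which the file already imports from. The body of get continues past the hunk.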
@@ -261,7 +267,9 @@ class RandomUnscoredApplicant(ProgramMixin, View):
 def get(self, request):
 applicant = (
- self.program.applicants.exclude(scores__user=self.request.user)
+ self.program.applicants.exclude(
+ Q(scores__user=self.request.user) | Q(email=self.request.user.email)
+ )
 .order_by("?")
 .first()
 )
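Review bot: The own-submission predicate `Q(email=self.request.user.email)` in RandomUnscoredApplicant.get is the third copy of the same visibility rule in this commit, after get_queryset and ProgramApplicantView.get, each spelled slightly differently; a rule enforced in three places drifts as soon as one copy is edited. A single helper on ProgramMixin, for example `def visible_applicants(self): return self.program.applicants.exclude(email=self.request.user.email)`, would let all three views start from the same queryset, with this view adding only `.exclude(scores__user=self.request.user)`. The class header of RandomUnscoredApplicant appears only in the hunk context, so anything before get is outside the view here.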