kobotoolbox · jnm · Mar 26, 2021 · Mar 25, 2021 · Mar 25, 2021 · Mar 25, 2021
diff --git a/jsapp/js/components/projectDownloads/projectExportsList.es6 b/jsapp/js/components/projectDownloads/projectExportsList.es6
@@ -219,7 +219,7 @@ export default class ProjectExportsList extends React.Component {
             <span className='animate-processing'>{t('Processing…')}</span>
           }
 
-          {mixins.permissions.userCan(PERMISSIONS_CODENAMES.manage_asset, this.props.asset) &&
+          {mixins.permissions.userCan(PERMISSIONS_CODENAMES.view_submissions, this.props.asset) &&
             <bem.KoboLightButton
               m={['red', 'icon-only']}
               onClick={this.deleteExport.bind(this, exportData.uid)}

diff --git a/jsapp/js/constants.es6 b/jsapp/js/constants.es6
@@ -19,9 +19,14 @@ export const ROOT_URL = (() => {
 export const ANON_USERNAME = 'AnonymousUser';
 
 /**
- * A hardcoded list of permissions codenames.
- * All of them are really defined on backend, but we need it here to be able to
- * build UI for handling them.
+ * BAD CODE™ A hardcoded list of permissions codenames.
+ *
+ * All of them are really defined on backend, and we get them through the
+ * permissions config endpoint, but as we need these names to reference them in
+ * the code to build the UI it's a necessary evil.
+ *
+ * NOTE: to know what these permissions permit see `kpi/permissions.py` file,
+ * where you have to match the classes with endpoints and their HTTP methods.
  */
 export const PERMISSIONS_CODENAMES = {};
 new Set([

diff --git a/kpi/permissions.py b/kpi/permissions.py
@@ -274,7 +274,7 @@ class SubmissionValidationStatusPermission(SubmissionPermission):
     }
 
 
-class AssetExportSettingsPermission(AssetNestedObjectPermission):
+class AssetExportSettingsPermission(SubmissionPermission):
     perms_map = {
         'GET': ['%(app_label)s.view_submissions'],
         'POST': ['%(app_label)s.manage_asset'],
@@ -286,7 +286,7 @@ class AssetExportSettingsPermission(AssetNestedObjectPermission):
     perms_map['PATCH'] = perms_map['POST']
     perms_map['DELETE'] = perms_map['POST']
 
-class ExportTaskPermission(AssetNestedObjectPermission):
+class ExportTaskPermission(SubmissionPermission):
     perms_map = {
         'GET': ['%(app_label)s.view_submissions'],
     }

diff --git a/kpi/tests/api/v2/test_api_exports.py b/kpi/tests/api/v2/test_api_exports.py
@@ -2,9 +2,14 @@
 import json
 from collections import defaultdict
 
+from django.contrib.auth.models import User
 from rest_framework import status
 from rest_framework.reverse import reverse
 
+from kpi.constants import (
+    PERM_PARTIAL_SUBMISSIONS,
+    PERM_VIEW_SUBMISSIONS,
+)
 from kpi.models import Asset, ExportTask
 from kpi.models.object_permission import get_anonymous_user
 from kpi.tests.base_test_case import BaseTestCase
@@ -82,14 +87,33 @@ def test_export_task_list_anotheruser(self):
             self._create_export_task(_type=_type)
 
         self.client.logout()
-        self.client.login(username='anotheruser', passwork='anotheruser')
+        self.client.login(username='anotheruser', password='anotheruser')
         list_url = reverse(
             self._get_endpoint('asset-export-list'),
             kwargs={'format': 'json', 'parent_lookup_asset': self.asset.uid},
         )
         response = self.client.get(list_url)
         assert response.status_code == status.HTTP_404_NOT_FOUND
 
+    def test_export_task_list_partial_permissions(self):
+        self.client.logout()
+        self.client.login(username='anotheruser', password='anotheruser')
+        partial_perms = {
+            PERM_VIEW_SUBMISSIONS: [{'_submitted_by': 'someuser'}]
+        }
+        list_url = reverse(
+            self._get_endpoint('asset-export-list'),
+            kwargs={'format': 'json', 'parent_lookup_asset': self.asset.uid},
+        )
+        response = self.client.get(list_url)
+        assert response.status_code == status.HTTP_404_NOT_FOUND
+
+        anotheruser = User.objects.get(username='anotheruser')
+        self.asset.assign_perm(anotheruser, PERM_PARTIAL_SUBMISSIONS,
+                               partial_perms=partial_perms)
+        response = self.client.get(list_url)
+        assert response.status_code == status.HTTP_200_OK
+
     def test_export_task_list_filtered(self):
         for _type in ['csv', 'csv', 'xls']:
             self._create_export_task(_type=_type)