From 7d5fde7210b1b674f2a48c901601fee28dbaed83 Mon Sep 17 00:00:00 2001
From: Matthias Dellweg
Date: Fri, 5 Feb 2021 12:20:26 +0100
Subject: [PATCH] Change queryset filter for ContainerDistribution

The new implementation takes the private flag as well as namespace permissions into account.
fixes #8206
---
 CHANGES/8206.bugfix | 1 +
 pulp_container/app/viewsets.py | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 CHANGES/8206.bugfix

diff --git a/CHANGES/8206.bugfix b/CHANGES/8206.bugfix
new file mode 100644
index 000000000..835916c30
--- /dev/null
+++ b/CHANGES/8206.bugfix
@@ -0,0 +1 @@
+Adjusted the queryset filtering of ``ContainerDistribution`` to include ``private`` and ``Namespace`` permissions.
diff --git a/pulp_container/app/viewsets.py b/pulp_container/app/viewsets.py
index a4882f7dd..2ed78cc22 100644
--- a/pulp_container/app/viewsets.py
+++ b/pulp_container/app/viewsets.py
@@ -637,7 +637,6 @@ class ContainerPushRepositoryViewSet(TagOperationsMixin, ReadOnlyRepositoryViewS
 queryset = models.ContainerPushRepository.objects.all()
 serializer_class = serializers.ContainerPushRepositorySerializer
 permission_classes = (access_policy.NamespaceAccessPolicyFromDB,)
- queryset_filtering_required_permission = "container.view_containerpushrepository"

 DEFAULT_ACCESS_POLICY = {
 "statements": [
@@ -769,7 +768,6 @@ class ContainerDistributionViewSet(BaseDistributionViewSet):
 serializer_class = serializers.ContainerDistributionSerializer
 filterset_class = ContainerDistributionFilter
 permission_classes = (access_policy.NamespaceAccessPolicyFromDB,)
- queryset_filtering_required_permission = "container.view_containerdistribution"

 DEFAULT_ACCESS_POLICY = {
 "statements": [
@@ -918,6 +916,22 @@ class ContainerDistributionViewSet(BaseDistributionViewSet):
 ],
 }

+ def get_queryset(self):
+ """
+ Returns a queryset of distributions filtered by namespace permissions and public status.
+ """
+
+ public_qs = models.ContainerDistribution.objects.filter(private=False)
+ obj_perm_qs = get_objects_for_user(
+ self.request.user, "container.view_containerdistribution"
+ )
+ namespaces = get_objects_for_user(self.request.user, "container.view_containernamespace")
+ namespaces |= get_objects_for_user(
+ self.request.user, "container.namespace_view_containerdistribution"
+ )
+ ns_qs = models.ContainerDistribution.objects.filter(namespace__in=namespaces)
+ return public_qs | obj_perm_qs | ns_qs
+
 @extend_schema(
 description="Trigger an asynchronous delete task",
 responses={202: AsyncOperationResponseSerializer},
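Review bot: The new `get_queryset` on `ContainerDistributionViewSet` also backs the detail routes, so every distribution with `private=False` now resolves there for any caller, and only the access-policy statements (outside this hunk) guard update and delete; the docstring should say so, e.g. `Visibility only: write access is enforced by the access policy, not by this queryset.` The method also builds from `models.ContainerDistribution.objects` instead of `super().get_queryset()`, which skips whatever the base viewset applies to its queryset; starting with `qs = super().get_queryset()` and using `qs.filter(private=False)` and `qs.filter(namespace__in=namespaces)` would keep that. The first `viewsets.py` hunk removes `queryset_filtering_required_permission` from `ContainerPushRepositoryViewSet` without a matching override, so if the base class used that attribute to narrow list results, push repositories are presumably no longer filtered per user. The diffstat shows no test file, so the private/public and namespace-permission cases are not pinned by a regression test in this patch.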