Merge pull request #1104 from vantage6/change/allow-get-study-by-coll…

…aboration-for-org-scope Allow getting studies for certain collaboration with only organizatio…
vantage6 · Mar 18, 2024 · 99a543c · 99a543c
2 parents 10d28e7 + d2f4a9b
commit 99a543c
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/vantage6-server/vantage6/server/resource/study.py b/vantage6-server/vantage6/server/resource/study.py
@@ -296,9 +296,14 @@ def get(self):
                     "organization!"
                 }, HTTPStatus.UNAUTHORIZED
 
+        # Note that the collaboration_id filter is not allowed in most endpoints if the
+        # user only has organization permission - in those cases they will often
+        # unknowingly miss part of the resources. Here it is allowed because there is a
+        # clear use case: the user wants to see all their studies
         if "collaboration_id" in args:
             if self.r.v_glo.can() or (
-                self.r.v_col.can() and args["collaboration_id"] in auth_collab_ids
+                (self.r.v_col.can() or self.r.v_org.can())
+                and int(args["collaboration_id"]) in auth_collab_ids
             ):
                 q = q.filter(db.Study.collaboration_id == args["collaboration_id"])
             else: