Fix tests

PostHog · Mar 26, 2024 · 11b4f4a · 11b4f4a
1 parent fdaba0d
commit 11b4f4a
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 10 deletions.
diff --git a/ee/api/rbac/access_control.py b/ee/api/rbac/access_control.py
@@ -179,14 +179,14 @@ def _update_access_controls(self, request: Request, is_global=False):
 
     @action(methods=["GET", "PUT"], detail=True)
     def access_controls(self, request: Request, *args, **kwargs):
-        if request.method == "GET":
-            return self._get_access_controls(request)
         if request.method == "PUT":
             return self._update_access_controls(request)
 
+        return self._get_access_controls(request)
+
     @action(methods=["GET", "PUT"], detail=True)
     def global_access_controls(self, request: Request, *args, **kwargs):
-        if request.method == "GET":
-            return self._get_access_controls(request, is_global=True)
         if request.method == "PUT":
             return self._update_access_controls(request, is_global=True)
+
+        return self._get_access_controls(request, is_global=True)
diff --git a/posthog/api/insight.py b/posthog/api/insight.py
@@ -596,22 +596,28 @@ def get_serializer_context(self) -> Dict[str, Any]:
         context["is_shared"] = isinstance(self.request.successful_authenticator, SharingAccessTokenAuthentication)
         return context
 
-    def get_queryset(self) -> QuerySet:
-        queryset: QuerySet
+    def filter_queryset(self, queryset):
         if isinstance(self.request.successful_authenticator, SharingAccessTokenAuthentication):
+            # Special case for sharing tokens - we don't use the common filtering
             queryset = Insight.objects.filter(
                 id__in=self.request.successful_authenticator.sharing_configuration.get_connected_insight_ids()
             )
-        elif self.action == "partial_update" and self.request.data.get("deleted") is False:
+            # Disallow access to other teams' insights (this would normally done by the super function)
+            queryset = self.filter_queryset_by_parents_lookups(queryset)
+            return queryset
+
+        return super().filter_queryset(queryset)
+
+    def get_queryset(self) -> QuerySet:
+        queryset: QuerySet
+        if self.action == "partial_update" and self.request.data.get("deleted") is False:
             # an insight can be un-deleted by patching {"deleted": False}
             queryset = Insight.objects_including_soft_deleted.all()
         else:
             queryset = Insight.objects.all()
 
         # Optimize tag retrieval
         queryset = self.prefetch_tagged_items_if_available(queryset)
-        # Disallow access to other teams' insights
-        queryset = self.filter_queryset_by_parents_lookups(queryset)
 
         queryset = queryset.prefetch_related(
             Prefetch(

diff --git a/posthog/rbac/user_access_control.py b/posthog/rbac/user_access_control.py
@@ -315,7 +315,7 @@ def filter_queryset_by_access_level(self, queryset: QuerySet, resource: Optional
 
         model_has_creator = hasattr(model, "created_by")
 
-        filter_args = dict(resource=resource, resource_id__isnull=False)
+        filter_args: dict[str, Any] = dict(resource=resource, resource_id__isnull=False)
 
         if self._team and resource != "project":
             filter_args["team"] = self._team