Take content_hidden flag into account for foimessage API reads

okfde · Oct 28, 2024 · a0ecf4f · a0ecf4f
1 parent 10c80c4
commit a0ecf4f
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 10 deletions.
diff --git a/froide/foirequest/api_views.py b/froide/foirequest/api_views.py
@@ -242,8 +242,8 @@ class FoiMessageSerializer(serializers.HyperlinkedModelSerializer):
         read_only=True, view_name="api:publicbody-detail"
     )
 
-    subject = serializers.CharField(source="get_subject")
-    content = serializers.CharField(source="get_content")
+    subject = serializers.SerializerMethodField(source="get_subject")
+    content = serializers.SerializerMethodField(source="get_content")
     redacted_subject = serializers.SerializerMethodField(source="get_redacted_subject")
     redacted_content = serializers.SerializerMethodField(source="get_redacted_content")
     sender = serializers.CharField()
@@ -281,20 +281,33 @@ class Meta:
             "last_modified_at",
         )
 
-    def get_redacted_subject(self, obj):
+    def _is_authenticated_read(self, obj):
         request = self.context["request"]
+        return can_read_foirequest_authenticated(obj.request, request, allow_code=False)
+
+    def get_subject(self, obj):
+        if obj.content_hidden and not self._is_authenticated_read(obj):
+            return ""
+        return obj.get_subject()
 
-        if can_read_foirequest_authenticated(obj.request, request, allow_code=False):
+    def get_content(self, obj):
+        if obj.content_hidden and not self._is_authenticated_read(obj):
+            return ""
+        return obj.get_subject()
+
+    def get_redacted_subject(self, obj):
+        if self._is_authenticated_read(obj):
             show, hide = obj.subject, obj.subject_redacted
         else:
+            if obj.content_hidden:
+                return []
             show, hide = obj.subject_redacted, obj.subject
         return list(get_differences(show, hide))
 
     def get_redacted_content(self, obj):
-        request = self.context["request"]
-        authenticated_read = can_read_foirequest_authenticated(
-            obj.request, request, allow_code=False
-        )
+        authenticated_read = self._is_authenticated_read(obj)
+        if obj.content_hidden and not authenticated_read:
+            return []
         return obj.get_redacted_content(authenticated_read)
 
     def get_attachments(self, obj):

diff --git a/froide/foirequest/tests/test_api.py b/froide/foirequest/tests/test_api.py
@@ -81,7 +81,13 @@ def test_permissions(self):
 
     def test_content_hidden(self):
         marker = "TESTMARKER"
-        mes = factories.FoiMessageFactory.create(content_hidden=True, plaintext=marker)
+        mes = factories.FoiMessageFactory.create(
+            content_hidden=True,
+            plaintext=marker,
+            plaintext_redacted=marker,
+            subject=marker,
+            subject_redacted=marker,
+        )
         response = self.client.get("/api/v1/message/%d/" % mes.pk)
         self.assertEqual(response.status_code, 200)
         self.assertNotContains(response, marker)
@@ -90,7 +96,7 @@ def test_username_hidden(self):
         user = factories.UserFactory.create(first_name="Reinhardt")
         user.private = True
         user.save()
-        mes = factories.FoiMessageFactory.create(content_hidden=True, sender_user=user)
+        mes = factories.FoiMessageFactory.create(sender_user=user)
         response = self.client.get("/api/v1/message/%d/" % mes.pk)
         self.assertEqual(response.status_code, 200)
         self.assertNotContains(response, user.username)