diff --git a/isic/core/tests/test_image_identifier.py b/isic/core/tests/test_image_identifier.py
index 295ddceb..08a61369 100644
--- a/isic/core/tests/test_image_identifier.py
+++ b/isic/core/tests/test_image_identifier.py
@@ -1,6 +1,8 @@
 from django.urls import reverse
 import pytest
 
+from isic.core.services.image import image_share
+
 
 @pytest.mark.django_db
 def test_resolve_isic_id(client, image_factory):
@@ -23,3 +25,21 @@ def test_resolve_pk(client, image_factory):
 response = client.get(f"/images/{image.pk}/")
 assert response.status_code == 301
 assert response.url == reverse("core/image-detail", kwargs={"image_identifier": image.isic_id})
+
+
+@pytest.mark.django_db
+def test_resolve_pk_private_image_unauthenticated(client, image_factory):
+ image = image_factory(public=False)
+ response = client.get(f"/images/{image.pk}/")
+ assert response.status_code == 404
+
+
+@pytest.mark.django_db
+def test_resolve_pk_private_image_authorized(client, user_factory, staff_user, image_factory):
+ user = user_factory()
+ image = image_factory(public=False)
+ image_share(image=image, grantor=staff_user, grantee=user)
+ client.force_login(user)
+ response = client.get(f"/images/{image.pk}/")
+ assert response.status_code == 301
+ assert response.url == reverse("core/image-detail", kwargs={"image_identifier": image.isic_id})
diff --git a/isic/core/views/images.py b/isic/core/views/images.py
index 4ab87ee7..ff5a777d 100644
--- a/isic/core/views/images.py
+++ b/isic/core/views/images.py
@@ -38,7 +38,9 @@ def wrapper(request, image_identifier):
 else Q(accession__girder_id=image_identifier)
 )
 
- image = Image.objects.filter(filter_).order_by().first()
+ image = get_visible_objects(
+ request.user, "core.view_image", Image.objects.filter(filter_)
+ ).first()
 if image:
 redirect_url = reverse("core/image-detail", kwargs={"image_identifier": image.isic_id})
 return HttpResponsePermanentRedirect(redirect_url)
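Review bot: The added tests in `test_image_identifier.py` cover an anonymous client and a user who holds a share, but not an authenticated user with no share on the private image, which is the case the permission filter most needs to pin. A third test that logs in a fresh user without calling `image_share` and expects a 404 would close that gap; a sketch follows. The private-image tests also use only the `image.pk` form of the identifier, while the view hunk shows a `Q(accession__girder_id=image_identifier)` branch, so parametrizing over the identifier forms would guard the other branches as well.

```python
@pytest.mark.django_db
def test_resolve_pk_private_image_unauthorized(client, user_factory, image_factory):
    image = image_factory(public=False)
    client.force_login(user_factory())
    response = client.get(f"/images/{image.pk}/")
    assert response.status_code == 404
```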
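Review bot: The 301 from `HttpResponsePermanentRedirect(redirect_url)` in `wrapper` now depends on `request.user`, but a permanent redirect is cacheable by default, so a redirect issued to an authorized user for a private image may be replayed from a browser or intermediary cache after the share is revoked. Whether a `Vary: Cookie` header is already added to this response is not visible in the hunk, so it is worth confirming, or marking the response explicitly with `response["Cache-Control"] = "private"` before returning it. A short comment above the query would also record the intent: `# Filter by visibility before redirecting so the response never reveals the isic_id of an image the requester cannot view.` The body of `wrapper` starts and ends outside the hunk, so the not-found path is assumed to return the same 404 for a hidden image as for a missing one.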