Add permissioning on route-level, change ordering convention for history

pennlabs · Nov 13, 2024 · 0610295 · 0610295
1 parent 8867434
commit 0610295
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 11 deletions.
diff --git a/backend/clubs/serializers.py b/backend/clubs/serializers.py
@@ -2983,14 +2983,6 @@ class ApprovalHistorySerializer(serializers.ModelSerializer):
     history_date = serializers.DateTimeField()
 
     def get_approved_by(self, obj):
-        user = self.context["request"].user
-        if not user.is_authenticated:
-            return None
-        if not user.has_perm("clubs.see_pending_clubs"):
-            club = Club.objects.get(code=obj.code)
-            membership = Membership.objects.filter(person=user, club=club).first()
-            if membership is None or membership.role < Membership.ROLE_OFFICER:
-                return None
         if obj.approved_by is None:
             return "Unknown"
         return obj.approved_by.get_full_name()

diff --git a/backend/clubs/views.py b/backend/clubs/views.py
@@ -18,6 +18,7 @@
 import pytz
 import qrcode
 import requests
+import rest_framework
 from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from CyberSource import (
@@ -1278,6 +1279,7 @@ def upload_file(self, request, *args, **kwargs):
         return file_upload_endpoint_helper(request, code=club.code)
 
     @action(detail=True, methods=["get"])
+    @rest_framework.decorators.permission_classes([ClubSensitiveItemPermission])
     def history(self, request, *args, **kwargs):
         """
         Return a simplified approval history for the club.
@@ -1314,7 +1316,7 @@ def history(self, request, *args, **kwargs):
         club = self.get_object()
         return Response(
             ApprovalHistorySerializer(
-                club.history.order_by("history_date"),
+                club.history.order_by("-history_date"),
                 many=True,
                 context={"request": request},
             ).data

diff --git a/backend/tests/clubs/test_views.py b/backend/tests/clubs/test_views.py
@@ -2186,7 +2186,7 @@ def test_club_sensitive_field_renew(self):
         resp = self.client.get(reverse("clubs-history", args=(club.code,)))
         self.assertIn(resp.status_code, [200], resp.content)
         previous_history = json.loads(resp.content.decode("utf-8"))
-        self.assertTrue(previous_history[-1]["approved"])
+        self.assertTrue(previous_history[0]["approved"])
 
         with patch("django.conf.settings.REAPPROVAL_QUEUE_OPEN", True):
             for field in {"name"}:
@@ -2203,7 +2203,7 @@ def test_club_sensitive_field_renew(self):
                 self.assertIn(resp.status_code, [200], resp.content)
                 history = json.loads(resp.content.decode("utf-8"))
                 self.assertEqual(len(history), len(previous_history) + 1)
-                self.assertFalse(history[-1]["approved"])
+                self.assertFalse(history[0]["approved"])
 
                 # ensure club is marked as not approved
                 club.refresh_from_db()

diff --git a/frontend/components/ClubPage/ClubApprovalDialog.tsx b/frontend/components/ClubPage/ClubApprovalDialog.tsx
@@ -181,6 +181,7 @@ const ClubApprovalDialog = ({ club }: Props): ReactElement | null => {
               lastVersions.push(item)
             }
           }
+          lastVersions.reverse() // Avoids O(n^2) of unshift() method
           setHistory(lastVersions)
         })
     }