API V3: Allow other users to see build notifications from public proj…

…ects

Fixes #11333

readthedocs/api/v3/permissions.py

@@ -63,13 +63,9 @@ def has_permission(self, request, view):
         if view.detail and view.action in ("list", "retrieve", "superproject"):
             # detail view is only allowed on list/retrieve actions (not
             # ``update`` or ``partial_update``).
-            if view.basename not in (
-                "projects-notifications",
-                "projects-builds-notifications",
-            ):
-                # We don't want to give detail access to resources'
-                # notifications to users that don't have access to those
-                # resources.
+            if view.basename != "projects-notifications":
+                # We don't want to give detail access to projects'
+                # notifications to users that don't have access to the project.
                 return True
 
         if view.basename.startswith("projects"):

readthedocs/api/v3/views.py

@@ -2,6 +2,7 @@
 from django.contrib.auth.models import User
 from django.contrib.contenttypes.models import ContentType
 from django.db.models import Exists, OuterRef
+from django.shortcuts import get_object_or_404
 from rest_flex_fields import is_expanded
 from rest_flex_fields.views import FlexFieldsMixin
 from rest_framework import status
@@ -477,6 +478,14 @@ class NotificationsBuildViewSet(
     serializer_class = NotificationSerializer
     queryset = Notification.objects.all()
     filterset_class = NotificationFilter
+    # Permissions are checked at the queryset level.
+    # We need to show build notifications to anonymous
+    # users on public builds.
+    permission_classes = ()
+
+    def _get_parent_build(self):
+        pk = self._get_parent_object_lookup(self.BUILD_LOOKUP_NAMES)
+        return get_object_or_404(Build.objects.api(user=self.request.user), pk=pk)
 
     def get_queryset(self):
         build = self._get_parent_build()