diff --git a/api/preprints/views.py b/api/preprints/views.py
index 38bcce4c3f1..27986428958 100644
--- a/api/preprints/views.py
+++ b/api/preprints/views.py
@@ -135,10 +135,6 @@ def get_preprint(self, check_object_permissions=True, ignore_404=False):
 sentry.log_message(f'Preprint deleted: [guid={base_guid_id}, version={preprint_version}]')
 raise NotFound
- # May raise a permission denied
- if check_object_permissions:
- self.check_object_permissions(self.request, preprint)
-
 user = self.request.user
 if isinstance(user, AnonymousUser):
 user_is_reviewer = user_is_contributor = False
@@ -162,8 +158,15 @@ def get_preprint(self, check_object_permissions=True, ignore_404=False):
 raise PermissionDenied(
 detail='This preprint is pending moderation and is not yet publicly available.',
 )
+ # May raise a permission denied
+ if check_object_permissions:
+ self.check_object_permissions(self.request, preprint)
 raise NotFound
+ # May raise a permission denied
+ if check_object_permissions:
+ self.check_object_permissions(self.request, preprint)
+
 return preprint
 class PreprintList(PreprintMetricsViewMixin, JSONAPIBaseView, generics.ListCreateAPIView, PreprintFilterMixin):
diff --git a/api_tests/preprints/views/test_preprint_detail_reviews.py b/api_tests/preprints/views/test_preprint_detail_reviews.py
index 474a858d2b9..66d27329a33 100644
--- a/api_tests/preprints/views/test_preprint_detail_reviews.py
+++ b/api_tests/preprints/views/test_preprint_detail_reviews.py
@@ -120,7 +120,7 @@ def test_reviews_preprint_is_published_detail(
 # test_unpublished_invisible_to_public
 res = app.get(unpublished_url, expect_errors=True)
- assert res.status_code == 401
+ assert res.status_code == 403
 def test_reviews_preprint_initial_detail(
 self, app, admin, write_contrib, non_contrib,
@@ -167,4 +167,4 @@ def test_reviews_preprint_is_public_detail(
 # test_private_invisible_to_public
 res = app.get(private_url, expect_errors=True)
- assert res.status_code == 401
+ assert res.status_code == 403
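Review bot: The `raise PermissionDenied(detail='This preprint is pending moderation and is not yet publicly available.')` at the top of the second views.py hunk is now reached before `check_object_permissions` runs, so a caller who has not passed object permissions can get a response that confirms the preprint exists and names its moderation state. The updated tests, which now expect 403 where they expected 401 for requests sent without auth, are consistent with that. If this precedence is intended, record it at the deferred check instead of repeating `# May raise a permission denied` twice, for example `# Checked after the visibility rules above on purpose, so their 403 takes precedence over the authentication error`. Indentation is lost on this page and the condition guarding the branch, as well as the lines between the two hunks, are not visible, so it is worth confirming that no path in between returns `preprint` without reaching the final check.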
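Review bot: The changed assertion `assert res.status_code == 403` in `test_reviews_preprint_is_published_detail` checks only the status code, so it does not show whether the 403 is the view's own `PermissionDenied` with its moderation message or some other permission failure. Pinning the body as well, e.g. `assert 'data' not in res.json` together with a comparison of the returned error detail against the message the view is expected to send, would catch a later reordering that changes what an unauthenticated caller learns. The same applies to the second hunk in this file (`test_reviews_preprint_is_public_detail`) and to the new `test_unpublished_invisible_to_public` in test_preprint_list.py. Both test functions in this file start and end outside their hunks.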
diff --git a/api_tests/preprints/views/test_preprint_list.py b/api_tests/preprints/views/test_preprint_list.py
index df180a3ce69..3208c397893 100644
--- a/api_tests/preprints/views/test_preprint_list.py
+++ b/api_tests/preprints/views/test_preprint_list.py
@@ -998,6 +998,17 @@ def test_unpublished_visible_to_write_contribs(
 res = app.get(detail_url, auth=user_write_contrib.auth, expect_errors=True)
 assert res.json['data']['id'] == preprint_unpublished._id
+ def test_unpublished_invisible_to_public(
+ self, app, preprint_unpublished, preprint_published,
+ list_url, detail_url):
+ res = app.get(list_url)
+ assert len(res.json['data']) == 1
+ assert preprint_unpublished._id not in [
+ d['id'] for d in res.json['data']]
+
+ res = app.get(detail_url, expect_errors=True)
+ assert res.status_code == 403
+
 class TestPreprintIsValidList(PreprintIsValidListMixin):
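Review bot: `test_unpublished_invisible_to_public` exercises only a request sent without `auth`, so the case of an authenticated user who is neither contributor nor reviewer asking for `detail_url` is not covered by this hunk. That is the case where moving `check_object_permissions` behind the visibility rules in `get_preprint` could change the outcome between 403 and 404. If the class has a fixture for such a user (none is visible in the hunk), a second request along the lines of `res = app.get(detail_url, auth=<non-contributor fixture>.auth, expect_errors=True)` with its expected status would pin that behaviour.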