From c7fb77d93b49a29f8f9dd61ede95ce1e677095fa Mon Sep 17 00:00:00 2001 From: mkovalua Date: Wed, 28 Jan 2026 18:05:16 +0200 Subject: [PATCH 1/5] if preprint is pending moderation show it for not contributors/moderators/Logged-out users using /pending-moderation redirection on access --- api/preprints/views.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/api/preprints/views.py b/api/preprints/views.py index 38bcce4c3f1..42a2125f64d 100644 --- a/api/preprints/views.py +++ b/api/preprints/views.py @@ -135,10 +135,6 @@ def get_preprint(self, check_object_permissions=True, ignore_404=False): sentry.log_message(f'Preprint deleted: [guid={base_guid_id}, version={preprint_version}]') raise NotFound - # May raise a permission denied - if check_object_permissions: - self.check_object_permissions(self.request, preprint) - user = self.request.user if isinstance(user, AnonymousUser): user_is_reviewer = user_is_contributor = False @@ -164,6 +160,10 @@ def get_preprint(self, check_object_permissions=True, ignore_404=False): ) raise NotFound + # May raise a permission denied + if check_object_permissions: + self.check_object_permissions(self.request, preprint) + return preprint class PreprintList(PreprintMetricsViewMixin, JSONAPIBaseView, generics.ListCreateAPIView, PreprintFilterMixin): From c6ff21c4bc22b511552a05faf7b693d7ba90f7ae Mon Sep 17 00:00:00 2001 From: mkovalua Date: Thu, 29 Jan 2026 11:21:42 +0200 Subject: [PATCH 2/5] update testcases to be it compatable with 'This preprint is pending moderation and is not yet publicly available.' logic --- api/preprints/views.py | 3 +++ api_tests/preprints/views/test_preprint_detail_reviews.py | 4 ++-- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/api/preprints/views.py b/api/preprints/views.py index 42a2125f64d..27986428958 100644 --- a/api/preprints/views.py +++ b/api/preprints/views.py @@ -158,6 +158,9 @@ def get_preprint(self, check_object_permissions=True, ignore_404=False): raise PermissionDenied( detail='This preprint is pending moderation and is not yet publicly available.', ) + # May raise a permission denied + if check_object_permissions: + self.check_object_permissions(self.request, preprint) raise NotFound # May raise a permission denied diff --git a/api_tests/preprints/views/test_preprint_detail_reviews.py b/api_tests/preprints/views/test_preprint_detail_reviews.py index 474a858d2b9..66d27329a33 100644 --- a/api_tests/preprints/views/test_preprint_detail_reviews.py +++ b/api_tests/preprints/views/test_preprint_detail_reviews.py @@ -120,7 +120,7 @@ def test_reviews_preprint_is_published_detail( # test_unpublished_invisible_to_public res = app.get(unpublished_url, expect_errors=True) - assert res.status_code == 401 + assert res.status_code == 403 def test_reviews_preprint_initial_detail( self, app, admin, write_contrib, non_contrib, @@ -167,4 +167,4 @@ def test_reviews_preprint_is_public_detail( # test_private_invisible_to_public res = app.get(private_url, expect_errors=True) - assert res.status_code == 401 + assert res.status_code == 403 From d98f5f6063fab9697dae63be4b37914eefcf9f79 Mon Sep 17 00:00:00 2001 From: mkovalua Date: Thu, 29 Jan 2026 12:04:52 +0200 Subject: [PATCH 3/5] test update --- api_tests/preprints/views/test_preprint_list_mixin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api_tests/preprints/views/test_preprint_list_mixin.py b/api_tests/preprints/views/test_preprint_list_mixin.py index df11d3d0c30..47bd3d2ef15 100644 --- a/api_tests/preprints/views/test_preprint_list_mixin.py +++ b/api_tests/preprints/views/test_preprint_list_mixin.py @@ -106,7 +106,7 @@ def test_unpublished_invisible_to_public( d['id'] for d in res.json['data']] res = app.get(detail_url, expect_errors=True) - assert res.status_code == 401 + assert res.status_code == 403 @pytest.mark.django_db From 54f54dc3fd61a9b0b75ffd513dc971ad36b62c3b Mon Sep 17 00:00:00 2001 From: mkovalua Date: Thu, 29 Jan 2026 12:44:24 +0200 Subject: [PATCH 4/5] test update --- api_tests/preprints/views/test_preprint_list_mixin.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api_tests/preprints/views/test_preprint_list_mixin.py b/api_tests/preprints/views/test_preprint_list_mixin.py index 47bd3d2ef15..df11d3d0c30 100644 --- a/api_tests/preprints/views/test_preprint_list_mixin.py +++ b/api_tests/preprints/views/test_preprint_list_mixin.py @@ -106,7 +106,7 @@ def test_unpublished_invisible_to_public( d['id'] for d in res.json['data']] res = app.get(detail_url, expect_errors=True) - assert res.status_code == 403 + assert res.status_code == 401 @pytest.mark.django_db From 11302eafd0f3b1e9ecb286e5118b72c11ed22fe7 Mon Sep 17 00:00:00 2001 From: mkovalua Date: Thu, 29 Jan 2026 17:24:40 +0200 Subject: [PATCH 5/5] test update --- api_tests/preprints/views/test_preprint_list.py | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/api_tests/preprints/views/test_preprint_list.py b/api_tests/preprints/views/test_preprint_list.py index df180a3ce69..3208c397893 100644 --- a/api_tests/preprints/views/test_preprint_list.py +++ b/api_tests/preprints/views/test_preprint_list.py @@ -998,6 +998,17 @@ def test_unpublished_visible_to_write_contribs( res = app.get(detail_url, auth=user_write_contrib.auth, expect_errors=True) assert res.json['data']['id'] == preprint_unpublished._id + def test_unpublished_invisible_to_public( + self, app, preprint_unpublished, preprint_published, + list_url, detail_url): + res = app.get(list_url) + assert len(res.json['data']) == 1 + assert preprint_unpublished._id not in [ + d['id'] for d in res.json['data']] + + res = app.get(detail_url, expect_errors=True) + assert res.status_code == 403 + class TestPreprintIsValidList(PreprintIsValidListMixin):