Merge pull request #1040 from scitran/group-list-fix

Filter list of groups on GET endpoint when user is site admin

Merge pull request #1040 from scitran/group-list-fix
45debf1c · Megan Henning · GitHub · f6e0e4aa · 0f9f1d1d · 45debf1c
Unverified Commit 45debf1c authored 7 years ago by Megan Henning Committed by GitHub 7 years ago
--- a/api/auth/groupauth.py
+++ b/api/auth/groupauth.py
@@ -36,13 +36,10 @@ def list_permission_checker(handler, uid=None):
                projection = projection or {}
                projection['permissions.$'] = 1
            else:
-                if not handler.superuser_request and not handler.user_is_admin:
+                if not handler.superuser_request:
                    query = query or {}
                    projection = projection or {}
-                    if handler.is_true('admin'):
-                        query['permissions'] = {'$elemMatch': {'_id': handler.uid, 'access': 'admin'}}
-                    else:
-                        query['permissions._id'] = handler.uid
+                    query['permissions._id'] = handler.uid

            return exec_op(method, query=query, projection=projection)
        return f

--- a/tests/integration_tests/python/test_groups.py
+++ b/tests/integration_tests/python/test_groups.py
@@ -128,4 +128,4 @@ def test_groups(as_user, as_admin, data_builder):
    project = data_builder.create_project()
    r = as_admin.get('/groups', params={'join': 'projects'})
    assert r.ok
-    assert r.json()[1].get('projects')[0].get('_id') == project
+    assert r.json()[0].get('projects')[0].get('_id') == project