From b5992b5210fe8143341e56997dc9438dd62542f5 Mon Sep 17 00:00:00 2001
From: Andre Anjos <andre.anjos@idiap.ch>
Date: Fri, 1 Jul 2016 16:35:24 +0200
Subject: [PATCH] [code,common] Do not require user to be logged in to see
 diffs

---
 beat/web/code/api.py   | 17 +++++++++--------
 beat/web/common/api.py |  1 -
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/beat/web/code/api.py b/beat/web/code/api.py
index 1a0fdd037..7046ce6d4 100644
--- a/beat/web/code/api.py
+++ b/beat/web/code/api.py
@@ -58,7 +58,6 @@ class ShareCodeView(ShareView):
 
 class DiffView(generics.RetrieveAPIView):
     model = Code
-    permission_classes = [permissions.IsAuthenticated]
     serializer_class = DiffSerializer
 
     def get(self, request, author1, name1, version1, author2, name2, version2):
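Review bot: With `permission_classes` deleted, this view inherits whatever `DEFAULT_PERMISSION_CLASSES` the project settings define, so the decision to allow anonymous access is no longer visible in the class and changes if that default changes. Declaring it explicitly, `permission_classes = [permissions.AllowAny]`, with a comment such as `# access is enforced per object in get()`, keeps the intent next to the code that depends on it. The same applies to the `DiffView` in beat/web/common/api.py. The class body continues outside the hunk.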
@@ -79,13 +78,15 @@ class DiffView(generics.RetrieveAPIView):
 
 
         # Check that the user can access them
-        accessibility = object1.accessibility_for(request.user)
-        if not accessibility[1]:
-            return ForbiddenResponse(object1.fullname())
-
-        accessibility = object2.accessibility_for(request.user)
-        if not accessibility[1]:
-            return ForbiddenResponse(object2.fullname())
+        has_access, open_source, _ = object1.accessibility_for(request.user)
+        if not ((request.user == object1.author) or \
+            (has_access and open_source)):
+            return ForbiddenResponse("You cannot access the source-code of \"%s\"" % object1.fullname())
+
+        has_access, open_source, _ = object2.accessibility_for(request.user)
+        if not ((request.user == object2.author) or \
+            (has_access and open_source)):
+            return ForbiddenResponse("You cannot access the source-code of \"%s\"" % object2.fullname())
 
         # Compute the diff
         serializer = self.get_serializer({'object1': object1,
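Review bot: The two 403 branches now answer unauthenticated callers, and the message echoes `object1.fullname()` / `object2.fullname()`, so an anonymous request can learn that a private object with that author, name and version exists. If the lookup above this hunk (not shown) returns a not-found response for missing objects, consider returning that same response when the caller lacks access, so the two cases cannot be told apart. Separately, the access condition is duplicated verbatim for both objects; a small private helper taking the object and `request.user` would keep the two checks from drifting. `get` starts and ends outside the hunk.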
diff --git a/beat/web/common/api.py b/beat/web/common/api.py
index 8ae0a0f0f..bc5cad89a 100644
--- a/beat/web/common/api.py
+++ b/beat/web/common/api.py
@@ -178,7 +178,6 @@ class ListCreateContributionView(IsAuthorOrReadOnlyMixin, ListCreateBaseView):
 
 class DiffView(generics.RetrieveAPIView):
     model = Versionable
-    permission_classes = [permissions.IsAuthenticated]
     serializer_class = DiffSerializer
 
     def get(self, request, author1, name1, version1, author2, name2, version2):
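Review bot: Dropping `IsAuthenticated` here leaves the body of `get` as the only access control for this view, and the diffstat shows a single deleted line in this file, so that body was not adjusted by the commit. The body is outside the hunk; it should be confirmed that it checks `accessibility_for(request.user)` on both objects and behaves correctly when `request.user` is anonymous, as the beat/web/code/api.py view now does. A test that requests a diff involving a private object without credentials and expects a refusal would pin this down.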
-- 
GitLab