[code,common] Do not require user to be logged in to see diffs

beat/web/code/api.py

@@ -58,7 +58,6 @@ class ShareCodeView(ShareView):
 
 class DiffView(generics.RetrieveAPIView):
     model = Code
-    permission_classes = [permissions.IsAuthenticated]
     serializer_class = DiffSerializer
 
     def get(self, request, author1, name1, version1, author2, name2, version2):
@@ -79,13 +78,15 @@ class DiffView(generics.RetrieveAPIView):
 
 
         # Check that the user can access them
-        accessibility = object1.accessibility_for(request.user)
-        if not accessibility[1]:
-            return ForbiddenResponse(object1.fullname())
-
-        accessibility = object2.accessibility_for(request.user)
-        if not accessibility[1]:
-            return ForbiddenResponse(object2.fullname())
+        has_access, open_source, _ = object1.accessibility_for(request.user)
+        if not ((request.user == object1.author) or \
+            (has_access and open_source)):
+            return ForbiddenResponse("You cannot access the source-code of \"%s\"" % object1.fullname())
+
+        has_access, open_source, _ = object2.accessibility_for(request.user)
+        if not ((request.user == object2.author) or \
+            (has_access and open_source)):
+            return ForbiddenResponse("You cannot access the source-code of \"%s\"" % object2.fullname())
 
         # Compute the diff
         serializer = self.get_serializer({'object1': object1,

beat/web/common/api.py

@@ -178,7 +178,6 @@ class ListCreateContributionView(IsAuthorOrReadOnlyMixin, ListCreateBaseView):
 
 class DiffView(generics.RetrieveAPIView):
     model = Versionable
-    permission_classes = [permissions.IsAuthenticated]
     serializer_class = DiffSerializer
 
     def get(self, request, author1, name1, version1, author2, name2, version2):