Skip to content

fix: activities on private object not visible by owner#3567

Merged
ThibaudDauce merged 3 commits intomainfrom
fix_activities_not_visible_by_owner
Dec 18, 2025
Merged

fix: activities on private object not visible by owner#3567
ThibaudDauce merged 3 commits intomainfrom
fix_activities_not_visible_by_owner

Conversation

@ThibaudDauce
Copy link
Copy Markdown
Contributor

@ThibaudDauce ThibaudDauce commented Dec 10, 2025
edited
Loading

👋 je vois que l'API ne renvoie les activités d'un objet private que pour les super-admin

udata/udata/core/activity/api.py

Lines 112 to 117 in 5313356

if hasattr(item.related_to, "private") and (
current_user.is_anonymous or not current_user.sysadmin
):
if item.related_to.private:
continue
safe_items.append(item)

Est-ce que ce serait envisageable d'introduire un check de type visible_by_user plutôt ?

⚠️ need fixing if merged before or after #3566

@ThibaudDauce ThibaudDauce force-pushed the fix_activities_not_visible_by_owner branch from 453aae9 to 915f81c Compare December 10, 2025 14:38
@ThibaudDauce ThibaudDauce requested review from abulte and maudetes and removed request for abulte December 10, 2025 14:45
@ThibaudDauce ThibaudDauce force-pushed the fix_activities_not_visible_by_owner branch from 915f81c to 0817897 Compare December 10, 2025 14:46
@abulte abulte mentioned this pull request Dec 10, 2025
Closed
maudetes
maudetes approved these changes Dec 12, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@maudetes maudetes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for taking a go a it!

I think the existing activity logic filtering quite terrible 😢, but it should probably be investigated in a different iteration

Comment thread udata/core/owned.py Outdated
Comment on lines +124 to +125
if not getattr(self, "private", False):
return True
Copy link
Copy Markdown
Contributor

@maudetes maudetes Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it may be confusing with the is_visible computed properties that exist on multiple objects and that also takes other properties into account (deleted, archived, etc.), not behaving the same as this.

Copy link
Copy Markdown
Contributor Author

@ThibaudDauce ThibaudDauce Dec 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you think of ea1cf23?

@ThibaudDauce ThibaudDauce merged commit 51257b4 into main Dec 18, 2025
1 check passed
@ThibaudDauce ThibaudDauce deleted the fix_activities_not_visible_by_owner branch December 18, 2025 10:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolaskempf57 nicolaskempf57 nicolaskempf57 approved these changes

@maudetes maudetes Awaiting requested review from maudetes

+1 more reviewer

@abulte abulte abulte approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ThibaudDauce @abulte @nicolaskempf57 @maudetes