Merge branch 'release/2.025.43' into dev-1358-erase-anonymous-exports

Author: rajpatel24

jsapp/js/components/formLanding/formLanding.js

@@ -246,6 +246,9 @@ class FormLanding extends React.Component {
                       <bem.FormView__label>
                         <ActionIcon
                           variant='transparent'
+                          onClick={() => {
+                            this.saveCloneAs(item.uid)
+                          }}
                           tooltip={t('Clone this version as a new project')}
                           iconName='duplicate'
                           size='md'

kpi/models/import_export_task.py

@@ -497,6 +497,13 @@ def export_upload_to(self, filename):
     more information, see
     https://docs.djangoproject.com/en/1.8/topics/migrations/#serializing-values
     """
+
+    if hasattr(self, 'asset'):
+        return posixpath.join(self.user.username, 'exports', self.asset.uid, filename)
+
+    if getattr(self, 'asset_uid', None):
+        return posixpath.join(self.user.username, 'exports', self.asset_uid, filename)
+
     return posixpath.join(self.user.username, 'exports', filename)
 
 

kpi/tests/api/v1/test_api_assets.py

@@ -388,7 +388,8 @@ def test_owner_can_create_and_delete_export(self):
                 "inline; filename*=utf-8''", ''
             )
         )
-        file_path = export_upload_to(self, file_name)
+        export = SubmissionExportTask.objects.get(uid=detail_response.data['uid'])
+        file_path = export_upload_to(export, file_name)
 
         detail_url = reverse('submissionexporttask-detail', kwargs={
             'uid': detail_response.data['uid']

kpi/tests/api/v2/test_api_exports.py

@@ -147,6 +147,10 @@ def test_create_export_anon(self):
         download_response = self.client.get(download_url)
         assert download_response.status_code == status.HTTP_200_OK
 
+        self.asset.remove_perm(anon, PERM_VIEW_SUBMISSIONS)
+        download_response = self.client.get(download_url)
+        assert download_response.status_code == status.HTTP_403_FORBIDDEN
+
     def test_export_task_list_anotheruser(self):
         for _type in ['csv', 'xls', 'spss_labels']:
             self._create_export_task(_type=_type)

kpi/utils/private_storage.py

@@ -1,7 +1,11 @@
 # coding: utf-8
+import re
+
 from rest_framework.request import Request as DRFRequest
 from rest_framework.settings import api_settings
 
+from kpi.constants import PERM_VIEW_SUBMISSIONS, PERM_PARTIAL_SUBMISSIONS
+from kpi.models import Asset
 from kpi.utils.object_permission import get_database_user
 
 
@@ -37,9 +41,21 @@ def superuser_or_username_matches_prefix(private_file):
     if user.is_superuser:
         return True
 
-    if private_file.relative_name.startswith(
-        '{}/'.format(user.username)
-    ):
+    if private_file.relative_name.startswith(f'{user.username}/'):
+        filename_regex = rf'{user.username}/exports/(a[^/]*)/.*'
+        match = re.search(filename_regex, private_file.relative_name)
+        if match:
+            uid = match.groups()[0]
+            # Only loads what's needed for a permission check
+            a = (
+                Asset.objects.only('pk', 'owner_id', 'uid')
+                .select_related('owner')
+                .get(uid=uid)
+            )
+            return (
+                a.has_perm(user_obj=user, perm=PERM_VIEW_SUBMISSIONS)
+                or a.has_perm(user_obj=user, perm=PERM_PARTIAL_SUBMISSIONS)
+            )
         return True
 
     return False