From 08f20796a746dffafd232a5953ad8a9a5ad821d6 Mon Sep 17 00:00:00 2001
From: NaNoMelo
Date: Sat, 5 Oct 2024 20:53:52 +0200
Subject: [PATCH 1/2] access rights fix
---
 core/models.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/core/models.py b/core/models.py
index 41087c51..646cbca8 100644
--- a/core/models.py
+++ b/core/models.py
@@ -991,8 +991,8 @@ class SithFile(models.Model):
 return user.is_board_member
 if user.is_com_admin:
 return True
- if self.is_in_sas:
- return user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID)
+ if self.is_in_sas and user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
+ return True
 return user.id == self.owner_id
 def can_be_viewed_by(self, user):
From 5ee0ee8efbff6eaa214e30a6e7d7866efb105c02 Mon Sep 17 00:00:00 2001
From: NaNoMelo
Date: Sat, 5 Oct 2024 21:02:19 +0200
Subject: [PATCH 2/2] tests for picture ownership
---
 core/tests/test_files.py | 53 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 51 insertions(+), 2 deletions(-)
diff --git a/core/tests/test_files.py b/core/tests/test_files.py
index a887b93c..da301b96 100644
--- a/core/tests/test_files.py
+++ b/core/tests/test_files.py
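Review bot: The rewritten SAS branch widens who counts as an owner of a file under the SAS tree: before, a SAS file was owned only by SAS admins (after the com-admin and board shortcuts above), and every other user, including the record's `owner_id`, got False; now a non-admin falls through to `user.id == self.owner_id`, so the uploader of a SAS picture regains owner rights, and every permission the rest of the model derives from `is_owned_by` for SAS files is extended to them. If that is the intended fix it should be stated in the code, because the old shape reads as a deliberate restriction and the new one is easy to revert as a regression; a comment such as `# SAS files: SAS admins and the uploader are owners, other members are not` above the `if` would settle it. `is_owned_by`'s signature and whatever rejects anonymous users sit above the hunk, so I cannot see from here whether an anonymous `user` reaches the `owner_id` comparison.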
@@ -13,8 +13,57 @@ from model_bakery.recipe import Recipe, foreign_key
 from PIL import Image
 from pytest_django.asserts import assertNumQueries
-from core.baker_recipes import board_user, subscriber_user
-from core.models import Group, SithFile, User
+from core.baker_recipes import board_user, old_subscriber_user, subscriber_user
+from core.models import Group, RealGroup, SithFile, User
+from sas.models import Picture
+from sith import settings
+
+ @pytest.mark.django_db
+class TestImageAccess:
+ @pytest.mark.parametrize(
+ "user_factory",
+ [
+ lambda: baker.make(User, is_superuser=True),
+ lambda: baker.make(
+ User,
+ groups=[RealGroup.objects.get(pk=settings.SITH_GROUP_SAS_ADMIN_ID)],
+ ),
+ lambda: baker.make(
+ User,
+ groups=[RealGroup.objects.get(pk=settings.SITH_GROUP_COM_ADMIN_ID)],
+ ),
+ ],
+ )
+ def test_sas_image_access(self, user_factory: Callable[[], User]):
+ """Test that only authorized users can access the sas image."""
+ user = user_factory()
+ picture: SithFile = baker.make(
+ Picture, parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID)
+ )
+ assert picture.is_owned_by(user)
+
+ def test_sas_image_access_owner(self):
+ """Test that the owner of the image can access it."""
+ user = baker.make(User)
+ picture: Picture = baker.make(Picture, owner=user)
+ assert picture.is_owned_by(user)
+
+ @pytest.mark.parametrize(
+ "user_factory",
+ [
+ lambda: baker.make(User),
+ subscriber_user.make,
+ old_subscriber_user.make,
+ board_user.make,
+ ],
+ )
+ def test_sas_image_access_forbidden(self, user_factory: Callable[[], User]):
+ cache.clear()
+ user = user_factory()
+ owner = baker.make(User)
+ picture: Picture = baker.make(Picture, owner=owner)
+ assert not picture.is_owned_by(user)
 @pytest.mark.django_db
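Review bot: `test_sas_image_access_owner` and `test_sas_image_access_forbidden` build their `Picture` with `owner=` only and no `parent`, so unless `Picture.parent` defaults to a directory under the SAS root they never reach the `is_in_sas` branch that PATCH 1/2 changed: the owner test only proves the generic `owner_id` fallback, and the forbidden test never shows that a plain member, subscriber or board member is still refused on an actual SAS picture, which is the access-control property the fix touches. Create those pictures the way the first test does, `picture: Picture = baker.make(Picture, owner=owner, parent=SithFile.objects.get(pk=settings.SITH_SAS_ROOT_DIR_ID))`, and keep the no-parent variants only if ownership outside SAS is meant to be covered as well. Two smaller points: `test_sas_image_access` annotates the picture as `SithFile` while the other two use `Picture`, and `test_sas_image_access_forbidden` is the only method without a docstring and the only one calling `cache.clear()` — if group membership is cached per user, the other two are equally exposed to stale entries and the clear belongs in a fixture. `pytest`, `baker`, `cache` and `Callable` are not imported in this hunk; presumably they come from the lines above it.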