From cbd3d8ac71a86a55d68a8c2f8b312e1aad84beb6 Mon Sep 17 00:00:00 2001
From: Tobias Megies
Date: Wed, 6 Sep 2017 10:51:58 +0200
Subject: [PATCH 1/2] implement filtering by permissions for /rest/documents does not cover the case of multiple indices for a single document yet, and also misses tests so far (but confirmed to work locally, for the case of one index entry per quakeml document)
---
 src/jane/documents/models.py | 39 ++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/src/jane/documents/models.py b/src/jane/documents/models.py
index a2f3b04..ee20ffa 100644
--- a/src/jane/documents/models.py
@@ -78,6 +78,45 @@ def get_queryset(self):
 queryset = queryset.defer('data')
 return queryset

+ def get_filtered_queryset(self, document_type, queryset=None, negate=False,
+ **kwargs):
+ """
+ Returns a queryset filtered on the items in the JSON index field.
+
+ For all args/kwargs see
+ :meth:`DocumentIndexManager.+get_filtered_queryset`.
+ """
+ # Only create if necessary.
+ if queryset is None:
+ queryset = Document.objects
+
+ # filter by document type
+ res_type = get_object_or_404(DocumentType, name=document_type)
+ queryset = queryset.filter(document_type=res_type)
+
+ # Nothing to do.
+ if not kwargs:
+ return queryset
+
+ # now do the respective filtering on the document indices and get
+ # a list of document ids that match
+ # XXX not sure if this is safe, need to check what happens if database
+ # XXX gets changed while evaluating the request (e.g. table row gets
+ # XXX deleted during request == ids of rows change??)
+ indices_queryset = DocumentIndex.objects.get_filtered_queryset(
+ document_type=document_type, queryset=None, negate=negate,
+ **kwargs)
+
+ # XXX TODO this does not cover the case of multiple indices for one
+ # XXX TODO single document yet!
+ document_indices = [doc_ind.document.id
+ for doc_ind in indices_queryset]
+
+ # now restrict document query to respective document ids
+ queryset = queryset.filter(id__in=document_indices)
+
+ return queryset
+
 def delete_document(self, document_type, name, user):
 """
 For convenience reasons, offer that method here, including
From 7a935b07c9ee6296c018609e5044e0b51d5dc605 Mon Sep 17 00:00:00 2001
From: Tobias Megies
Date: Wed, 6 Sep 2017 10:53:32 +0200
Subject: [PATCH 2/2] use permission filtering for /rest/documents for privat events (not tested so far)
---
 src/jane/quakeml/plugins.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/jane/quakeml/plugins.py b/src/jane/quakeml/plugins.py
index 4a4d95e..1090cab 100644
--- a/src/jane/quakeml/plugins.py
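Review bot: The id list built by `[doc_ind.document.id for doc_ind in indices_queryset]` admits a document as soon as any one of its indices matches, so when this method backs a permission filter, a document with one public and one non-public index is returned in full. That is the multi-index case the XXX TODO defers, and it fails open; for access control I would rather exclude every document that has an index failing the filter until that case is handled. The comprehension also appears to fetch each related Document only to read its key, and then sends the ids back as a literal list. Assuming `document` is a ForeignKey, `queryset = queryset.filter(id__in=indices_queryset.values('document_id'))` keeps the lookup in one SQL statement and narrows the window the earlier XXX comment worries about.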
+++ b/src/jane/quakeml/plugins.py
@@ -70,8 +70,9 @@ def filter_queryset_user_does_not_have_permission(self, queryset,
 model_type, user):
 # model_type can be document or document index.
 if model_type == "document":
- # XXX: Find a good way to do this.
- pass
+ queryset = queryset.model.objects.get_filtered_queryset(
+ document_type="quakeml",
+ queryset=queryset, public=True)
 elif model_type == "index":
 # Modify the queryset to only contain indices that are public.
 # Events that have null for public are considered to be private
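Review bot: The new `document` branch carries no comment saying what `public=True` does with events whose `public` is null, while the `index` branch below states that null means private; if the two branches disagree, /rest/documents and the index endpoint will expose different sets of events. Whether the JSON filter excludes null is decided inside `DocumentIndex.objects.get_filtered_queryset`, which is not visible in this hunk, so I would add `# Keep only documents with an index where public is true; null or false stay hidden, as in the index branch.` above the call. The commit message says this path is untested, so it needs a test that requests documents as a user without the permission and covers public true, false and null, plus a document with mixed indices. The function body continues beyond the hunk.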