Merge pull request #1226 from codalab/admin_private_comp

Admins can now access private comp without secret_key
codalab · Nov 15, 2023 · ab17fbc · ab17fbc
2 parents e38b1e3 + 6a84ff3
commit ab17fbc
Showing 1 changed file with 26 additions and 24 deletions.
diff --git a/src/apps/api/views/competitions.py b/src/apps/api/views/competitions.py
@@ -112,32 +112,34 @@ def get_queryset(self):
             # not called from search bar
             # not called with a valid secret key
             if (not mine) and (not participating_in) and (not secret_key) and (not search_query):
-
-                # Return the following ---
-                # All competitions which belongs to you (private or public)
-                # And competitions where you are admin
-                # And public competitions
-                # And competitions where you are approved participant
-                # this filters out all private compettions from other users
-                base_qs = qs.filter(
-                    (Q(created_by=self.request.user)) |
-                    (Q(collaborators__in=[self.request.user])) |
-                    (Q(published=True) & ~Q(created_by=self.request.user)) |
-                    (Q(participants__user=self.request.user) & Q(participants__status="approved"))
-                )
-
-                # Additional condition of action
-                # allow private competition when action is register and has valid secret key
-                if self.request.method == 'POST' and self.action == 'register':
-                    # get secret_key from request data
-                    register_secret_key = self.request.data.get('secret_key', None)
-                    # use secret key if available
-                    if register_secret_key:
-                        qs = base_qs | qs.filter(Q(secret_key=register_secret_key))
+                # If authenticated user is not super user
+                if not self.request.user.is_superuser:
+                    # Return the following ---
+                    # All competitions which belongs to you (private or public)
+                    # And competitions where you are admin
+                    # And public competitions
+                    # And competitions where you are approved participant
+                    # this filters out all private compettions from other users
+                    base_qs = qs.filter(
+                        (Q(created_by=self.request.user)) |
+                        (Q(collaborators__in=[self.request.user])) |
+                        (Q(published=True) & ~Q(created_by=self.request.user)) |
+                        (Q(participants__user=self.request.user) & Q(participants__status="approved"))
+                    )
+
+                    # Additional condition of action
+                    # allow private competition when action is register and has valid secret key
+                    if self.request.method == 'POST' and self.action == 'register':
+                        # get secret_key from request data
+                        register_secret_key = self.request.data.get('secret_key', None)
+                        # use secret key if available
+                        if register_secret_key:
+                            qs = base_qs | qs.filter(Q(secret_key=register_secret_key))
+                        else:
+                            qs = base_qs
                     else:
                         qs = base_qs
-                else:
-                    qs = base_qs
+
                 # select distinct competitions
                 qs = qs.distinct()