From 6a84ff3f8e31014ca1e498d9e3fad607f0603048 Mon Sep 17 00:00:00 2001
From: Ihsan Ullah
Date: Mon, 13 Nov 2023 17:47:58 +0500
Subject: [PATCH] super users can access private competitions without secret key and can edit them
---
 src/apps/api/views/competitions.py | 50 ++++++++++++++++--------------
 1 file changed, 26 insertions(+), 24 deletions(-)
diff --git a/src/apps/api/views/competitions.py b/src/apps/api/views/competitions.py
index fa34b4d55..f5193b8b6 100644
--- a/src/apps/api/views/competitions.py
+++ b/src/apps/api/views/competitions.py
@@ -112,32 +112,34 @@ def get_queryset(self):
 # not called from search bar
 # not called with a valid secret key
 if (not mine) and (not participating_in) and (not secret_key) and (not search_query):
-
- # Return the following ---
- # All competitions which belongs to you (private or public)
- # And competitions where you are admin
- # And public competitions
- # And competitions where you are approved participant
- # this filters out all private compettions from other users
- base_qs = qs.filter(
- (Q(created_by=self.request.user)) |
- (Q(collaborators__in=[self.request.user])) |
- (Q(published=True) & ~Q(created_by=self.request.user)) |
- (Q(participants__user=self.request.user) & Q(participants__status="approved"))
- )
-
- # Additional condition of action
- # allow private competition when action is register and has valid secret key
- if self.request.method == 'POST' and self.action == 'register':
- # get secret_key from request data
- register_secret_key = self.request.data.get('secret_key', None)
- # use secret key if available
- if register_secret_key:
- qs = base_qs | qs.filter(Q(secret_key=register_secret_key))
+ # If authenticated user is not super user
+ if not self.request.user.is_superuser:
+ # Return the following ---
+ # All competitions which belongs to you (private or public)
+ # And competitions where you are admin
+ # And public competitions
+ # And competitions where you are approved participant
+ # this filters out all private compettions from other users
+ base_qs = qs.filter(
+ (Q(created_by=self.request.user)) |
+ (Q(collaborators__in=[self.request.user])) |
+ (Q(published=True) & ~Q(created_by=self.request.user)) |
+ (Q(participants__user=self.request.user) & Q(participants__status="approved"))
+ )
+
+ # Additional condition of action
+ # allow private competition when action is register and has valid secret key
+ if self.request.method == 'POST' and self.action == 'register':
+ # get secret_key from request data
+ register_secret_key = self.request.data.get('secret_key', None)
+ # use secret key if available
+ if register_secret_key:
+ qs = base_qs | qs.filter(Q(secret_key=register_secret_key))
+ else:
+ qs = base_qs
 else:
 qs = base_qs
- else:
- qs = base_qs
+
 # select distinct competitions
 qs = qs.distinct()
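Review bot: The superuser case introduced by the new `if not self.request.user.is_superuser:` line has no branch of its own, so `qs` is left as the unfiltered queryset implicitly; that is the intended effect, but nothing in the code says so, and a reader scanning the visibility rules listed in the comments above `base_qs` could easily conclude superusers get the same filtering. Either an explicit `else:` branch carrying a comment, or a comment just before the `if`, such as `# superusers bypass the visibility filter and see every competition, published or private, without a secret key`, would make the widened access visible at the point where it is granted. The commit title also says superusers "can edit" private competitions, but this hunk only changes what `get_queryset` returns; whether update/destroy is actually authorised for them depends on the viewset's permission classes, which are outside the hunk and should be confirmed separately. Since Django's `AnonymousUser.is_superuser` is False, unauthenticated callers still fall into the filtered branch, so the change does not widen access for them. `get_queryset` begins before this hunk and its remainder lies after it.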