From 5619afe5d13fc62efe9008609662ad3581b70d53 Mon Sep 17 00:00:00 2001
From: wlorenzetti
Date: Mon, 24 Feb 2025 15:13:26 +0100
Subject: [PATCH] Add acl check for layers for qploty
---
 g3w-admin/qplotly/receivers.py | 5 +++++
 g3w-admin/qplotly/tests/test_api.py | 29 ++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/g3w-admin/qplotly/receivers.py b/g3w-admin/qplotly/receivers.py
index 0df03c027..949fdbfe4 100644
--- a/g3w-admin/qplotly/receivers.py
+++ b/g3w-admin/qplotly/receivers.py
@@ -135,6 +135,11 @@ def set_initconfig_value(sender, **kwargs):
 layers = project.layer_set.all()
 for layer in layers:
+
+ # Add check ACL for user
+ if not hasattr(sender, 'request') or not sender.request.user.has_perm('view_layer', layer):
+ continue
+
 qplotly_widgets = layer.qplotlywidget_set.all()
 for qplotly_widget in qplotly_widgets:
diff --git a/g3w-admin/qplotly/tests/test_api.py b/g3w-admin/qplotly/tests/test_api.py
index f17621b8b..4c9512488 100644
--- a/g3w-admin/qplotly/tests/test_api.py
+++ b/g3w-admin/qplotly/tests/test_api.py
@@ -23,7 +23,7 @@ GeoConstraint, \
 GeoConstraintRule
 from rest_framework.test import APIClient
-from guardian.shortcuts import assign_perm
+from guardian.shortcuts import assign_perm, remove_perm
 from qplotly.utils import get_qplotlywidget_for_project
 from qplotly.models import QplotlyWidget
 from qplotly.utils.models import get_qplotlywidgets4layer
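Review bot: In `set_initconfig_value` (receivers.py) the added guard re-evaluates `hasattr(sender, 'request')` for every layer although it cannot change inside the loop, and nothing documents that a sender without a request now yields no plots at all (deny by default). Resolving the user once before the loop, e.g. `user = getattr(getattr(sender, 'request', None), 'user', None)`, and then testing `if user is None or not user.has_perm('view_layer', layer): continue` makes the same decisions for the cases the current line handles and states the fail-closed intent; a comment such as `# No request/user on sender: expose no widgets` would help the next reader. This filter only controls what the init config advertises; the hunk does not show whether the trace endpoint exercised by `test_trace_api` enforces the same `view_layer` permission, which is worth confirming. The function body starts and ends outside the hunk.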
@@ -173,6 +173,33 @@ def test_initconfig_plugin_start(self):
 self.assertTrue('layout' in plugin_plot['plot'])
 self.assertEqual(plugin_plot['plot']['layout']['title'], {'text': ''})
+ # Test for users wit not permisions
+ # ---------------------------------
+ assign_perm('view_project', self.test_viewer1, self.project.instance)
+
+ response = self._testApiCall('group-map-config',
+ args=[self.project_group.slug, 'qdjango', self.project.instance.pk],
+ username=self.test_viewer1.username)
+
+ jcontent = json.loads(response.content)
+
+ self.assertEqual(plugin['plots'][0]['qgs_layer_id'], 'countries_d53dfb9a_98e1_4196_a601_eed9a33f47c3')
+
+
+ # Remove permisssion to layer for viewer1 user
+ layer = self.project.instance.layer_set.get(qgs_layer_id='countries_d53dfb9a_98e1_4196_a601_eed9a33f47c3')
+
+ remove_perm('view_layer', self.test_viewer1, layer)
+
+ response = self._testApiCall('group-map-config',
+ args=[self.project_group.slug, 'qdjango', self.project.instance.pk],
+ username=self.test_viewer1.username)
+
+ jcontent = json.loads(response.content)
+
+ self.assertFalse('qplotly' in jcontent['plugins'])
+
+
 def test_trace_api(self):
 """/qplotly/api/trace API"""
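Review bot: The first new assertion in `test_initconfig_plugin_start`, `self.assertEqual(plugin['plots'][0]['qgs_layer_id'], ...)`, reads `plugin`, which is not reassigned anywhere in the added lines, so it appears to re-check the value parsed from the earlier response rather than the `jcontent` just fetched for `test_viewer1`. As written, the permitted-viewer case is not verified, and the test would still pass if the new ACL filter wrongly hid the plot from a user who holds `view_layer`. Rebind `plugin` from the new `jcontent` before asserting, using the same lookup the earlier part of the test uses (outside this hunk), and consider asserting the response status for both calls. The test method begins outside the hunk.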