API V3: Only return notifications for a given organization (#11112)

API V3: Only return notifications for given organization

---------

Co-authored-by: Santos Gallegos <[email protected]>

Author: saadmk11

readthedocs/api/v3/tests/test_organizations.py

@@ -1,7 +1,11 @@
+import django_dynamic_fixture as fixture
+from django.contrib.contenttypes.models import ContentType
 from django.test import override_settings
 from django.urls import reverse
 from django.urls.exceptions import NoReverseMatch
 
+from readthedocs.notifications.models import Notification
+from readthedocs.organizations.models import Organization
 from readthedocs.subscriptions.constants import TYPE_CONCURRENT_BUILDS
 from readthedocs.subscriptions.products import RTDProductFeature
 
@@ -51,6 +55,38 @@ def test_organizations_notifications_list(self):
             self._get_response_dict("organizations-notifications-list"),
         )
 
+    def test_organizations_notifications_list_only_given_organization(self):
+        url = reverse(
+            "organizations-notifications-list",
+            kwargs={
+                "parent_lookup_organization__slug": self.organization.slug,
+            },
+        )
+        other_organization = fixture.get(
+            Organization,
+            pub_date=self.created,
+            modified_date=self.modified,
+            name="other_organization",
+            slug="other_organization",
+            owners=[self.me],
+        )
+
+        fixture.get(
+            Notification,
+            attached_to_content_type=ContentType.objects.get_for_model(
+                other_organization
+            ),
+            attached_to_id=other_organization.pk,
+        )
+
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 200)
+        self.assertDictEqual(
+            response.json(),
+            self._get_response_dict("organizations-notifications-list"),
+        )
+
     def test_organizations_notifications_list_other_user(self):
         url = reverse(
             "organizations-notifications-list",
@@ -103,6 +139,28 @@ def test_organizations_notifications_detail(self):
             self._get_response_dict("organizations-notifications-detail"),
         )
 
+    def test_organizations_notifications_detail_other_organization(self):
+        other_organization = fixture.get(
+            Organization,
+            pub_date=self.created,
+            modified_date=self.modified,
+            name="new_org",
+            slug="new_org",
+            owners=[self.me],
+        )
+
+        url = reverse(
+            "organizations-notifications-detail",
+            kwargs={
+                "parent_lookup_organization__slug": other_organization.slug,
+                "notification_pk": self.notification_organization.pk,
+            },
+        )
+
+        self.client.credentials(HTTP_AUTHORIZATION=f"Token {self.token.key}")
+        response = self.client.get(url)
+        self.assertEqual(response.status_code, 404)
+
     def test_organizations_notifications_detail_other(self):
         url = reverse(
             "organizations-notifications-detail",

readthedocs/api/v3/views.py

@@ -24,7 +24,6 @@
 from rest_framework_extensions.mixins import NestedViewSetMixin
 
 from readthedocs.builds.models import Build, Version
-from readthedocs.core.permissions import AdminPermission
 from readthedocs.core.utils import trigger_build
 from readthedocs.core.utils.extend import SettingsOverrideObject
 from readthedocs.notifications.models import Notification
@@ -679,10 +678,5 @@ class NotificationsOrganizationViewSet(
     permission_classes = [IsAuthenticated & IsOrganizationAdmin]
 
     def get_queryset(self):
-        content_type = ContentType.objects.get_for_model(Organization)
-        return self.queryset.filter(
-            attached_to_content_type=content_type,
-            attached_to_id__in=AdminPermission.organizations(
-                self.request.user, owner=True, member=False
-            ).values("id"),
-        )
+        organization = self._get_parent_organization()
+        return organization.notifications.all()