3 files changed, 197 insertions, 5 deletions

diff --git a/archaeological_finds/models_finds.py b/archaeological_finds/models_finds.py
index 9ba25cc83..ece7d08b8 100644
--- a/archaeological_finds/models_finds.py
+++ b/archaeological_finds/models_finds.py
@@ -37,6 +37,7 @@ from ishtar_common.utils import (
     m2m_historization_changed,
     pgettext_lazy,
     post_save_geo,
+    SearchAltName,
     ugettext_lazy as _
 )
 
@@ -67,7 +68,6 @@ from ishtar_common.models import (
     Person,
     post_save_cache,
     QuickAction,
-    SearchAltName,
     SearchVectorConfig,
     ValueGetter,
 )
@@ -2006,6 +2006,12 @@ class Find(
         "excavation_ids",
         "weight_string",
     ]
+    UPPER_PERMISSIONS = [
+        (Operation, "base_finds__context_record__operation_id"),
+        (ContextRecord, "base_finds__context_record_id"),
+        (("archaeological_warehouse", "Warehouse"), "container__location_id"),
+        (("archaeological_warehouse", "Warehouse"), "container_ref__responsibility_id"),
+    ]
     SHEET_ALTERNATIVES = [("museum", "museum_find")]
     objects = UUIDModelManager()
 
@@ -2991,6 +2997,10 @@ class Find(
         return new
 
     @classmethod
+    def get_limit_to_area_query(cls, town_ids):
+        return Q(base_finds__context_record__operation__towns__pk__in=town_ids)
+
+    @classmethod
     def _get_query_owns(cls, ishtaruser, prefix=""):
         q = (
             cls._construct_query_own(
diff --git a/archaeological_finds/models_treatments.py b/archaeological_finds/models_treatments.py
index 5ba50728b..45dc26c16 100644
--- a/archaeological_finds/models_treatments.py
+++ b/archaeological_finds/models_treatments.py
@@ -49,7 +49,6 @@ from ishtar_common.models import (
     document_attached_changed,
     MainItem,
     HistoryModel,
-    SearchAltName,
     SearchVectorConfig,
     DocumentItem,
 )
@@ -57,8 +56,9 @@ from ishtar_common.models_common import CompleteIdentifierItem, HistoricalRecord
 from ishtar_common.utils import (
     cached_label_changed,
     get_current_year,
-    update_data,
     m2m_historization_changed,
+    SearchAltName,
+    update_data,
 )
 
 
@@ -91,6 +91,7 @@ class TreatmentState(GeneralType):
                 'available': True})
         return treat_state
 
+
 post_save.connect(post_save_cache, sender=TreatmentState)
 post_delete.connect(post_save_cache, sender=TreatmentState)
 
diff --git a/archaeological_finds/tests.py b/archaeological_finds/tests.py
index 5df18cf64..e0532effc 100644
--- a/archaeological_finds/tests.py
+++ b/archaeological_finds/tests.py
@@ -95,7 +95,7 @@ from ishtar_common.tests import (
     SearchText,
 )
 from archaeological_operations.tests import ImportTest, create_operation, \
-                                            create_administrativact
+                                            create_administrativact, TestPermissionRequest
 from archaeological_context_records.tests import ContextRecordInit
 
 from archaeological_operations.serializers import operation_serialization
@@ -1918,11 +1918,12 @@ class FindAutocompleteTest(FindInit, TestCase):
         self.assertEqual(res[2]["id"], find4.pk)  # 12 - contains
 
 
-class FindPermissionTest(FindInit, TestCase):
+class FindOldPermissionTest(FindInit, TestCase):
     fixtures = FIND_FIXTURES
     model = models.Find
 
     def setUp(self):
+        print("Theses tests should fail on v5")
         profile_type = ProfileType.objects.create(
             label="xxCollaborateur",
             txt_idx="xxcollaborator",
@@ -2021,6 +2022,186 @@ class FindPermissionTest(FindInit, TestCase):
         self.assertEqual(json.loads(content)["recordsTotal"], 1)
 
 
+class FindPermissionTest(FindInit, TestPermissionRequest, TestCase):
+    fixtures = FIND_FIXTURES
+    model = models.Find
+
+    def setUp(self):
+        self.setup_permission_requests(
+            "find",
+            "find",
+            permissions=["view_own_find", "change_own_find"],
+            perm_requests=['id="new-*"', 'excavator="{USER}"']
+        )
+
+        self.users = {}
+        username, password, user = create_superuser()
+        self.users["superuser"] = (username, password, user)
+
+        upstream_username, upstream_password, upstream_user = create_user(
+            username="up", password="up"
+        )
+        UserProfile.objects.create(
+            profile_type=self.profile_types["find_upstream"],
+            person=upstream_user.ishtaruser.person,
+            current=True,
+        )
+        self.users["upstream"] = (upstream_username, upstream_password, upstream_user)
+
+        # nosec: hard coded password for test purposes
+        areas_username, areas_password, areas_user = create_user(  # nosec
+            username="luke", password="iamyourfather"
+        )
+        profile = UserProfile.objects.create(
+            profile_type=self.profile_types["find_areas"],
+            person=areas_user.ishtaruser.person,
+            current=True,
+        )
+        self.users["areas"] = (
+            areas_username, areas_password, areas_user
+        )
+
+        town = Town.objects.create(name="Tatouine", numero_insee="66000")
+        area = Area.objects.create(label="Galaxie", txt_idx="galaxie")
+        area.towns.add(town)
+        profile.areas.add(area)
+
+        self.orgas = self.create_orgas(user)
+        self.create_operation(user, self.orgas[0])
+        self.create_operation(areas_user, self.orgas[0])
+
+        self.create_context_record(
+            user=user, data={"label": "CR 1", "operation": self.operations[0]}
+        )
+        self.create_context_record(
+            user=areas_user, data={"label": "CR 2", "operation": self.operations[1]}
+        )
+        self.cr_1 = self.context_records[-2]
+        self.cr_2 = self.context_records[-1]
+
+        self.create_finds(
+            data_base={"context_record": self.cr_1}, user=user, force=True
+        )
+        self.create_finds(
+            data_base={"context_record": self.cr_2}, user=areas_user, force=True
+        )
+
+        self.find_1 = self.finds[-2]
+        self.find_2 = self.finds[-1]
+        self.operations[-1].towns.add(town)
+
+        self.operations[-1].context_record.all()[0].ishtar_users.add(
+            upstream_user.ishtaruser
+        )
+
+        associated_username, associated_password, associated_user = create_user(
+            username="as", password="as"
+        )
+        UserProfile.objects.create(
+            profile_type=self.profile_types["find_associated_items"],
+            person=associated_user.ishtaruser.person,
+            current=True,
+        )
+        self.users["associated"] = (
+            associated_username, associated_password, associated_user
+        )
+
+        # read permission
+        self.basket = models.FindBasket.objects.create(
+            label="My basket",
+            user=IshtarUser.objects.get(pk=user.pk),
+        )
+        self.basket.items.add(self.find_1)
+        self.basket.shared_with.add(associated_user.ishtaruser)
+
+        upstream_user.ishtaruser.generate_permission()
+        areas_user.ishtaruser.generate_permission()
+        associated_user.ishtaruser.generate_permission()
+
+    def test_own_search(self):
+        # no result when no authentification
+        c = Client()
+        response = c.get(reverse("get-find"))
+        self.assertTrue(not response.content or not json.loads(response.content))
+
+        url = reverse("get-find")
+
+        # possession of associated operation
+        # only one "own" context record available
+        self._test_search(
+            url,
+            'possession',
+            self.users["upstream"],
+            1
+        )
+
+        # area filter
+        # only one "own" operation available
+        self._test_search(
+            url,
+            'areas filter',
+            self.users["areas"],
+            1
+        )
+
+        # filter associated by basket
+        self._test_search(
+            url,
+            'associated basket filter',
+            self.users["associated"],
+            1
+        )
+
+    def test_own_modify(self):
+        # no result when no authentification
+        c = Client()
+        response = c.get(reverse("find_modify", args=[self.cr_2.pk]))
+        self.assertRedirects(response, "/")
+
+        modif_url = "/find_modification/find-find_modification"
+
+        # upstream
+        c = Client()
+        upstream_username, upstream_password, upstream_user = self.users["upstream"]
+        c.login(username=upstream_username, password=upstream_password)
+        response = c.get(reverse("find_modify", args=[self.find_2.pk]), follow=True)
+        self.assertRedirects(response, modif_url)
+        response = c.get(modif_url)
+
+        self.assertEqual(response.status_code, 200)
+        response = c.get(reverse("find_modify", args=[self.find_1.pk]), follow=True)
+        self.assertRedirects(response, "/")
+
+        # area filter
+        c = Client()
+        areas_username, areas_password, areas_user = self.users["areas"]
+        c.login(username=areas_username, password=areas_password)
+        response = c.get(reverse("find_modify", args=[self.find_2.pk]), follow=True)
+        self.assertRedirects(response, modif_url)
+        response = c.get(modif_url)
+        self.assertEqual(response.status_code, 200)
+        response = c.get(reverse("find_modify", args=[self.find_1.pk]), follow=True)
+        self.assertRedirects(response, "/")
+
+        # basket filter
+        c = Client()
+        basket_username, basket_password, basket_user = self.users["associated"]
+        c.login(username=basket_username, password=basket_password)
+        response = c.get(reverse("find_modify", args=[self.find_1.pk]), follow=True)
+        self.assertRedirects(response, "/")
+
+        self.basket.shared_write_with.add(basket_user.ishtaruser)
+        basket_user.ishtaruser.generate_permission()
+
+        response = c.get(reverse("find_modify", args=[self.find_1.pk]), follow=True)
+        self.assertRedirects(response, modif_url)
+        response = c.get(modif_url)
+        self.assertEqual(response.status_code, 200)
+
+        response = c.get(reverse("find_modify", args=[self.find_2.pk]), follow=True)
+        self.assertRedirects(response, "/")
+
+
 class FindQATest(FindInit, TestCase):
     fixtures = WAREHOUSE_FIXTURES
     model = models.Find