From 85b18ecbfe9effef952c76d5202fee8e3f72e646 Mon Sep 17 00:00:00 2001
From: Lucas Brandstaetter <lucas@brandstaetter.tech>
Date: Thu, 5 Dec 2024 00:34:28 +0100
Subject: [PATCH] Fix rights to badges from non public assemblies

Badges from non-public assemblies should not be accessible to users who
are not part of the assembly.
---
 src/core/models/badges.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/core/models/badges.py b/src/core/models/badges.py
index 1417a2d3a..f9e62844f 100644
--- a/src/core/models/badges.py
+++ b/src/core/models/badges.py
@@ -67,18 +67,20 @@ def get_badge_filename(instance: 'Badge', filename: str):
 class BadgeManager(ConferenceManagerMixin['Badge']):
     def apply_public_filter(self, queryset: 'QuerySet[Badge]', member: ConferenceMember | None = None) -> 'QuerySet[Badge]':
         if member is None:
-            return queryset.filter(state=Badge.State.PUBLIC)
-        return queryset.filter(Q(state=Badge.State.PUBLIC) | Q(users__user=member.user))
+            return queryset.filter(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES)
+        return queryset.filter(Q(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES) | Q(users__user=member.user))
 
     def accessible_by_user(self, user: PlatformUser, conference: Conference, staff_can_manage=True) -> 'QuerySet[Badge]':
         if user is None or not user.is_authenticated:
             user = PlatformUser.get_anonymous_user()
         qs = self.get_queryset()
         if not user.is_authenticated:
-            return qs.filter(state=Badge.State.PUBLIC)
+            return qs.filter(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES)
 
         manageable = Assembly.objects.manageable_by_user(conference, user=user, staff_can_manage=staff_can_manage)
-        return qs.filter(Q(state=Badge.State.PUBLIC) | Q(users__user=user) | Q(issuing_assembly__in=manageable))
+        return qs.filter(
+            Q(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES) | Q(users__user=user) | Q(issuing_assembly__in=manageable)
+        )
 
 
 def get_badge_image_help_text() -> str:
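Review bot: The visibility predicate `Q(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES)` is now spelled out four times across `apply_public_filter` and `accessible_by_user`, so a later change to what counts as public can be applied to one branch and missed in another, which is how this kind of access-control gap tends to reappear. I would define it once on the manager, `@staticmethod` / `def _public_q() -> Q:` / `return Q(state=Badge.State.PUBLIC, issuing_assembly__state__in=Assembly.PUBLIC_STATES)`, and use `self._public_q()` in all four filters. The diffstat lists only `src/core/models/badges.py`, so the fix ships without a regression test; one that creates a PUBLIC badge under an assembly outside `Assembly.PUBLIC_STATES` and asserts it is hidden from anonymous users and non-members but still visible to its holders and the assembly's managers would pin the intended behaviour. If `issuing_assembly` is nullable (the field definition is not in this hunk), badges without an assembly are now excluded from the public branch as well, which should be confirmed as intended.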
-- 
GitLab