From 98a48497c59a44bd85cef8c59876a6326fc697cf Mon Sep 17 00:00:00 2001
From: Terje Kvernes
Date: Mon, 25 Nov 2024 12:03:40 +0100
Subject: [PATCH] Resolve issue with UserInfo crashing on permissions.

- JSON-ifying network addresses caused an exception. Casting it to str works.
- Also fixes permission logic for the UserInfo endpoint.
- Added testing of said endpoint with permissions.
---
 mreg/api/v1/tests/tests.py | 23 ++++++++++++++++++++++-
 mreg/api/views.py | 4 ++--
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/mreg/api/v1/tests/tests.py b/mreg/api/v1/tests/tests.py
index c9024a2b..452f0b64 100644
--- a/mreg/api/v1/tests/tests.py
+++ b/mreg/api/v1/tests/tests.py
@@ -11,7 +11,7 @@
 from rest_framework.test import APIClient, APITestCase
 from mreg.models.base import ExpiringToken
-from mreg.models.network import Network
+from mreg.models.network import Network, NetGroupRegexPermission
 from mreg.models.host import Host, Ipaddress, PtrOverride
 from mreg.models.zone import ForwardZone, ReverseZone
 from mreg.models.resource_records import Txt
@@ -316,6 +316,27 @@ def test_meta_user_info_admin_other_target_200_ok(self):
 response = self.assert_get("/api/meta/user?username=superuser")
 self.assertTrue('username' in response.data)
+ def test_meta_user_info_admin_other_target_with_permissions_200_ok(self):
+ groupname = 'permission_group_testing'
+ username = 'permission_user_testing'
+ user, _ = get_user_model().objects.get_or_create(username=username, password='test')
+ group, _ = Group.objects.get_or_create(name=groupname)
+ user.groups.add(group)
+ permission, _ = NetGroupRegexPermission.objects.get_or_create(
+ group=group, range="10.0.0.0/24", regex='.*\\.example\\.org')
+
+ response = self.assert_get(f"/api/meta/user?username={username}")
+ self.assertTrue('username' in response.data)
+ self.assertTrue('permissions' in response.data)
+ self.assertEqual(len(response.data['permissions']), 1)
+ self.assertEqual(response.data['permissions'][0]['group'], groupname)
+ self.assertEqual(response.data['permissions'][0]['range'], "10.0.0.0/24")
+ self.assertEqual(response.data['permissions'][0]['regex'], '.*\\.example\\.org')
+
+ permission.delete()
+ group.delete()
+ user.delete()
+
 def test_meta_user_info_user_other_target_403_forbidden(self):
 self.client = self.get_token_client(superuser=False)
 self.assert_get_and_403("/api/meta/user?username=superuser")
diff --git a/mreg/api/views.py b/mreg/api/views.py
index 81290a38..87311109 100644
--- a/mreg/api/views.py
+++ b/mreg/api/views.py
@@ -118,7 +118,7 @@ def get(self, request: Request):
 if username and username != user.username:
 # Only allow access to other user data if the requester is an mreg superuser
- if not req_is_mreg_superuser or req_is_mreg_admin or req_is_mreg_group_admin or req_is_mreg_network_admin:
+ if not (req_is_mreg_superuser or req_is_mreg_admin or req_is_mreg_group_admin or req_is_mreg_network_admin):
 raise PermissionDenied("You do not have permission to view other users' details.")
 try:
 target_user = User.objects.get(username=username)
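Review bot: In `test_meta_user_info_admin_other_target_with_permissions_200_ok` in `tests.py`, `get_or_create(username=username, password='test')` uses the password both as a lookup key and as the stored value, so the fixture row holds the literal string rather than a hash. If the user model's manager provides it, `get_user_model().objects.create_user(username=username)` builds the fixture the way real accounts are created. The trailing `permission.delete()`, `group.delete()` and `user.delete()` are skipped whenever an assertion above them fails. If the test class rolls back per test (likely for an APITestCase, but the class is not visible in this hunk) they can be dropped; otherwise register them with `self.addCleanup(...)` right after creation.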
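Review bot: In the `views.py` hunk, the comment above the corrected condition in `get` still says only an mreg superuser may read other users' data, while the new check `not (req_is_mreg_superuser or req_is_mreg_admin or req_is_mreg_group_admin or req_is_mreg_network_admin)` admits four roles. If that scope is intended, update the comment, e.g. `# Only superusers, admins, group admins and network admins may view other users' details`; if it is not, the condition should test `req_is_mreg_superuser` alone. The added test exercises a single requester, so one test per permitted role alongside the existing 403 case would pin the authorization boundary. The body of `get` starts and ends outside the hunk.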
@@ -159,7 +159,7 @@ def get(self, request: Request):
 "permissions": [
 {
 "group": permission.group,
- "range": permission.range,
+ "range": str(permission.range),
 "regex": permission.regex,
 "labels": [label.name for label in permission.labels.all()],
 }
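Review bot: The `str(permission.range)` cast in the `permissions` list has no comment saying why it is needed, so a later cleanup could remove it and bring back the serialization exception the commit message describes. A short comment on that line, such as `# range is a network object, not JSON-serializable; emit its string form`, keeps the reason next to the code (the field's type is inferred from the commit message, not visible here). The enclosing dict and `get` continue outside the hunk.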