915793 - Rocketfuel collections API should filter on permissions

Status: RESOLVED FIXED

(Marketplace Graveyard :: API, defect, P2)

Description

[Matt Basta [:basta]]

- Non-app publishers and non-curators should not be able see hidden collections. Accessing /collection/<id> and /collections/ should not show the hidden collections.
- Curators that are not app publishers should not be able to see collections that they are not the curator of. Accessing /collections/ should not show the collections that the curators cannot see, and accessing /collection/<id> should only show the collection iff the collection at that URI is not hidden.

The second restriction should only apply to the /collections/ API.
The first restriction should apply to both /collections/ and /collection/<id|slug>

Comment 1

[Matt Basta [:basta]]

This is pretty important. We'll need it before we can give rocketfuel access to carriers.

Comment 2

[Chuck Harmston [:chuck]]

Landed: https://github.com/mozilla/zamboni/compare/9834de9e1f0d...fb58f11ddd03

STR: Create a collection that is not public, but has a person without the Collections:Curate permission marked as a curator.

- When logged in as a user with the Collections:Curate permission, that collection should be visible in the Curation Tool.
- When logged in as the user marked as the curator, the collection should be visible in the Curation Tool.
- When logged in as a user without Collections:Curate and not marked as the curator, that collection should not be visible in the Curation Tool.
- When not logged in, the collection should not be visible in the Curation Tool.