Filter courses based on orgs for user (#2657)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

Author: cp-at-mit

courses/views/v2/__init__.py

@@ -73,16 +73,21 @@ class CourseFilterSet(django_filters.FilterSet):
 
     def filter_queryset(self, queryset):
         request = self.request
-        user = request.user if request else None
+        user = getattr(request, "user", None)
         org_id = request.query_params.get("org_id") if request else None
 
-        if not user or user.is_anonymous:
-            queryset = queryset.filter(courseruns__b2b_contract__isnull=True)
-        elif org_id:
-            queryset = queryset.filter(
-                courseruns__b2b_contract__organization__id=org_id,
-                courseruns__b2b_contract__active=True,
-            )
+        if org_id:
+            if (
+                user
+                and user.is_authenticated
+                and user.b2b_organizations.filter(id=org_id).exists()
+            ):
+                queryset = queryset.filter(
+                    courseruns__b2b_contract__organization_id=org_id,
+                    courseruns__b2b_contract__active=True,
+                )
+            else:
+                return queryset.none()
         else:
             queryset = queryset.filter(courseruns__b2b_contract__isnull=True)
 

courses/views/v2/views_test.py

@@ -12,6 +12,7 @@
 from django.urls import reverse
 from rest_framework import status
 from rest_framework.request import Request
+from rest_framework.test import APIClient
 
 from b2b.api import create_contract_run
 from b2b.factories import ContractPageFactory, OrganizationPageFactory
@@ -29,6 +30,7 @@
 )
 from courses.views.v2 import CourseFilterSet, Pagination
 from main.test_utils import assert_drf_json_equal, duplicate_queries_check
+from users.factories import UserFactory
 
 pytestmark = [pytest.mark.django_db, pytest.mark.usefixtures("raise_nplusone")]
 
@@ -259,23 +261,50 @@ def test_get_course(
 
 
 @pytest.mark.django_db
-def test_filter_with_org_id_returns_contracted_course(user_drf_client):
+def test_filter_with_org_id_returns_contracted_course():
     org = OrganizationPageFactory(name="Test Org")
     contract = ContractPageFactory(organization=org, active=True)
+    user = UserFactory()
+    user.b2b_contracts.add(contract)
     course = CourseFactory(title="Contracted Course")
     create_contract_run(contract, course)
 
+    client = APIClient()
+    client.force_authenticate(user=user)
+
     unrelated_course = Course.objects.create(title="Other Course")
     CourseRunFactory(course=unrelated_course)
 
     url = reverse("v2:courses_api-list")
-    response = user_drf_client.get(url, {"org_id": org.id})
+    response = client.get(url, {"org_id": org.id})
 
     titles = [result["title"] for result in response.data["results"]]
     assert course.title in titles
     assert unrelated_course.title not in titles
 
 
+@pytest.mark.django_db
+def test_filter_with_org_id_user_not_associated_with_org_returns_no_courses():
+    org = OrganizationPageFactory(name="Test Org")
+    user = UserFactory()
+    contract = ContractPageFactory(organization=org, active=True)
+    course = CourseFactory(title="Contracted Course")
+    create_contract_run(contract, course)
+
+    client = APIClient()
+    client.force_authenticate(user=user)
+
+    unrelated_course = Course.objects.create(title="Other Course")
+    CourseRunFactory(course=unrelated_course)
+
+    url = reverse("v2:courses_api-list")
+    response = client.get(url, {"org_id": org.id})
+
+    titles = [result["title"] for result in response.data["results"]]
+    assert course.title not in titles
+    assert unrelated_course.title not in titles
+
+
 @pytest.mark.django_db
 def test_filter_without_org_id_authenticated_user(user_drf_client):
     course_with_contract = CourseFactory(title="Contract Course")