From bcb344d744ff203b87c005ecf20d4020a8175c64 Mon Sep 17 00:00:00 2001
From: Jon <jnation@lco.global>
Date: Mon, 20 May 2024 22:50:30 +0000
Subject: [PATCH] Update datasession and dataoperation get permissions to only
 those the user has access to

---
 datalab/datalab_session/viewsets.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/datalab/datalab_session/viewsets.py b/datalab/datalab_session/viewsets.py
index 9d0a066..4d742b2 100644
--- a/datalab/datalab_session/viewsets.py
+++ b/datalab/datalab_session/viewsets.py
@@ -13,7 +13,7 @@ class DataOperationViewSet(viewsets.ModelViewSet):
     serializer_class = DataOperationSerializer
     
     def get_queryset(self):
-        return DataOperation.objects.filter(session=self.kwargs['session_pk'])
+        return DataOperation.objects.filter(session=self.kwargs['session_pk'], session__user=self.request.user)
     
     def perform_create(self, serializer):
         operation = available_operations().get(serializer.validated_data['name'])(serializer.validated_data['input_data'])
@@ -30,7 +30,7 @@ class DataSessionViewSet(viewsets.ModelViewSet):
     ordering = ('created',)
     
     def get_queryset(self):
-        return DataSession.objects.all()
+        return DataSession.objects.filter(user=self.request.user).prefetch_related('operations')
 
     def perform_create(self, serializer):
         serializer.save(user=self.request.user)