job_seekers_views: hide job seekers' name from filter as orienteur

itou/www/job_seekers_views/forms.py

@@ -11,6 +11,7 @@
 from itou.users.models import JobSeekerProfile, User
 from itou.utils import constants as global_constants
 from itou.utils.emails import redact_email_address
+from itou.utils.templatetags.str_filters import mask_unless
 from itou.utils.validators import validate_nir
 from itou.utils.widgets import DuetDatePickerWidget
 
@@ -26,10 +27,15 @@ class FilterForm(forms.Form):
         ),
     )
 
-    def __init__(self, job_seeker_qs, data, *args, **kwargs):
+    def __init__(self, job_seeker_qs, data, *args, request_user, **kwargs):
         super().__init__(data, *args, **kwargs)
         self.fields["job_seeker"].choices = [
-            (job_seeker.pk, job_seeker.get_full_name())
+            (
+                job_seeker.pk,
+                mask_unless(
+                    job_seeker.get_full_name(), predicate=request_user.can_view_personal_information(job_seeker)
+                ),
+            )
             for job_seeker in job_seeker_qs.order_by("first_name", "last_name")
             if job_seeker.get_full_name()
         ]

itou/www/job_seekers_views/views.py

@@ -126,6 +126,7 @@ def setup(self, request, *args, **kwargs):
             self.form = FilterForm(
                 User.objects.filter(kind=UserKind.JOB_SEEKER).filter(Exists(self._get_user_job_applications())),
                 self.request.GET or None,
+                request_user=request.user,
             )
 
     def test_func(self):

tests/www/job_seekers_views/__snapshots__/test_list.ambr

@@ -257,6 +257,26 @@
                    "users_user"."last_name" ASC
         ''',
       }),
+      dict({
+        'origin': list([
+          'User.is_prescriber_with_authorized_org[users/models.py]',
+          'User.can_edit_personal_information[users/models.py]',
+          'User.can_view_personal_information[users/models.py]',
+          'FilterForm.__init__[www/job_seekers_views/forms.py]',
+          'JobSeekerListView.setup[www/job_seekers_views/views.py]',
+        ]),
+        'sql': '''
+          SELECT %s AS "a"
+          FROM "prescribers_prescribermembership"
+          INNER JOIN "users_user" ON ("prescribers_prescribermembership"."user_id" = "users_user"."id")
+          INNER JOIN "prescribers_prescriberorganization" ON ("prescribers_prescribermembership"."organization_id" = "prescribers_prescriberorganization"."id")
+          WHERE ("prescribers_prescribermembership"."user_id" = %s
+                 AND "prescribers_prescribermembership"."is_active"
+                 AND "prescribers_prescriberorganization"."is_authorized"
+                 AND "users_user"."is_active")
+          LIMIT 1
+        ''',
+      }),
       dict({
         'origin': list([
           'ItouPaginator.count[<site-packages>/django/core/paginator.py]',
@@ -385,25 +405,6 @@
           ORDER BY "approvals_approval"."created_at" DESC
         ''',
       }),
-      dict({
-        'origin': list([
-          'User.is_prescriber_with_authorized_org[users/models.py]',
-          'User.can_edit_personal_information[users/models.py]',
-          'User.can_view_personal_information[users/models.py]',
-          'JobSeekerListView.get_context_data[www/job_seekers_views/views.py]',
-        ]),
-        'sql': '''
-          SELECT %s AS "a"
-          FROM "prescribers_prescribermembership"
-          INNER JOIN "users_user" ON ("prescribers_prescribermembership"."user_id" = "users_user"."id")
-          INNER JOIN "prescribers_prescriberorganization" ON ("prescribers_prescribermembership"."organization_id" = "prescribers_prescriberorganization"."id")
-          WHERE ("prescribers_prescribermembership"."user_id" = %s
-                 AND "prescribers_prescribermembership"."is_active"
-                 AND "prescribers_prescriberorganization"."is_authorized"
-                 AND "users_user"."is_active")
-          LIMIT 1
-        ''',
-      }),
       dict({
         'origin': list([
           'Atomic.__exit__[<site-packages>/django/db/transaction.py]',

tests/www/job_seekers_views/test_list.py

@@ -187,3 +187,40 @@ def test_htmx_job_seeker_filter(client):
     assertContains(response, "1 résultat")
     fresh_page = parse_response_to_soup(response)
     assertSoupEqual(simulated_page, fresh_page)
+
+
+def test_filtered_by_job_seeker_for_unauthorized_prescriber(client):
+    prescriber = PrescriberFactory()
+    a_b_job_seeker = JobApplicationFactory(
+        sender=prescriber, job_seeker__first_name="A_something", job_seeker__last_name="B_something"
+    ).job_seeker
+    created_job_seeker = JobApplicationFactory(
+        sender=prescriber,
+        job_seeker__created_by=prescriber,
+        job_seeker__first_name="Zorro",
+        job_seeker__last_name="Martin",
+    ).job_seeker
+    c_d_job_seeker = JobApplicationFactory(
+        sender=prescriber,
+        job_seeker__created_by=prescriber,
+        job_seeker__last_login=timezone.now(),
+        job_seeker__first_name="C_something",
+        job_seeker__last_name="D_something",
+    ).job_seeker
+    client.force_login(prescriber)
+
+    url = reverse("job_seekers_views:list")
+    response = client.get(url, {"job_seeker": created_job_seeker.pk})
+    job_seekers = response.context["page_obj"].object_list
+    assert len(job_seekers) == 1
+    assert job_seekers[0].pk == created_job_seeker.pk
+
+    response = client.get(url)
+    job_seekers = response.context["page_obj"].object_list
+    assert len(job_seekers) == 3
+    filters_form = response.context["filters_form"]
+    assert filters_form.fields["job_seeker"].choices == [
+        (a_b_job_seeker.pk, "A… B…"),
+        (c_d_job_seeker.pk, "C… D…"),
+        (created_job_seeker.pk, "Zorro MARTIN"),
+    ]