From dff0d11c3509ba1612921f84344f519dea9f7705 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Wed, 7 Aug 2024 10:17:04 +0100
Subject: [PATCH] Ensure permission check is performed correctly

---
 api/environments/views.py | 5 ++++-
 .../test_unit_environments_views.py | 21 +++++++++++++++++--
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/api/environments/views.py b/api/environments/views.py
index 4afc0ab52567..085fa6853c10 100644
--- a/api/environments/views.py
+++ b/api/environments/views.py
@@ -225,7 +225,10 @@ def user_permissions(self, request, *args, **kwargs):
     @swagger_auto_schema(responses={200: SDKEnvironmentDocumentModel})
     @action(detail=True, methods=["GET"], url_path="document")
     def get_document(self, request, api_key: str):
-        return Response(Environment.get_environment_document(api_key))
+        environment = (
+            self.get_object()
+        )  # use get_object to ensure permissions check is performed
+        return Response(Environment.get_environment_document(environment.api_key))
 
     @swagger_auto_schema(request_body=no_body, responses={202: ""})
     @action(detail=True, methods=["POST"], url_path="enable-v2-versioning")
diff --git a/api/tests/unit/environments/test_unit_environments_views.py b/api/tests/unit/environments/test_unit_environments_views.py
index 90760acec236..6329efae684b 100644
--- a/api/tests/unit/environments/test_unit_environments_views.py
+++ b/api/tests/unit/environments/test_unit_environments_views.py
@@ -766,11 +766,13 @@ def test_audit_log_entry_created_when_environment_updated(
 def test_get_document(
     environment: Environment,
     project: Project,
-    admin_client_new: APIClient,
+    staff_client: APIClient,
     feature: Feature,
     segment: Segment,
+    with_environment_permissions: WithEnvironmentPermissionsCallable,
 ) -> None:
     # Given
+    with_environment_permissions([VIEW_ENVIRONMENT])
     # and some sample data to make sure we're testing all of the document
     segment_rule = SegmentRule.objects.create(
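Review bot: The formatter has wrapped `environment = self.get_object()` across three lines only to make room for the trailing comment, so the explanation of the security fix now hangs off a bare closing parenthesis; put it above the statement instead: `# get_object() runs the viewset's object-level permission check (and 404s on an unknown key)` followed by `environment = self.get_object()`. That comment is worth keeping, because the removed line appears to have served the full environment document to any caller that got past the view-level check just by knowing the api_key, and a later cleanup could easily reinstate the shortcut. Whether `get_object()` actually denies depends on the viewset's lookup field and permission classes, which sit outside this hunk; the new 403 test is what pins it. `get_environment_document(environment.api_key)` also looks like it re-fetches the environment the view just loaded — if that classmethod can accept the instance, passing it avoids the second query, though its signature is not visible here.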
@@ -786,13 +788,28 @@ def test_get_document(
     )
 
     # When
-    response = admin_client_new.get(url)
+    response = staff_client.get(url)
 
     # Then
     assert response.status_code == status.HTTP_200_OK
     assert response.json()
 
 
+def test_cannot_get_environment_document_without_permission(
+    staff_client: APIClient, environment: Environment
+) -> None:
+    # Given
+    url = reverse(
+        "api-v1:environments:environment-get-document", args=[environment.api_key]
+    )
+
+    # When
+    response = staff_client.get(url)
+
+    # Then
+    assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
 def test_get_all_trait_keys_for_environment_only_returns_distinct_keys(
     identity: Identity,
     admin_client_new: APIClient,
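Review bot: The negative test pins 403 for an existing environment, but there is no case for an unknown `api_key`; with `get_object()` that path returns 404 before any permission check runs, so an unprivileged caller can tell valid keys from invalid ones. That is probably acceptable if these are the client-side keys shipped to browsers, but it is worth pinning with a sibling test such as `response = staff_client.get(reverse("api-v1:environments:environment-get-document", args=["unknown"]))` and `assert response.status_code == status.HTTP_404_NOT_FOUND`, so a later queryset-scoping change that flips it to 403 (or the reverse) is noticed. The positive test's fixture setup continues in the preceding hunk.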