From 4e0df919fa708e7e81766421896a0609a9f260b8 Mon Sep 17 00:00:00 2001
From: Matthew Elwell
Date: Wed, 6 Nov 2024 17:09:58 +0000
Subject: [PATCH] Fix environment view set permissions with VIEW_ENVIRONMENT requirement
---
 api/environments/permissions/permissions.py | 2 +-
 .../test_unit_environments_views.py | 38 +++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/api/environments/permissions/permissions.py b/api/environments/permissions/permissions.py
index 020b7a065249..52530853f667 100644
--- a/api/environments/permissions/permissions.py
+++ b/api/environments/permissions/permissions.py
@@ -45,7 +45,7 @@ def has_permission(self, request, view):
 def has_object_permission(self, request, view, obj):
 if view.action == "clone":
 return request.user.has_project_permission(CREATE_ENVIRONMENT, obj.project)
- elif view.action == "get_document":
+ elif view.action in ("get_document", "retrieve", "trait_keys"):
 return request.user.has_environment_permission(VIEW_ENVIRONMENT, obj)
 return request.user.is_environment_admin(obj) or view.action in [
diff --git a/api/tests/unit/environments/test_unit_environments_views.py b/api/tests/unit/environments/test_unit_environments_views.py
index ad8bc80aea4f..d3b84a1d2880 100644
--- a/api/tests/unit/environments/test_unit_environments_views.py
+++ b/api/tests/unit/environments/test_unit_environments_views.py
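Review bot: In `has_object_permission` (api/environments/permissions/permissions.py), the new `elif view.action in ("get_document", "retrieve", "trait_keys"):` branch grants access on the action name alone, so it is only safe while every listed action is read-only and returns nothing that should stay admin-only; the hunk does not show the view methods or serializers, so that should be confirmed for `retrieve` and `trait_keys`. It presumably also relies on `has_environment_permission(VIEW_ENVIRONMENT, obj)` returning true for environment admins, otherwise admins would lose these two actions. A comment above the branch would keep the invariant visible, e.g. `# Read-only actions: VIEW_ENVIRONMENT is enough. Anything that mutates must fall through to the admin check below.` The function continues past the hunk: the list opened by `view.action in [` is cut off, so the actions allowed to every user cannot be reviewed here.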
@@ -76,6 +76,23 @@ def test_retrieve_environment(
 )
+def test_user_with_view_environment_permission_can_retrieve_environment(
+ staff_client: APIClient,
+ environment: Environment,
+ with_environment_permissions: WithEnvironmentPermissionsCallable,
+) -> None:
+ # Given
+ url = reverse("api-v1:environments:environment-detail", args=[environment.api_key])
+
+ with_environment_permissions([VIEW_ENVIRONMENT])
+
+ # When
+ response = staff_client.get(url)
+
+ # Then
+ assert response.status_code == status.HTTP_200_OK
+
+
 def test_can_clone_environment_with_create_environment_permission(
 test_user,
 test_user_client,
@@ -920,6 +937,27 @@ def test_get_all_trait_keys_for_environment_only_returns_distinct_keys(
 assert len(res.json().get("keys")) == 2
+def test_user_with_view_environment_can_get_trait_keys(
+ identity: Identity,
+ staff_client: APIClient,
+ trait: Trait,
+ environment: Environment,
+ with_environment_permissions: WithEnvironmentPermissionsCallable,
+) -> None:
+ # Given
+ url = reverse(
+ "api-v1:environments:environment-trait-keys", args=[environment.api_key]
+ )
+
+ with_environment_permissions([VIEW_ENVIRONMENT])
+
+ # When
+ res = staff_client.get(url)
+
+ # Then
+ assert res.status_code == status.HTTP_200_OK
+
+
 def test_delete_trait_keys_deletes_traits_matching_provided_key_only(
 identity: Identity,
 admin_client_new: APIClient,
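Review bot: Both added tests (`test_user_with_view_environment_permission_can_retrieve_environment` in the first hunk and `test_user_with_view_environment_can_get_trait_keys` in the `@@ -920,6 +937,27 @@` hunk) assert only the allowed path, so nothing pins the deny side of the permission change. Each should get a companion that makes the same request with `staff_client` but without the `with_environment_permissions([VIEW_ENVIRONMENT])` call and asserts `response.status_code == status.HTTP_403_FORBIDDEN` (or whichever denial status the view set actually returns, which is not visible here). The trait-keys test also requests the `identity` and `trait` fixtures but never checks the response body; asserting the returned keys would show that a view-only user gets the expected data rather than just a 200.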