Todd Lees commented: Passes CR, moving to QA
[~accountid:712020:169a1b29-e3ab-43ca-a22d-7d6f230207bd] visiting this link should give you a {{[]}} rather than actual data
[https://dev-api.fecfile.fec.gov/api/v1/memo-text/?report_id=fa9b6248-b23c-4599-b94f-787225b5d5b0|https://dev-api.fecfile.fec.gov/api/v1/memo-text/?report_id=fa9b6248-b23c-4599-b94f-787225b5d5b0]
Shelly Wise commented: QA review verified when selecting the following link
[https://dev-api.fecfile.fec.gov/api/v1/memo-text/?report_id=fa9b6248-b23c-4599-b94f-787225b5d5b0|https://dev-api.fecfile.fec.gov/api/v1/memo-text/?report_id=fa9b6248-b23c-4599-b94f-787225b5d5b0]
Add committee-based access controls to memo text API viewset
Memo text records can be accessed and created with the API regardless of the committee a user is in.
This can be observed by creating a report-level memo in one committee, logging into another, and querying the API for that memo ID.
This shouldn’t be possible.
QA Notes
null
DEV Notes
Include unit test coverage, and write a failing unit test
The following code does not use the {{CommitteeOwnedViewMixin}}’s {{get_queryset()}}, so it doesn’t filter by committee:
{noformat}
class MemoTextViewSet(CommitteeOwnedViewMixin, ReportViewMixin, ModelViewSet):
    def get_queryset(self):
        # Unfiltered: the committee filter in CommitteeOwnedViewMixin is never called
        memos = MemoText.objects.all()
{noformat}
Fixable by getting {{memos}} from super:
{noformat}
class MemoTextViewSet(CommitteeOwnedViewMixin, ReportViewMixin, ModelViewSet):
    def get_queryset(self):
        # Start from the mixin's committee-filtered queryset
        memos = super().get_queryset()
{noformat}
Design
null
See full ticket and images here: FECFILE-1836
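The override problem from the DEV Notes, as an added example that is not the project's code: plain-Python stand-ins show why the mixin's committee filter is skipped without {{super()}}, and what the regression check for the {{[]}} response looks like. {{BaseViewSet}}, {{CommitteeOwnedMixin}}, {{by_report}}, {{visible_ids}} and the sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Memo:
    id: str
    committee_id: str
    report_id: str

# Constructed sample rows: one memo in each of two committees.
MEMOS = [Memo("memo-a", "C001", "report-a"), Memo("memo-b", "C002", "report-b")]

class BaseViewSet:
    """Stand-in for ModelViewSet: the default queryset is every row."""
    def __init__(self, committee_id, query_params=None):
        self.committee_id = committee_id
        self.query_params = query_params or {}
    def get_queryset(self):
        return list(MEMOS)

class CommitteeOwnedMixin:
    """Stand-in for CommitteeOwnedViewMixin: keep the caller's committee only."""
    def get_queryset(self):
        rows = super().get_queryset()
        return [m for m in rows if m.committee_id == self.committee_id]

def by_report(memos, params):
    """Hypothetical report_id filter, mirroring the ?report_id= query above."""
    report_id = params.get("report_id")
    return [m for m in memos if report_id is None or m.report_id == report_id]

class VulnerableMemoViewSet(CommitteeOwnedMixin, BaseViewSet):
    def get_queryset(self):
        memos = list(MEMOS)  # like MemoText.objects.all(): the mixin never runs
        return by_report(memos, self.query_params)

class FixedMemoViewSet(CommitteeOwnedMixin, BaseViewSet):
    def get_queryset(self):
        memos = super().get_queryset()  # walks the MRO, so the mixin filters first
        return by_report(memos, self.query_params)

def visible_ids(viewset_cls, committee_id, report_id=None):
    """IDs a user of committee_id gets back from the given viewset."""
    params = {"report_id": report_id} if report_id else {}
    return [m.id for m in viewset_cls(committee_id, params).get_queryset()]

if __name__ == "__main__":
    # A C002 user asks for C001's report: leaked before the fix, [] after it.
    print(visible_ids(VulnerableMemoViewSet, "C002", "report-a"))
    print(visible_ids(FixedMemoViewSet, "C002", "report-a"))
```

The cross-committee assertion is the one that fails against the unfiltered override and passes once {{memos}} comes from {{super()}}.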