Respect site_read role in View Data view. Fixes #355.

datameta/api/ui/view.py

@@ -95,10 +95,12 @@ def post(request: Request):
     and_filters = [
             # This clause joins the EXISTS subquery with the main query
             MetaDataSet.id==MetaDataSetFilter.id,
-            # This clause restricts the results to submissions of the user's group
-            Submission.group_id == auth_user.group_id
             ]
 
+    # This clause restricts the results to submissions of the user's group
+    if not authz.view_mset_any(auth_user):
+        and_filters.append(Submission.group_id == auth_user.group_id)
+
     # Additionally, if a search pattern was requested, we create a clause
     # implementing the the search and add it to the AND clause
     if searches:

datameta/security/authz.py

@@ -30,9 +30,6 @@ def has_data_access(user, data_user_id, data_group_id=None, was_submitted=False)
         (not was_submitted and data_user_id and data_user_id == user.id)
     ))
 
-def view_mset_any(user):
-    return user.site_read
-
 def view_apikey(user, target_user):
     return user_is_target(user, target_user)
 
@@ -78,6 +75,9 @@ def submit_mset(user, mds_obj):
 def delete_mset(user, mdata_set):
     return user.id == mdata_set.user_id
 
+def view_mset_any(user):
+    return user.site_read
+
 def view_mset(user, mds_obj):
     was_submitted = bool(mds_obj.submission_id is not None)
     group_id = mds_obj.submission.group_id if was_submitted else None