Issue/4466/api access/project-specific-access #4487

Open

lsabor wants to merge 6 commits into main from issue/4466/api-access/endpoint-updates
@lsabor lsabor commented Mar 14, 2026

addresses main site part of optional feature of #4466
followup to #4488

adds view_forecaster_data to WhitelistUser model
gives reduced_api_restriction_projects in user private serializer.

coderabbitai bot commented Mar 14, 2026

📝 Walkthrough

These changes introduce staff author filtering for comments, add forecaster data visibility controls to user whitelists, expand the API access tier system with a bot benchmarking tier, and expose filtered whitelist projects through serialization.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Comment Author Filtering: comments/serializers/common.py, comments/services/feed.py | Added optional author_is_staff filter to allow querying staff-authored comments; implements OR-based filtering when both author and author_is_staff parameters are provided. |
| Whitelist Forecaster Data Visibility: misc/migrations/0008_whitelistuser_view_forecaster_data.py, misc/models.py, misc/utils.py | Added view_forecaster_data boolean field to WhitelistUser model to control access to forecaster-level data; updated whitelist utility functions to filter by this field, fixing a bug in project_id handling. |
| User API Access and Whitelists: users/migrations/0016_user_api_access_tier.py, users/models.py, users/serializers.py | Added new bot_benchmarking API access tier choice, created whitelists relation field on User, and introduced reduced_api_restriction_projects serializer field to expose project-specific whitelist data. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • Invisible unread comments issue #4467: Concurrently modifies get_comments_feed signature and filtering logic in comments/services/feed.py, potentially requiring coordination or conflict resolution.

Suggested reviewers

  • ncarazon
  • elisescu
  • cemreinanc

Poem

🐰 A staff author filter hops in, forecaster data finds its way,
Bot benchmarks join the API tier—permissions sorted, hooray!
Whitelists now whisper "view or not view," and projects align,
The rabbit's work grows complex, yet the logic stays fine! ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ❓ Inconclusive | The PR title 'Issue/4466/api access/project-specific-access' is vague and does not clearly convey the main changes, which include multiple distinct features (comment filtering, API access tier, whitelist field, and serializer updates). | Consider revising the title to be more descriptive and specific. For example: 'Add project-specific API access controls with author filtering and bot benchmarking tier' would better summarize the key changes. |

✅ Passed checks (1 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@comments/services/feed.py`:
- Around line 73-79: The current checks treat author_is_staff as truthy so False
is treated like "not provided"; update the conditional logic to detect presence
and explicit True/False values: use "author_is_staff is not None" to detect a
provided boolean and "author_is_staff is True" / "author_is_staff is False" for
behavior decisions. Concretely, change the branch conditions around author and
author_is_staff (the if that currently reads "if author is not None and
author_is_staff", the "elif author_is_staff", and related qs.filter calls) to
explicitly check for is not None and compare to True/False, and implement the
corresponding filters (author_id, author__is_staff=True, author__is_staff=False,
and parent=None where needed).

In `@users/serializers.py`:
- Around line 138-142: get_reduced_api_restriction_projects is returning
duplicate project IDs and loads full WhitelistUser objects; change the query on
user.whitelists to select only project_id and deduplicate in the DB by using
values_list('project_id', flat=True).distinct() combined with the existing
project_id__isnull=False filter so the method returns a lean, unique list of
project IDs without instantiating full model instances.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 912be90c-bc22-4669-8060-485dd631298d

📥 Commits

Reviewing files that changed from the base of the PR and between ec238b4 and 2e0916b.

📒 Files selected for processing (8)
  • comments/serializers/common.py
  • comments/services/feed.py
  • misc/migrations/0008_whitelistuser_view_forecaster_data.py
  • misc/models.py
  • misc/utils.py
  • users/migrations/0016_user_api_access_tier.py
  • users/models.py
  • users/serializers.py
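
The `author_is_staff` truthiness problem raised in the review above, modelled in plain Python as an added example (not the project's code). The `Comment` class, the sample rows, both function names, the author-only fallback branch and the OR-combination for `False` are assumptions made for illustration; the `parent=None` handling mentioned in the review is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Comment:
    id: int
    author_id: int
    author_is_staff: bool


# Constructed sample data, not taken from the project.
COMMENTS = [
    Comment(1, author_id=10, author_is_staff=True),
    Comment(2, author_id=11, author_is_staff=False),
    Comment(3, author_id=12, author_is_staff=False),
    Comment(4, author_id=13, author_is_staff=True),
]


def filter_truthy(comments, author: Optional[int] = None,
                  author_is_staff: Optional[bool] = None) -> List[int]:
    """Branch conditions as quoted in the review: False behaves like None."""
    if author is not None and author_is_staff:
        keep = lambda c: c.author_id == author or c.author_is_staff
    elif author_is_staff:
        keep = lambda c: c.author_is_staff
    elif author is not None:  # assumed fallback branch, not quoted on the page
        keep = lambda c: c.author_id == author
    else:
        keep = lambda c: True
    return [c.id for c in comments if keep(c)]


def filter_explicit(comments, author: Optional[int] = None,
                    author_is_staff: Optional[bool] = None) -> List[int]:
    """Tri-state handling: None means 'not provided'; True/False both filter."""
    staff_given = author_is_staff is not None
    if author is not None and staff_given:
        # OR-combination, applied to False as well (assumption for this example).
        keep = lambda c: c.author_id == author or c.author_is_staff is author_is_staff
    elif staff_given:
        keep = lambda c: c.author_is_staff is author_is_staff
    elif author is not None:
        keep = lambda c: c.author_id == author
    else:
        keep = lambda c: True
    return [c.id for c in comments if keep(c)]
```

With the truthy checks, a caller asking for `author_is_staff=False` receives every comment, staff-authored ones included, instead of only non-staff comments.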

github-actions bot commented Mar 14, 2026

🚀 Preview Environment

Your preview environment is ready!

| Resource | Details |
|---|---|
| 🌐 Preview URL | https://metaculus-pr-4487-issue-4466-api-access-endpoint-preview.mtcl.cc |
| 📦 Docker Image | ghcr.io/metaculus/metaculus:issue-4466-api-access-endpoint-updates-7c61770 |
| 🗄️ PostgreSQL | NeonDB branch preview/pr-4487-issue-4466-api-access-endpoint |
| Redis | Fly Redis mtc-redis-pr-4487-issue-4466-api-access-endpoint |

Details

  • Commit: 7c617709bd4d236a74d0fa987335bc2f7039eb66
  • Branch: issue/4466/api-access/endpoint-updates
  • Fly App: metaculus-pr-4487-issue-4466-api-access-endpoint

ℹ️ Preview Environment Info

Isolation:

  • PostgreSQL and Redis are fully isolated from production
  • Each PR gets its own database branch and Redis instance
  • Changes pushed to this PR will trigger a new deployment

Limitations:

  • Background workers and cron jobs are not deployed in preview environments
  • If you need to test background jobs, use Heroku staging environments

Cleanup:

  • This preview will be automatically destroyed when the PR is closed

lsabor added 5 commits March 14, 2026 13:03
addresses main site parts of primary spec of #4466
add bot_benchmarking to api access tiers
add author_is_staff optional param to comments endpoint
@lsabor lsabor force-pushed the issue/4466/api-access/endpoint-updates branch from 2e0916b to 55a2c5f Compare March 14, 2026 20:05
@lsabor lsabor changed the base branch from main to issue/4466/api-access/comments-and-bot_benchmarking March 14, 2026 20:05
@lsabor lsabor changed the title Issue/4466/api access/endpoint updates Issue/4466/api access/project-specific-access Mar 14, 2026
Base automatically changed from issue/4466/api-access/comments-and-bot_benchmarking to main March 14, 2026 21:45
@lsabor lsabor mentioned this pull request Mar 14, 2026
6 tasks