tjcsl · ElijahFeldman7 · Dec 25, 2025
@@ -26,6 +26,9 @@ def visible_to_user(self, user):
 
         """
 
+        if not user.is_authenticated:
+            return Announcement.objects.filter(Q(groups__isnull=True) & Q(activity__isnull=True) | Q(public=True) & Q(activity__restricted=False))
+
         if user.is_restricted:  # Restricted users are not authorized to view announcements
             return Announcement.objects.none()
 

@@ -225,11 +225,12 @@ def fetch_activity_list_with_metadata(self, block):
         # Find all scheduled activities that don't correspond to deleted activities.
         # Also move administrative activities to the end of the list. It appears that it is not possible to sort on "activity__administrative OR
         # administrative", so we just sort by each in turn. The exact order of administrative activities does not matter *too* much.
-        scheduled_activities = (
-            block.eighthscheduledactivity_set.exclude(activity__deleted=True)
-            .select_related("activity")
-            .order_by("activity__administrative", "administrative", "activity__name")
-        )
+        scheduled_activities = block.eighthscheduledactivity_set.exclude(activity__deleted=True).select_related("activity")
+
+        if user is None or not user.is_authenticated or not user.is_eighth_admin:
+            scheduled_activities = scheduled_activities.exclude(activity__administrative=True).exclude(administrative=True)
+
+        scheduled_activities = scheduled_activities.order_by("activity__administrative", "administrative", "activity__name")
 
         for scheduled_activity in scheduled_activities:
             # Avoid re-fetching scheduled_activity.

@@ -304,6 +304,9 @@ def stats_global_view(request):
     if request.method == "POST" and request.POST.get("year", False):
         year = int(request.POST.get("year"))
         do_csv = request.POST.get("generate", "csv") == "csv"
+        activities = EighthActivity.objects.all()
+        if not request.user.is_eighth_admin:
+            activities = activities.exclude(administrative=True)
         if do_csv:
             response = HttpResponse(content_type="text/csv")
             response["Content-Disposition"] = 'attachment; filename="eighth.csv"'

@@ -201,9 +201,12 @@ def get_search_results(q, admin=False):
     return False, users
 
 
-def do_activities_search(q):
+def do_activities_search(q, admin=False):
     filter_query = get_query(q, ["name", "description"])
-    entries = EighthActivity.objects.filter(filter_query).order_by("name")
+    entries = EighthActivity.objects.filter(filter_query)
+    if not admin:
+        entries = entries.exclude(administrative=True)
+    entries = entries.order_by("name")
     final_entries = []
     for e in entries:
         if e.is_active:
@@ -260,7 +263,7 @@ def do_enrichment_search(q):
 @deny_restricted
 def search_view(request):
     q = request.GET.get("q", "").strip()
-    is_admin = not request.user.is_student and request.user.is_eighthoffice
+    is_admin = request.user.is_eighth_admin
 
     if q:
         """User search."""
@@ -270,14 +273,14 @@ def search_view(request):
             if u is not None:
                 return profile_view(request, user_id=u.id)
 
-        query_error, users = get_search_results(q, request.user.is_eighthoffice)
+        query_error, users = get_search_results(q, is_admin)
         if query_error:
             users = []
 
         if is_admin:
             users = sorted(users, key=lambda u: (u.last_name, u.first_name))
 
-        activities = do_activities_search(q)
+        activities = do_activities_search(q, is_admin)
         announcements, club_announcements = do_announcements_search(q, request.user)
         events = do_events_search(q)
         enrichments = do_enrichment_search(q) if settings.ENABLE_ENRICHMENT_APP else []

@@ -34,11 +34,12 @@ def retrieve(self, request, *args, **kwargs):
         else:
             user = request.user
 
-        if not request.user.oauth_and_api_access and user != request.user:
-            return Response({"detail": "You do not have permission to perform this action."}, status=403)
+        if request.user.is_authenticated:
+            if not request.user.oauth_and_api_access and user != request.user:
+                return Response({"detail": "You do not have permission to perform this action."}, status=403)
 
-        if request.user.is_restricted and user != request.user:
-            raise get_user_model().DoesNotExist
+            if request.user.is_restricted and user != request.user:
+                raise get_user_model().DoesNotExist
 
         # Remove sensitive information
         data = self.get_serializer(user).data
@@ -51,7 +52,7 @@ def retrieve(self, request, *args, **kwargs):
             "websites",
             "is_announcements_admin",
         ]
-        if not (request.user.is_teacher or request.user.is_eighth_admin):
+        if request.user.is_authenticated and not (request.user.is_teacher or request.user.is_eighth_admin):
             fields_to_remove.append("student_id")
 
         for field in fields_to_remove: