fix: filter privacy overview KPIs (#2959)

nas-tabchiche · ab-smith · web-flow · commit b7a958357442 · 2025-11-29T15:34:01.000+01:00
* fix: filter privacy overview KPIs

* restric more gdpr metrics

---------

Co-authored-by: Abderrahmane Smimite &lt;smimite@gmail.com&gt;
diff --git a/backend/privacy/models.py b/backend/privacy/models.py
@@ -251,9 +251,10 @@ def save(self, *args, **kwargs):
             self.processing.save(update_fields=["has_sensitive_personal_data"])
 
     @classmethod
-    def get_categories_count(cls):
+    def get_categories_count(cls, filters: dict = {}):
         categories = (
-            cls.objects.values("category")
+            cls.objects.filter(**filters)
+            .values("category")
             .annotate(count=Count("id"))
             .order_by("-count")
         )
diff --git a/backend/privacy/views.py b/backend/privacy/views.py
@@ -8,6 +8,8 @@
 from itertools import chain
 from collections import defaultdict
 
+from iam.models import Folder, RoleAssignment
+
 from .models import (
     ProcessingNature,
     Purpose,
@@ -149,12 +151,16 @@ def legal_basis(self, request):
         return Response(dict(LEGAL_BASIS_CHOICES))
 
 
-def agg_countries():
-    transfer_countries = DataTransfer.objects.values("country").annotate(
-        count=Count("id")
+def agg_countries(viewable_data_transfers, viewable_data_contractors):
+    transfer_countries = (
+        DataTransfer.objects.filter(id__in=viewable_data_transfers)
+        .values("country")
+        .annotate(count=Count("id"))
     )
-    contractor_countries = DataContractor.objects.values("country").annotate(
-        count=Count("id")
+    contractor_countries = (
+        DataContractor.objects.filter(id__in=viewable_data_contractors)
+        .values("country")
+        .annotate(count=Count("id"))
     )
     country_counts = defaultdict(int)
     for item in chain(transfer_countries, contractor_countries):
@@ -188,40 +194,88 @@ def metrics(self, request, pk=None):
 
     @action(detail=False, name="aggregated metrics")
     def agg_metrics(self, request):
-        pd_categories = PersonalData.get_categories_count()
-        total_categories = len(pd_categories)
-        processings_count = Processing.objects.all().count()
+        (viewable_processings, _, _) = RoleAssignment.get_accessible_object_ids(
+            folder=Folder.get_root_folder(),
+            user=request.user,
+            object_type=Processing,
+        )
+        (viewable_data_contractors, _, _) = RoleAssignment.get_accessible_object_ids(
+            folder=Folder.get_root_folder(),
+            user=request.user,
+            object_type=DataContractor,
+        )
+        (viewable_data_transfers, _, _) = RoleAssignment.get_accessible_object_ids(
+            folder=Folder.get_root_folder(),
+            user=request.user,
+            object_type=DataTransfer,
+        )
+        (viewable_right_requests, _, _) = RoleAssignment.get_accessible_object_ids(
+            folder=Folder.get_root_folder(),
+            user=request.user,
+            object_type=RightRequest,
+        )
+        (viewable_data_breaches, _, _) = RoleAssignment.get_accessible_object_ids(
+            folder=Folder.get_root_folder(),
+            user=request.user,
+            object_type=DataBreach,
+        )
+        (viewable_personal_data, _, _) = RoleAssignment.get_accessible_object_ids(
+            folder=Folder.get_root_folder(),
+            user=request.user,
+            object_type=PersonalData,
+        )
+        processings_count = Processing.objects.filter(
+            id__in=viewable_processings
+        ).count()
 
+        pd_categories = PersonalData.get_categories_count(
+            filters={"id__in": viewable_personal_data}
+        )
+        total_categories = len(pd_categories)
         # Count distinct entities from data contractors and data transfers
         contractor_entities = (
-            DataContractor.objects.filter(entity__isnull=False)
+            DataContractor.objects.filter(
+                id__in=viewable_data_contractors, entity__isnull=False
+            )
             .values_list("entity", flat=True)
             .distinct()
         )
         transfer_entities = (
-            DataTransfer.objects.filter(entity__isnull=False)
+            DataTransfer.objects.filter(
+                id__in=viewable_data_transfers, entity__isnull=False
+            )
             .values_list("entity", flat=True)
             .distinct()
         )
         recipients_count = len(set(list(contractor_entities) + list(transfer_entities)))
 
-        open_right_requests_count = RightRequest.objects.exclude(status="done").count()
-        open_data_breaches_count = DataBreach.objects.exclude(
-            status="privacy_closed"
-        ).count()
+        open_right_requests_count = (
+            RightRequest.objects.filter(id__in=viewable_right_requests)
+            .exclude(status="done")
+            .count()
+        )
+        open_data_breaches_count = (
+            DataBreach.objects.filter(id__in=viewable_data_breaches)
+            .exclude(status="privacy_closed")
+            .count()
+        )
 
         # Aggregate data breaches by breach type
-        breach_types = DataBreach.objects.values("breach_type").annotate(
-            count=Count("id")
+        breach_types = (
+            DataBreach.objects.filter(id__in=viewable_data_breaches)
+            .values("breach_type")
+            .annotate(count=Count("id"))
         )
         breach_type_data = [
             {"name": item["breach_type"], "value": item["count"]}
             for item in breach_types
         ]
 
         # Aggregate right requests by request type
-        request_types = RightRequest.objects.values("request_type").annotate(
-            count=Count("id")
+        request_types = (
+            RightRequest.objects.filter(id__in=viewable_right_requests)
+            .values("request_type")
+            .annotate(count=Count("id"))
         )
         request_type_data = [
             {"name": item["request_type"], "value": item["count"]}
@@ -237,7 +291,7 @@ def agg_metrics(self, request):
         personal_data = (
             PersonalData.objects.select_related("processing")
             .prefetch_related("processing__purposes", "processing__data_transfers")
-            .all()
+            .filter(id__in=viewable_personal_data)
         )
 
         for pd in personal_data:
@@ -322,7 +376,9 @@ def agg_metrics(self, request):
 
         return Response(
             {
-                "countries": agg_countries(),
+                "countries": agg_countries(
+                    viewable_data_transfers, viewable_data_contractors
+                ),
                 "processings_count": processings_count,
                 "recipients_count": recipients_count,
                 "pd_categories": pd_categories,
