fix(api): move access check to queryset

This makes the error codes match other API endpoints here.

Author: nijel

docs/changes.rst

@@ -12,6 +12,7 @@ Weblate 2026.6
 
 .. rubric:: Bug fixes
 
+* Hardened :http:post:`/api/screenshots/` access checks against private project enumeration.
 * Searching for strings with content changes without a recorded author now supports ``changed_by:""``.
 
 .. rubric:: Compatibility

weblate/screenshots/tests.py

@@ -193,6 +193,56 @@ def test_view(self) -> None:
         self.assertEqual(response.status_code, 200)
         self.assertEqual(response["content-type"], "image/png")
 
+    def test_private_screenshot_actions_hidden(self) -> None:
+        self.make_manager()
+        self.do_upload()
+        screenshot = Screenshot.objects.get()
+        source = self.component.source_translation.unit_set.all()[0]
+
+        self.project.access_control = Project.ACCESS_PRIVATE
+        self.project.save()
+        self.user.groups.remove(Group.objects.get(name="Managers"))
+        self.project.remove_user(self.user)
+
+        response = self.client.get(screenshot.get_absolute_url())
+        self.assertEqual(response.status_code, 404)
+
+        response = self.client.get(screenshot.get_view_url())
+        self.assertEqual(response.status_code, 404)
+
+        response = self.client.post(
+            reverse("screenshot-delete", kwargs={"pk": screenshot.pk})
+        )
+        self.assertEqual(response.status_code, 404)
+
+        response = self.client.post(
+            reverse("screenshot-js-search", kwargs={"pk": screenshot.pk}),
+            {"q": "hello"},
+        )
+        self.assertEqual(response.status_code, 404)
+
+        response = self.client.post(
+            reverse("screenshot-js-add", kwargs={"pk": screenshot.pk}),
+            {"source": source.pk},
+        )
+        self.assertEqual(response.status_code, 404)
+
+        response = self.client.get(
+            reverse("screenshot-js-get", kwargs={"pk": screenshot.pk})
+        )
+        self.assertEqual(response.status_code, 404)
+
+        response = self.client.post(
+            reverse("screenshot-remove-source", kwargs={"pk": screenshot.pk}),
+            {"source": source.pk},
+        )
+        self.assertEqual(response.status_code, 404)
+
+        response = self.client.post(
+            reverse("screenshot-js-ocr", kwargs={"pk": screenshot.pk})
+        )
+        self.assertEqual(response.status_code, 404)
+
     def test_delete(self) -> None:
         self.make_manager()
         self.do_upload()

weblate/screenshots/views.py

@@ -259,6 +259,9 @@ class ScreenshotBaseView(DetailView):
     model = Screenshot
     request: AuthenticatedHttpRequest
 
+    def get_queryset(self):
+        return Screenshot.objects.filter_access(self.request.user)
+
     def get_object(self, *args, **kwargs):
         obj = super().get_object(*args, **kwargs)
         self.request.user.check_access_component(obj.translation.component)
@@ -316,7 +319,7 @@ def post(self, request: AuthenticatedHttpRequest, *args, **kwargs) -> HttpRespon
 @require_POST
 @login_required
 def delete_screenshot(request: AuthenticatedHttpRequest, pk):
-    obj = get_object_or_404(Screenshot, pk=pk)
+    obj = get_object_or_404(Screenshot.objects.filter_access(request.user), pk=pk)
     component = obj.translation.component
     if not request.user.has_perm("screenshot.delete", obj.translation):
         raise PermissionDenied
@@ -329,7 +332,7 @@ def delete_screenshot(request: AuthenticatedHttpRequest, pk):
 
 
 def get_screenshot(request: AuthenticatedHttpRequest, pk):
-    obj = get_object_or_404(Screenshot, pk=pk)
+    obj = get_object_or_404(Screenshot.objects.filter_access(request.user), pk=pk)
     if not request.user.has_perm("screenshot.edit", obj.translation.component):
         raise PermissionDenied
     return obj