From 1a02af145016b79fe2b14c6a93536b88e82d5b7c Mon Sep 17 00:00:00 2001
From: Hugh Rundle
Date: Mon, 27 Sep 2021 20:24:25 +1000
Subject: [PATCH] allow members to see groups and their lists
- add additional logic to visible_to_user, for groups and their objects
- cleans up some queries in Group view
NOTE: I can't work out how to make group lists only visible to users who should be able to see them, on user group listings. They still can't access the actual group, but can see it on user pages. This is potentialy problematic.
---
 bookwyrm/models/base_model.py | 13 +++++++++++--
 bookwyrm/views/group.py | 13 ++++---------
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/bookwyrm/models/base_model.py b/bookwyrm/models/base_model.py
index 3a2d758b..1b4bae1a 100644
--- a/bookwyrm/models/base_model.py
+++ b/bookwyrm/models/base_model.py
@@ -77,8 +77,17 @@ class BookWyrmModel(models.Model):
 ):
 return True
-# TODO: if privacy is direct and the object is a group and viewer is a member of the group
-# then return True
+ # you can see groups of which you are a member
+ if hasattr(self, "members") and viewer in self.members.all():
+ return True
+
+ # you can see objects which have a group of which you are a member
+ if hasattr(self, "group"):
+ if (
+ hasattr(self.group, "members")
+ and viewer in self.group.members.all()
+ ):
+ return True
 return False
diff --git a/bookwyrm/views/group.py b/bookwyrm/views/group.py
index dfb44a4c..b28aabeb 100644
--- a/bookwyrm/views/group.py
+++ b/bookwyrm/views/group.py
@@ -13,7 +13,7 @@ from django.db.models.functions import Greatest
 from bookwyrm import forms, models
 from bookwyrm.suggested_users import suggested_users
-from .helpers import privacy_filter # TODO:
+from .helpers import privacy_filter
 from .helpers import get_user_from_username
 from bookwyrm.settings import DOMAIN
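Review bot: In `bookwyrm/models/base_model.py`, the two new membership branches of `visible_to_user` decide access by attribute name (`hasattr(self, "members")`, `hasattr(self, "group")`) rather than by model type, so any model that later gains a `members` or `group` attribute silently inherits this grant, and as written in the hunk neither branch looks at the object's privacy value. `viewer in self.members.all()` also loads every member row to answer a yes/no question; `self.members.filter(id=viewer.id).exists()` asks the database directly, and the same form applies to `self.group.members`. A short comment stating that membership is meant to override the privacy setting would help the next reader. The start of `visible_to_user` is outside the hunk, so whether blocked or anonymous viewers are rejected before these lines cannot be confirmed from here.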
@@ -23,10 +23,7 @@ class Group(View):
 def get(self, request, group_id):
 """display a group"""
- # TODO: use get_or_404?
- # TODO: what is the difference between privacy filter and visible to user?
- # get_object_or_404(models.Group, id=group_id)
- group = models.Group.objects.get(id=group_id)
+ group = get_object_or_404(models.Group, id=group_id)
 lists = models.List.objects.filter(group=group).order_by("-updated_date")
 lists = privacy_filter(request.user, lists)
@@ -43,7 +40,6 @@ class Group(View):
 return TemplateResponse(request, "groups/group.html", data)
 @method_decorator(login_required, name="dispatch")
- # pylint: disable=unused-argument
 def post(self, request, group_id):
 """edit a group"""
 user_group = get_object_or_404(models.Group, id=group_id)
@@ -61,7 +57,7 @@ class UserGroups(View):
 """display a group"""
 user = get_user_from_username(request.user, username)
 groups = models.Group.objects.filter(members=user).order_by("-updated_date")
- groups = privacy_filter(request.user, groups)
+ # groups = privacy_filter(request.user, groups)
 paginated = Paginator(groups, 12)
 data = {
@@ -127,8 +123,7 @@ def add_member(request):
 """add a member to the group"""
 # TODO: if groups become AP values we need something like get_group_from_group_fullname
- # group = get_object_or_404(models.Group, id=request.POST.get("group"))
- group = models.Group.objects.get(id=request.POST["group"])
+ group = get_object_or_404(models.Group, id=request.POST.get("group"))
 if not group:
 return HttpResponseBadRequest()
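Review bot: In `Group.get` (first hunk of `bookwyrm/views/group.py` after the imports), no visibility check on `group` itself appears between the `get_object_or_404` lookup and the list query; only the group's lists go through `privacy_filter`. If the lines between this hunk and the `TemplateResponse` do not already do it, a guard such as `if not group.visible_to_user(request.user): raise Http404()` right after the lookup would keep a private group's page from rendering for non-members. The rest of `get` is outside the hunk, so this may already be handled there.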
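Review bot: In `UserGroups.get`, commenting out `privacy_filter` means every group the profile owner belongs to is listed to whoever can load that user's page, so the names and membership of private groups are disclosed to non-members; the commit message notes the problem, but the new code ships it. Until the filter understands membership, an interim that reuses the check this patch extends is `groups = [g for g in groups if g.visible_to_user(request.user)]` placed before `Paginator` (which accepts a list), assuming `models.Group` inherits `visible_to_user` from `BookWyrmModel`. The commented-out line should be deleted or replaced with a `# TODO` that says why the filter is off, rather than left as dead code.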
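Review bot: In `add_member`, `get_object_or_404` either returns a group or raises, so the `if not group: return HttpResponseBadRequest()` that follows can no longer be reached, and a request with no `group` field now ends in a 404 instead of a 400. Either drop the dead branch or check the field first, e.g. `if not request.POST.get("group"): return HttpResponseBadRequest()` ahead of the lookup. No check that `request.user` is allowed to add members to this group is visible in the hunk; the function continues past it, so confirm that it is enforced there.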