Merge branch 'main' into book-format-choices

2021-09-29 11:30:23 -07:00
parent bc87856c2e e308ca2511
commit 2f93e6d723
149 changed files with 6807 additions and 5952 deletions
--- a/bookwyrm/models/base_model.py
+++ b/bookwyrm/models/base_model.py
@ -1,8 +1,11 @@
 """ base model with default fields """
 import base64
 from Crypto import Random
+
+from django.core.exceptions import PermissionDenied
 from django.db import models
 from django.dispatch import receiver
+from django.http import Http404
 from django.utils.translation import gettext_lazy as _

 from bookwyrm.settings import DOMAIN
@ -48,26 +51,26 @@ class BookWyrmModel(models.Model):
        """how to link to this object in the local app"""
        return self.get_remote_id().replace(f"https://{DOMAIN}", "")

-    def visible_to_user(self, viewer):
+    def raise_visible_to_user(self, viewer):
        """is a user authorized to view an object?"""
        # make sure this is an object with privacy owned by a user
        if not hasattr(self, "user") or not hasattr(self, "privacy"):
-            return None
+            return

        # viewer can't see it if the object's owner blocked them
        if viewer in self.user.blocks.all():
-            return False
+            raise Http404()

        # you can see your own posts and any public or unlisted posts
        if viewer == self.user or self.privacy in ["public", "unlisted"]:
-            return True
+            return

        # you can see the followers only posts of people you follow
        if (
            self.privacy == "followers"
            and self.user.followers.filter(id=viewer.id).first()
        ):
-            return True
+            return

        # you can see dms you are tagged in
        if hasattr(self, "mention_users"):
@ -75,8 +78,32 @@ class BookWyrmModel(models.Model):
                self.privacy == "direct"
                and self.mention_users.filter(id=viewer.id).first()
            ):
-                return True
-        return False
+                return
+        raise Http404()
+
+    def raise_not_editable(self, viewer):
+        """does this user have permission to edit this object? liable to be overwritten
+        by models that inherit this base model class"""
+        if not hasattr(self, "user"):
+            return
+
+        # generally moderators shouldn't be able to edit other people's stuff
+        if self.user == viewer:
+            return
+
+        raise PermissionDenied()
+
+    def raise_not_deletable(self, viewer):
+        """does this user have permission to delete this object? liable to be
+        overwritten by models that inherit this base model class"""
+        if not hasattr(self, "user"):
+            return
+
+        # but generally moderators can delete other people's stuff
+        if self.user == viewer or viewer.has_perm("moderate_post"):
+            return
+
+        raise PermissionDenied()


@receiver(models.signals.post_save)
--- a/bookwyrm/models/book.py
+++ b/bookwyrm/models/book.py
@ -3,8 +3,8 @@ import re

 from django.contrib.postgres.search import SearchVectorField
 from django.contrib.postgres.indexes import GinIndex
-from django.db import models
-from django.db import transaction
+from django.db import models, transaction
+from django.db.models import Prefetch
 from django.dispatch import receiver
 from django.utils.translation import gettext_lazy as _
 from model_utils import FieldTracker
@ -321,6 +321,27 @@ class Edition(Book):

        return super().save(*args, **kwargs)

+    @classmethod
+    def viewer_aware_objects(cls, viewer):
+        """annotate a book query with metadata related to the user"""
+        queryset = cls.objects
+        if not viewer or not viewer.is_authenticated:
+            return queryset
+
+        queryset = queryset.prefetch_related(
+            Prefetch(
+                "shelfbook_set",
+                queryset=viewer.shelfbook_set.all(),
+                to_attr="current_shelves",
+            ),
+            Prefetch(
+                "readthrough_set",
+                queryset=viewer.readthrough_set.filter(is_active=True).all(),
+                to_attr="active_readthroughs",
+            ),
+        )
+        return queryset
+

 def isbn_10_to_13(isbn_10):
    """convert an isbn 10 into an isbn 13"""
--- a/bookwyrm/models/list.py
+++ b/bookwyrm/models/list.py
@ -92,6 +92,12 @@ class ListItem(CollectionItemMixin, BookWyrmModel):
                notification_type="ADD",
            )

+    def raise_not_deletable(self, viewer):
+        """the associated user OR the list owner can delete"""
+        if self.book_list.user == viewer:
+            return
+        super().raise_not_deletable(viewer)
+
    class Meta:
        """A book may only be placed into a list once,
        and each order in the list may be used only once"""
--- a/bookwyrm/models/readthrough.py
+++ b/bookwyrm/models/readthrough.py
@ -26,10 +26,14 @@ class ReadThrough(BookWyrmModel):
    )
    start_date = models.DateTimeField(blank=True, null=True)
    finish_date = models.DateTimeField(blank=True, null=True)
+    is_active = models.BooleanField(default=True)

    def save(self, *args, **kwargs):
        """update user active time"""
        self.user.update_active_date()
+        # an active readthrough must have an unset finish date
+        if self.finish_date:
+            self.is_active = False
        super().save(*args, **kwargs)

    def create_update(self):
--- a/bookwyrm/models/shelf.py
+++ b/bookwyrm/models/shelf.py
@ -1,5 +1,6 @@
 """ puttin' books on shelves """
 import re
+from django.core.exceptions import PermissionDenied
 from django.db import models
 from django.utils import timezone

@ -20,6 +21,7 @@ class Shelf(OrderedCollectionMixin, BookWyrmModel):

    name = fields.CharField(max_length=100)
    identifier = models.CharField(max_length=100)
+    description = models.TextField(blank=True, null=True, max_length=500)
    user = fields.ForeignKey(
        "User", on_delete=models.PROTECT, activitypub_field="owner"
    )
@ -51,12 +53,23 @@ class Shelf(OrderedCollectionMixin, BookWyrmModel):
        """list of books for this shelf, overrides OrderedCollectionMixin"""
        return self.books.order_by("shelfbook")

+    @property
+    def deletable(self):
+        """can the shelf be safely deleted?"""
+        return self.editable and not self.shelfbook_set.exists()
+
    def get_remote_id(self):
        """shelf identifier instead of id"""
        base_path = self.user.remote_id
        identifier = self.identifier or self.get_identifier()
        return f"{base_path}/books/{identifier}"

+    def raise_not_deletable(self, viewer):
+        """don't let anyone delete a default shelf"""
+        super().raise_not_deletable(viewer)
+        if not self.deletable:
+            raise PermissionDenied()
+
    class Meta:
        """user/shelf unqiueness"""

--- a/bookwyrm/models/status.py
+++ b/bookwyrm/models/status.py
@ -3,6 +3,7 @@ from dataclasses import MISSING
 import re

 from django.apps import apps
+from django.core.exceptions import PermissionDenied
 from django.core.validators import MaxValueValidator, MinValueValidator
 from django.db import models
 from django.dispatch import receiver
@ -187,6 +188,13 @@ class Status(OrderedCollectionPageMixin, BookWyrmModel):
        """json serialized activitypub class"""
        return self.to_activity_dataclass(pure=pure).serialize()

+    def raise_not_editable(self, viewer):
+        """certain types of status aren't editable"""
+        # first, the standard raise
+        super().raise_not_editable(viewer)
+        if isinstance(self, (GeneratedNote, ReviewRating)):
+            raise PermissionDenied()
+

 class GeneratedNote(Status):
    """these are app-generated messages about user activity"""