bookwyrm/bookwyrm/models/base_model.py

""" base model with default fields """
import base64
from Crypto import Random

from django.core.exceptions import PermissionDenied, FieldError
from django.db import models
from django.db.models import Q
from django.dispatch import receiver
from django.http import Http404
from django.utils.translation import gettext_lazy as _

from bookwyrm.settings import DOMAIN
from .fields import RemoteIdField


DeactivationReason = [
    ("pending", _("Pending")),
    ("self_deletion", _("Self deletion")),
    ("moderator_suspension", _("Moderator suspension")),
    ("moderator_deletion", _("Moderator deletion")),
    ("domain_block", _("Domain block")),
]


def new_access_code():
    """the identifier for a user invite"""
    return base64.b32encode(Random.get_random_bytes(5)).decode("ascii")


class BookWyrmModel(models.Model):
    """shared fields"""

    created_date = models.DateTimeField(auto_now_add=True)
    updated_date = models.DateTimeField(auto_now=True)
    remote_id = RemoteIdField(null=True, activitypub_field="id")

    def get_remote_id(self):
        """generate a url that resolves to the local object"""
        base_path = f"https://{DOMAIN}"
        if hasattr(self, "user"):
            base_path = f"{base_path}{self.user.local_path}"
        model_name = type(self).__name__.lower()
        return f"{base_path}/{model_name}/{self.id}"

    class Meta:
        """this is just here to provide default fields for other models"""

        abstract = True

    @property
    def local_path(self):
        """how to link to this object in the local app"""
        return self.get_remote_id().replace(f"https://{DOMAIN}", "")

    def raise_visible_to_user(self, viewer):
        """is a user authorized to view an object?"""
        # make sure this is an object with privacy owned by a user
        if not hasattr(self, "user") or not hasattr(self, "privacy"):
            return

        # viewer can't see it if the object's owner blocked them
        if viewer in self.user.blocks.all():
            raise Http404()

        # you can see your own posts and any public or unlisted posts
        if viewer == self.user or self.privacy in ["public", "unlisted"]:
            return

        # you can see the followers only posts of people you follow
        if (
            self.privacy == "followers"
            and self.user.followers.filter(id=viewer.id).first()
        ):
            return

        # you can see dms you are tagged in
        if hasattr(self, "mention_users"):
            if (
                self.privacy == "direct"
                and self.mention_users.filter(id=viewer.id).first()
            ):
                return
        raise Http404()

    def raise_not_editable(self, viewer):
        """does this user have permission to edit this object? liable to be overwritten
        by models that inherit this base model class"""
        if not hasattr(self, "user"):
            return

        # generally moderators shouldn't be able to edit other people's stuff
        if self.user == viewer:
            return

        raise PermissionDenied()

    def raise_not_deletable(self, viewer):
        """does this user have permission to delete this object? liable to be
        overwritten by models that inherit this base model class"""
        if not hasattr(self, "user"):
            return

        # but generally moderators can delete other people's stuff
        if self.user == viewer or viewer.has_perm("moderate_post"):
            return

        raise PermissionDenied()

    @classmethod
    def privacy_filter(cls, viewer, privacy_levels=None, following_only=False):
        """filter objects that have "user" and "privacy" fields"""
        queryset = cls.objects
        if hasattr(queryset, "select_subclasses"):
            queryset = queryset.select_subclasses()

        privacy_levels = privacy_levels or ["public", "unlisted", "followers", "direct"]
        # if there'd a deleted field, exclude deleted items
        try:
            queryset = queryset.filter(deleted=False)
        except FieldError:
            pass

        # exclude blocks from both directions
        if not viewer.is_anonymous:
            queryset = queryset.exclude(
                Q(user__blocked_by=viewer) | Q(user__blocks=viewer)
            )

        # you can't see followers only or direct messages if you're not logged in
        if viewer.is_anonymous:
            privacy_levels = [
                p for p in privacy_levels if not p in ["followers", "direct"]
            ]

        # filter to only privided privacy levels
        queryset = queryset.filter(privacy__in=privacy_levels)

        # only include statuses the user follows
        if following_only:
            queryset = queryset.exclude(
                ~Q(  # remove everythign except
                    Q(user__followers=viewer)
                    | Q(user=viewer)  # user following
                    | Q(mention_users=viewer)  # is self  # mentions user
                ),
            )
        # exclude followers-only statuses the user doesn't follow
        elif "followers" in privacy_levels:
            queryset = cls.followers_filter(queryset, viewer)

        # exclude direct messages not intended for the user
        if "direct" in privacy_levels:
            queryset = cls.direct_filter(queryset, viewer)

        return queryset

    @classmethod
    def followers_filter(cls, queryset, viewer):
        """Override-able filter for "followers" privacy level"""
        return queryset.exclude(
            ~Q(  # user isn't following and it isn't their own status
                Q(user__followers=viewer) | Q(user=viewer)
            ),
            privacy="followers",  # and the status is followers only
        )

    @classmethod
    def direct_filter(cls, queryset, viewer):
        """Override-able filter for "direct" privacy level"""
        return queryset.exclude(~Q(user=viewer), privacy="direct")


@receiver(models.signals.post_save)
# pylint: disable=unused-argument
def set_remote_id(sender, instance, created, *args, **kwargs):
    """set the remote_id after save (when the id is available)"""
    if not created or not hasattr(instance, "get_remote_id"):
        return
    if not instance.remote_id:
        instance.remote_id = instance.get_remote_id()
        try:
            instance.save(broadcast=False)
        except TypeError:
            instance.save()
Runs black 2021-03-08 16:49:10 +00:00			`""" base model with default fields """`
Adds email confirmation code field 2021-08-06 21:42:18 +00:00			`import base64`
			`from Crypto import Random`
Adds model function to check perms 2021-09-27 21:02:34 +00:00
Moves privacy filter to model class 2021-10-06 16:48:11 +00:00			`from django.core.exceptions import PermissionDenied, FieldError`
Forgot to add the migration and models helper 2020-02-18 00:50:44 +00:00			`from django.db import models`
Moves privacy filter to model class 2021-10-06 16:48:11 +00:00			`from django.db.models import Q`
Unify concept of absolute_id and remote_id 2020-05-13 01:56:28 +00:00			`from django.dispatch import receiver`
Changes visiblity function to raise 2021-09-27 22:54:58 +00:00			`from django.http import Http404`
Use readable/translatable strings for db choices 2021-09-11 21:16:52 +00:00			`from django.utils.translation import gettext_lazy as _`
Forgot to add the migration and models helper 2020-02-18 00:50:44 +00:00
Moves activitypub mixin to its own file 2021-02-04 18:47:03 +00:00			`from bookwyrm.settings import DOMAIN`
			`from .fields import RemoteIdField`
Forgot to add the migration and models helper 2020-02-18 00:50:44 +00:00
Allow users to set privacy on imported reviews or not import them at all. Fixes #252 2020-10-30 18:21:02 +00:00
Use readable/translatable strings for db choices 2021-09-11 21:16:52 +00:00			`DeactivationReason = [`
			`("pending", _("Pending")),`
			`("self_deletion", _("Self deletion")),`
			`("moderator_suspension", _("Moderator suspension")),`
			`("moderator_deletion", _("Moderator deletion")),`
			`("domain_block", _("Domain block")),`
			`]`
Deactivate connectors related to blocked federated servers 2021-05-11 18:31:02 +00:00

Adds email confirmation code field 2021-08-06 21:42:18 +00:00			`def new_access_code():`
			`"""the identifier for a user invite"""`
			`return base64.b32encode(Random.get_random_bytes(5)).decode("ascii")`


Renames bookwyrm base model 2020-09-21 15:16:34 +00:00			`class BookWyrmModel(models.Model):`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""shared fields"""`
Runs black 2021-03-08 16:49:10 +00:00
Forgot to add the migration and models helper 2020-02-18 00:50:44 +00:00			`created_date = models.DateTimeField(auto_now_add=True)`
Fixes mistake in parent model definition 2020-02-21 01:33:50 +00:00			`updated_date = models.DateTimeField(auto_now=True)`
Runs black 2021-03-08 16:49:10 +00:00			`remote_id = RemoteIdField(null=True, activitypub_field="id")`
Forgot to add the migration and models helper 2020-02-18 00:50:44 +00:00
Unify concept of absolute_id and remote_id 2020-05-13 01:56:28 +00:00			`def get_remote_id(self):`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""generate a url that resolves to the local object"""`
Updating string format synatx part 2 2021-09-18 18:32:00 +00:00			`base_path = f"https://{DOMAIN}"`
Runs black 2021-03-08 16:49:10 +00:00			`if hasattr(self, "user"):`
Updating string format synatx part 2 2021-09-18 18:32:00 +00:00			`base_path = f"{base_path}{self.user.local_path}"`
Bug fixes and absolute ids 2020-02-18 01:53:40 +00:00			`model_name = type(self).__name__.lower()`
Updating string format synatx part 2 2021-09-18 18:32:00 +00:00			`return f"{base_path}/{model_name}/{self.id}"`
Forgot to add the migration and models helper 2020-02-18 00:50:44 +00:00
			`class Meta:`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""this is just here to provide default fields for other models"""`
Runs black 2021-03-08 16:49:10 +00:00
Forgot to add the migration and models helper 2020-02-18 00:50:44 +00:00			`abstract = True`
Unify concept of absolute_id and remote_id 2020-05-13 01:56:28 +00:00
User generated local paths 2020-12-31 01:36:35 +00:00			`@property`
			`def local_path(self):`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""how to link to this object in the local app"""`
Updating string format synatx part 2 2021-09-18 18:32:00 +00:00			`return self.get_remote_id().replace(f"https://{DOMAIN}", "")`
User generated local paths 2020-12-31 01:36:35 +00:00
Changes visiblity function to raise 2021-09-27 22:54:58 +00:00			`def raise_visible_to_user(self, viewer):`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""is a user authorized to view an object?"""`
Fixes visible_to_user check for non-federated objs why did this cause a problem _now_?? 2021-04-11 17:45:08 +00:00			`# make sure this is an object with privacy owned by a user`
			`if not hasattr(self, "user") or not hasattr(self, "privacy"):`
Changes visiblity function to raise 2021-09-27 22:54:58 +00:00			`return`
Fixes visible_to_user check for non-federated objs why did this cause a problem _now_?? 2021-04-11 17:45:08 +00:00
			`# viewer can't see it if the object's owner blocked them`
			`if viewer in self.user.blocks.all():`
Changes visiblity function to raise 2021-09-27 22:54:58 +00:00			`raise Http404()`
Fixes visible_to_user check for non-federated objs why did this cause a problem _now_?? 2021-04-11 17:45:08 +00:00
			`# you can see your own posts and any public or unlisted posts`
			`if viewer == self.user or self.privacy in ["public", "unlisted"]:`
Changes visiblity function to raise 2021-09-27 22:54:58 +00:00			`return`
Fixes visible_to_user check for non-federated objs why did this cause a problem _now_?? 2021-04-11 17:45:08 +00:00
			`# you can see the followers only posts of people you follow`
			`if (`
			`self.privacy == "followers"`
			`and self.user.followers.filter(id=viewer.id).first()`
			`):`
Changes visiblity function to raise 2021-09-27 22:54:58 +00:00			`return`
Fixes visible_to_user check for non-federated objs why did this cause a problem _now_?? 2021-04-11 17:45:08 +00:00
			`# you can see dms you are tagged in`
			`if hasattr(self, "mention_users"):`
			`if (`
			`self.privacy == "direct"`
			`and self.mention_users.filter(id=viewer.id).first()`
			`):`
Changes visiblity function to raise 2021-09-27 22:54:58 +00:00			`return`
			`raise Http404()`
Fixes visible_to_user check for non-federated objs why did this cause a problem _now_?? 2021-04-11 17:45:08 +00:00
Adds model function to check perms 2021-09-27 21:02:34 +00:00			`def raise_not_editable(self, viewer):`
			`"""does this user have permission to edit this object? liable to be overwritten`
			`by models that inherit this base model class"""`
			`if not hasattr(self, "user"):`
			`return`

			`# generally moderators shouldn't be able to edit other people's stuff`
			`if self.user == viewer:`
			`return`

Changes visiblity function to raise 2021-09-27 22:54:58 +00:00			`raise PermissionDenied()`
Adds model function to check perms 2021-09-27 21:02:34 +00:00
			`def raise_not_deletable(self, viewer):`
			`"""does this user have permission to delete this object? liable to be`
			`overwritten by models that inherit this base model class"""`
			`if not hasattr(self, "user"):`
			`return`

			`# but generally moderators can delete other people's stuff`
			`if self.user == viewer or viewer.has_perm("moderate_post"):`
			`return`

Changes visiblity function to raise 2021-09-27 22:54:58 +00:00			`raise PermissionDenied()`
Adds model function to check perms 2021-09-27 21:02:34 +00:00
Moves privacy filter to model class 2021-10-06 16:48:11 +00:00			`@classmethod`
Updates calls to privacy_filter 2021-10-06 17:37:09 +00:00			`def privacy_filter(cls, viewer, privacy_levels=None, following_only=False):`
Moves privacy filter to model class 2021-10-06 16:48:11 +00:00			`"""filter objects that have "user" and "privacy" fields"""`
			`queryset = cls.objects`
			`if hasattr(queryset, "select_subclasses"):`
			`queryset = queryset.select_subclasses()`

			`privacy_levels = privacy_levels or ["public", "unlisted", "followers", "direct"]`
			`# if there'd a deleted field, exclude deleted items`
			`try:`
			`queryset = queryset.filter(deleted=False)`
			`except FieldError:`
			`pass`

			`# exclude blocks from both directions`
			`if not viewer.is_anonymous:`
			`queryset = queryset.exclude(`
			`Q(user__blocked_by=viewer) \| Q(user__blocks=viewer)`
			`)`

			`# you can't see followers only or direct messages if you're not logged in`
			`if viewer.is_anonymous:`
			`privacy_levels = [`
			`p for p in privacy_levels if not p in ["followers", "direct"]`
			`]`

			`# filter to only privided privacy levels`
			`queryset = queryset.filter(privacy__in=privacy_levels)`

			`# only include statuses the user follows`
			`if following_only:`
			`queryset = queryset.exclude(`
			`~Q( # remove everythign except`
			`Q(user__followers=viewer)`
			`\| Q(user=viewer) # user following`
			`\| Q(mention_users=viewer) # is self # mentions user`
			`),`
			`)`
			`# exclude followers-only statuses the user doesn't follow`
			`elif "followers" in privacy_levels:`
			`queryset = cls.followers_filter(queryset, viewer)`

			`# exclude direct messages not intended for the user`
			`if "direct" in privacy_levels:`
			`queryset = cls.direct_filter(queryset, viewer)`

			`return queryset`

			`@classmethod`
			`def followers_filter(cls, queryset, viewer):`
			`"""Override-able filter for "followers" privacy level"""`
			`return queryset.exclude(`
			`~Q( # user isn't following and it isn't their own status`
			`Q(user__followers=viewer) \| Q(user=viewer)`
			`),`
			`privacy="followers", # and the status is followers only`
			`)`

			`@classmethod`
			`def direct_filter(cls, queryset, viewer):`
			`"""Override-able filter for "direct" privacy level"""`
User override in child class instead of if/else for privacy_filter 2021-10-06 18:08:54 +00:00			`return queryset.exclude(~Q(user=viewer), privacy="direct")`
Moves privacy filter to model class 2021-10-06 16:48:11 +00:00
Adds model function to check perms 2021-09-27 21:02:34 +00:00
Updates for broadcast changes 2020-05-14 01:23:54 +00:00			`@receiver(models.signals.post_save)`
Runs black 2021-03-08 16:49:10 +00:00			`# pylint: disable=unused-argument`
Add statuses to timelines 2021-03-22 21:11:23 +00:00			`def set_remote_id(sender, instance, created, args, *kwargs):`
New version of black, new whitespace 2021-04-26 16:15:42 +00:00			`"""set the remote_id after save (when the id is available)"""`
Runs black 2021-03-08 16:49:10 +00:00			`if not created or not hasattr(instance, "get_remote_id"):`
Unify concept of absolute_id and remote_id 2020-05-13 01:56:28 +00:00			`return`
More books tests 2020-05-14 18:28:45 +00:00			`if not instance.remote_id:`
			`instance.remote_id = instance.get_remote_id()`
Fixes field and lists tests 2021-02-07 00:13:59 +00:00			`try:`
			`instance.save(broadcast=False)`
			`except TypeError:`
			`instance.save()`