allow members to see groups and their lists

- add additional logic to visible_to_user, for groups and their objects - cleans up some queries in Group view NOTE: I can't work out how to make group lists only visible to users who should be able to see them, on user group listings. They still can't access the actual group, but can see it on user pages. This is potentialy problematic.
2025-01-05 14:58:43 +00:00 · 2021-09-27 20:24:25 +10:00 · 2021-09-27 20:24:25 +10:00 · 1a02af1450
commit 1a02af1450
parent df5a5f94a1
2 changed files with 15 additions and 11 deletions
--- a/bookwyrm/models/base_model.py
+++ b/bookwyrm/models/base_model.py
@ -77,8 +77,17 @@ class BookWyrmModel(models.Model):
            ):
                return True

-# TODO: if privacy is direct and the object is a group and viewer is a member of the group
-# then return True
+        # you can see groups of which you are a member
+        if hasattr(self, "members") and viewer in self.members.all():
+            return True
+
+        # you can see objects which have a group of which you are a member
+        if hasattr(self, "group"):
+            if (
+                hasattr(self.group, "members")
+                and viewer in self.group.members.all()
+            ):
+                return True

        return False

--- a/bookwyrm/views/group.py
+++ b/bookwyrm/views/group.py
@ -13,7 +13,7 @@ from django.db.models.functions import Greatest

 from bookwyrm import forms, models
 from bookwyrm.suggested_users import suggested_users
-from .helpers import privacy_filter # TODO:
+from .helpers import privacy_filter
 from .helpers import get_user_from_username
 from bookwyrm.settings import DOMAIN

@ -23,10 +23,7 @@ class Group(View):
    def get(self, request, group_id):
        """display a group"""

-        # TODO: use get_or_404?
-        # TODO: what is the difference between privacy filter and visible to user?
-        # get_object_or_404(models.Group, id=group_id)
-        group = models.Group.objects.get(id=group_id) 
+        group = get_object_or_404(models.Group, id=group_id)
        lists = models.List.objects.filter(group=group).order_by("-updated_date")
        lists = privacy_filter(request.user, lists)

@ -43,7 +40,6 @@ class Group(View):
        return TemplateResponse(request, "groups/group.html", data)

    @method_decorator(login_required, name="dispatch")
-    # pylint: disable=unused-argument
    def post(self, request, group_id):
        """edit a group"""
        user_group = get_object_or_404(models.Group, id=group_id)
@ -61,7 +57,7 @@ class UserGroups(View):
        """display a group"""
        user = get_user_from_username(request.user, username)
        groups = models.Group.objects.filter(members=user).order_by("-updated_date")
-        groups = privacy_filter(request.user, groups)
+        # groups = privacy_filter(request.user, groups)
        paginated = Paginator(groups, 12)

        data = {
@ -127,8 +123,7 @@ def add_member(request):
    """add a member to the group"""

    # TODO: if groups become AP values we need something like get_group_from_group_fullname
-    # group = get_object_or_404(models.Group, id=request.POST.get("group"))
-    group = models.Group.objects.get(id=request.POST["group"])
+    group = get_object_or_404(models.Group, id=request.POST.get("group"))
    if not group:
        return HttpResponseBadRequest()