allow members to see groups and their lists

- add additional logic to visible_to_user, for groups and their objects
- cleans up some queries in Group view

NOTE: I can't work out how to make group lists only visible
to users who should be able to see them, on user group listings.
They still can't access the actual group, but can see it on
user pages. This is potentially problematic.
Hugh Rundle 2021-09-27 20:24:25 +10:00
parent df5a5f94a1
commit 1a02af1450
2 changed files with 15 additions and 11 deletions


@ -77,8 +77,17 @@ class BookWyrmModel(models.Model):
): ):
return True return True
# TODO: if privacy is direct and the object is a group and viewer is a member of the group # you can see groups of which you are a member
# then return True if hasattr(self, "members") and viewer in self.members.all():
return True
# you can see objects which have a group of which you are a member
if hasattr(self, "group"):
if (
hasattr(self.group, "members")
and viewer in self.group.members.all()
):
return True
return False return False
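Review bot: The two membership branches added before the final `return False` key on `hasattr(self, "members")` and `hasattr(self, "group")`, so any `BookWyrmModel` subclass that has, or later gains, an attribute with one of those names inherits a visibility grant that, as far as these lines show, does not consult the object's own privacy level. If the intent is limited to groups and group-owned lists, an override on those models or an explicit type check would keep the grant scoped, with a comment such as `# group membership overrides the privacy level: members always see the group and its objects`. The test `viewer in self.members.all()` also loads every member row to answer a yes/no question; `self.members.filter(id=viewer.id).exists()` asks the database directly, assuming `viewer` is a saved user at this point, which the hunk does not show. The function starts above the hunk, so the earlier checks these branches follow are not visible here.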


@ -13,7 +13,7 @@ from django.db.models.functions import Greatest
from bookwyrm import forms, models from bookwyrm import forms, models
from bookwyrm.suggested_users import suggested_users from bookwyrm.suggested_users import suggested_users
from .helpers import privacy_filter # TODO: from .helpers import privacy_filter
from .helpers import get_user_from_username from .helpers import get_user_from_username
from bookwyrm.settings import DOMAIN from bookwyrm.settings import DOMAIN
@ -23,10 +23,7 @@ class Group(View):
def get(self, request, group_id): def get(self, request, group_id):
"""display a group""" """display a group"""
# TODO: use get_or_404? group = get_object_or_404(models.Group, id=group_id)
# TODO: what is the difference between privacy filter and visible to user?
# get_object_or_404(models.Group, id=group_id)
group = models.Group.objects.get(id=group_id)
lists = models.List.objects.filter(group=group).order_by("-updated_date") lists = models.List.objects.filter(group=group).order_by("-updated_date")
lists = privacy_filter(request.user, lists) lists = privacy_filter(request.user, lists)
@ -43,7 +40,6 @@ class Group(View):
return TemplateResponse(request, "groups/group.html", data) return TemplateResponse(request, "groups/group.html", data)
@method_decorator(login_required, name="dispatch") @method_decorator(login_required, name="dispatch")
# pylint: disable=unused-argument
def post(self, request, group_id): def post(self, request, group_id):
"""edit a group""" """edit a group"""
user_group = get_object_or_404(models.Group, id=group_id) user_group = get_object_or_404(models.Group, id=group_id)
@ -61,7 +57,7 @@ class UserGroups(View):
"""display a group""" """display a group"""
user = get_user_from_username(request.user, username) user = get_user_from_username(request.user, username)
groups = models.Group.objects.filter(members=user).order_by("-updated_date") groups = models.Group.objects.filter(members=user).order_by("-updated_date")
groups = privacy_filter(request.user, groups) # groups = privacy_filter(request.user, groups)
paginated = Paginator(groups, 12) paginated = Paginator(groups, 12)
data = { data = {
@ -127,8 +123,7 @@ def add_member(request):
"""add a member to the group""" """add a member to the group"""
# TODO: if groups become AP values we need something like get_group_from_group_fullname # TODO: if groups become AP values we need something like get_group_from_group_fullname
# group = get_object_or_404(models.Group, id=request.POST.get("group")) group = get_object_or_404(models.Group, id=request.POST.get("group"))
group = models.Group.objects.get(id=request.POST["group"])
if not group: if not group:
return HttpResponseBadRequest() return HttpResponseBadRequest()
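Review bot: Commenting out `privacy_filter` in `UserGroups.get` lists every group the profile owner belongs to for any viewer of the user page, including groups whose privacy setting would otherwise hide them, so group names and membership are disclosed even though the group page itself stays closed. Rather than dropping the filter, one option is to keep it and add back only the groups the viewer shares, e.g. `groups = (privacy_filter(request.user, groups) | groups.filter(members=request.user)).distinct()`, assuming `privacy_filter` returns a queryset of the same model and the viewer is authenticated. Until that is settled, the disabled line should carry a comment stating the exposure, such as `# FIXME: private groups are listed to non-members here`. Separately, in `add_member` the `if not group:` check after `get_object_or_404` can never be true, since that helper raises instead of returning an empty value; that function continues past the hunk.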