Control display of shelves based on privacy settings

2020-11-10 16:43:52 -08:00 · 2020-11-10 16:43:52 -08:00 · c16047d0bc
parent 176257eb85
commit c16047d0bc
2 changed files with 21 additions and 3 deletions
--- a/bookwyrm/view_actions.py
+++ b/bookwyrm/view_actions.py
@ -279,7 +279,7 @@ def create_shelf(request):
    if not form.is_valid():
        return redirect(request.headers.get('Referer', '/'))
    shelf = form.save()
-    return redirect('/user/%s/shelves/%s' % \
+    return redirect('/user/%s/shelf/%s' % \
            (request.user.localname, shelf.identifier))


--- a/bookwyrm/views.py
+++ b/bookwyrm/views.py
@ -631,14 +631,32 @@ def shelf_page(request, username, shelf_identifier):
    else:
        shelf = user.shelf_set.first()

+    is_self = request.user == user
+
+    shelves = user.shelf_set
+    if not is_self:
+        follower = user.followers.filter(id=request.user.id).exists()
+        # make sure the user has permission to view the shelf
+        if shelf.privacy == 'direct' or \
+                (shelf.privacy == 'followers' and not follower):
+            return HttpResponseNotFound()
+
+        # only show other shelves that should be visible
+        if follower:
+            shelves = shelves.filter(privacy__in=['public', 'followers'])
+        else:
+            print('hi')
+            shelves = shelves.filter(privacy='public')
+
+
    if is_api_request(request):
        return JsonResponse(shelf.to_activity(**request.GET))

    data = {
        'title': user.name,
        'user': user,
-        'is_self': request.user.id == user.id,
-        'shelves': user.shelf_set.all(),
+        'is_self': is_self,
+        'shelves': shelves.all(),
        'shelf': shelf,
        'create_form': forms.ShelfForm(),
        'edit_form': forms.ShelfForm(shelf),