From c16047d0bca7db54d71cf098a3603c6de3d9154c Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Tue, 10 Nov 2020 16:43:52 -0800
Subject: [PATCH] Control display of shelves based on privacy settings
---
 bookwyrm/view_actions.py | 2 +-
 bookwyrm/views.py | 22 ++++++++++++++++++++--
 2 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/bookwyrm/view_actions.py b/bookwyrm/view_actions.py
index 18ec0ce4..ee035c5c 100644
--- a/bookwyrm/view_actions.py
+++ b/bookwyrm/view_actions.py
@@ -279,7 +279,7 @@ def create_shelf(request):
 if not form.is_valid():
 return redirect(request.headers.get('Referer', '/'))
 shelf = form.save()
- return redirect('/user/%s/shelves/%s' % \
+ return redirect('/user/%s/shelf/%s' % \
 (request.user.localname, shelf.identifier))
diff --git a/bookwyrm/views.py b/bookwyrm/views.py
index 0bf86d7f..c8b887d1 100644
--- a/bookwyrm/views.py
+++ b/bookwyrm/views.py
@@ -631,14 +631,32 @@ def shelf_page(request, username, shelf_identifier):
 else:
 shelf = user.shelf_set.first()
+ is_self = request.user == user
+
+ shelves = user.shelf_set
+ if not is_self:
+ follower = user.followers.filter(id=request.user.id).exists()
+ # make sure the user has permission to view the shelf
+ if shelf.privacy == 'direct' or \
+ (shelf.privacy == 'followers' and not follower):
+ return HttpResponseNotFound()
+
+ # only show other shelves that should be visible
+ if follower:
+ shelves = shelves.filter(privacy__in=['public', 'followers'])
+ else:
+ print('hi')
+ shelves = shelves.filter(privacy='public')
+
+
 if is_api_request(request):
 return JsonResponse(shelf.to_activity(**request.GET))
 data = {
 'title': user.name,
 'user': user,
- 'is_self': request.user.id == user.id,
- 'shelves': user.shelf_set.all(),
+ 'is_self': is_self,
+ 'shelves': shelves.all(),
 'shelf': shelf,
 'create_form': forms.ShelfForm(),
 'edit_form': forms.ShelfForm(shelf),
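Review bot: The single-shelf permission check added to `shelf_page` is a deny-list (it rejects only `shelf.privacy == 'direct'`, or `'followers'` without a follow), so any other value the privacy field can hold is served to non-owners, while the sidebar filter just below it is an allow-list (`privacy__in=['public', 'followers']`); the first check fails open and the two can disagree. Consider deriving both from one list of viewable levels, e.g. `visible = ['public', 'followers'] if follower else ['public']` followed by `if shelf.privacy not in visible: return HttpResponseNotFound()`, and add explicitly any further level that is meant to be reachable by direct link. The `print('hi')` in the `else:` branch is leftover debugging output and should be removed before merge. The check also dereferences `shelf.privacy` when `shelf` came from `user.shelf_set.first()`, which is None for a user with no shelves; the function starts and ends outside the hunk, so an earlier guard may already cover that.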