Add EmbedList view with an X-Frame-Options exemption

2021-12-04 16:07:21 +01:00 · 2021-12-04 16:07:21 +01:00 · d22167e105
parent 3bd28afe93
commit d22167e105
1 changed files with 68 additions and 1 deletions
--- a/bookwyrm/views/list.py
+++ b/bookwyrm/views/list.py
@ -7,13 +7,14 @@ from django.core.paginator import Paginator
 from django.db import IntegrityError, transaction
 from django.db.models import Avg, Count, DecimalField, Q, Max
 from django.db.models.functions import Coalesce
-from django.http import HttpResponseBadRequest, HttpResponse
+from django.http import HttpResponseBadRequest, HttpResponse, Http404
 from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.http import require_POST
+from django.views.decorators.clickjacking import xframe_options_exempt

 from bookwyrm import book_search, forms, models
 from bookwyrm.activitypub import ActivitypubResponse
@ -200,6 +201,64 @@ class List(View):
        return redirect(book_list.local_path)


+class EmbedList(View):
+    """embeded book list page"""
+
+    def get(self, request, list_id, list_key):
+        """display a book list"""
+        book_list = get_object_or_404(models.List, id=list_id)
+
+        embed_key = str(book_list.embed_key.hex)
+
+        if list_key != embed_key:
+            raise Http404()
+
+        query = request.GET.get("q")
+        suggestions = None
+
+        # sort_by shall be "order" unless a valid alternative is given
+        sort_by = request.GET.get("sort_by", "order")
+        if sort_by not in ("order", "title", "rating"):
+            sort_by = "order"
+
+        # direction shall be "ascending" unless a valid alternative is given
+        direction = request.GET.get("direction", "ascending")
+        if direction not in ("ascending", "descending"):
+            direction = "ascending"
+
+        directional_sort_by = {
+            "order": "order",
+            "title": "book__title",
+            "rating": "average_rating",
+        }[sort_by]
+        if direction == "descending":
+            directional_sort_by = "-" + directional_sort_by
+
+        items = book_list.listitem_set.prefetch_related("user", "book", "book__authors")
+        if sort_by == "rating":
+            items = items.annotate(
+                average_rating=Avg(
+                    Coalesce("book__review__rating", 0.0),
+                    output_field=DecimalField(),
+                )
+            )
+        items = items.filter(approved=True).order_by(directional_sort_by)
+
+        paginated = Paginator(items, PAGE_LENGTH)
+
+        page = paginated.get_page(request.GET.get("page"))
+
+        data = {
+            "list": book_list,
+            "items": page,
+            "page_range": paginated.get_elided_page_range(
+                page.number, on_each_side=2, on_ends=1
+            ),
+            "query": query or "",
+        }
+        return TemplateResponse(request, "lists/embed-list.html", data)
+
+
 class Curate(View):
    """approve or discard list suggestsions"""

@ -447,3 +506,11 @@ def normalize_book_list_ordering(book_list_id, start=0, add_offset=0):
        if item.order != effective_order:
            item.order = effective_order
            item.save()
+
+
+@xframe_options_exempt
+def unsafe_embed_list(request, *args, **kwargs):
+    """allows the EmbedList view to be loaded through unsafe iframe origins"""
+
+    embed_list_view = EmbedList.as_view()
+    return embed_list_view(request, *args, **kwargs)