AdventureLog/backend/server/adventures/permissions.py

from rest_framework import permissions

class IsOwnerOrReadOnly(permissions.BasePermission):
    """
    Owners can edit, others have read-only access.
    """
    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return True
        # obj.user_id is FK to User, compare with request.user
        return obj.user_id == request.user


class IsPublicReadOnly(permissions.BasePermission):
    """
    Read-only if public or owner, write only for owner.
    """
    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
            return obj.is_public or obj.user_id == request.user
        return obj.user_id == request.user


class CollectionShared(permissions.BasePermission):
    """
    Allow full access if user is in shared_with of collection(s) or owner,
    read-only if public or shared_with,
    write only if owner or shared_with.
    """
    def has_object_permission(self, request, view, obj):
        user = request.user
        if not user or not user.is_authenticated:
            # Anonymous: only read public
            return request.method in permissions.SAFE_METHODS and obj.is_public

        # Check if user is in shared_with of any collections related to the obj
        # If obj is a Collection itself:
        if hasattr(obj, 'shared_with'):
            if obj.shared_with.filter(id=user.id).exists():
                return True

        # If obj is an Adventure (has collections M2M)
        if hasattr(obj, 'collections'):
            # Check if user is in shared_with of any related collection
            shared_collections = obj.collections.filter(shared_with=user)
            if shared_collections.exists():
                return True

        # Read permission if public or owner
        if request.method in permissions.SAFE_METHODS:
            return obj.is_public or obj.user_id == user

        # Write permission only if owner or shared user via collections
        if obj.user_id == user:
            return True

        if hasattr(obj, 'collections'):
            if obj.collections.filter(shared_with=user).exists():
                return True

        # Default deny
        return False


class IsOwnerOrSharedWithFullAccess(permissions.BasePermission):
    """
    Full access for owners and users shared via collections,
    read-only for others if public.
    """
    def has_object_permission(self, request, view, obj):
        user = request.user
        if not user or not user.is_authenticated:
            return request.method in permissions.SAFE_METHODS and obj.is_public

        # If safe method (read), allow if:
        if request.method in permissions.SAFE_METHODS:
            if obj.is_public:
                return True
            if obj.user_id == user:
                return True
            # If user in shared_with of any collection related to obj
            if hasattr(obj, 'collections') and obj.collections.filter(shared_with=user).exists():
                return True
            if hasattr(obj, 'collection') and obj.collection and obj.collection.shared_with.filter(id=user.id).exists():
                return True
            if hasattr(obj, 'shared_with') and obj.shared_with.filter(id=user.id).exists():
                return True
            return False

        # For write methods, allow if owner or shared user
        if obj.user_id == user:
            return True
        if hasattr(obj, 'collections') and obj.collections.filter(shared_with=user).exists():
            return True
        if hasattr(obj, 'collection') and obj.collection and obj.collection.shared_with.filter(id=user.id).exists():
            return True
        if hasattr(obj, 'shared_with') and obj.shared_with.filter(id=user.id).exists():
            return True

        return False
chore: Add TripViewSet and TripSerializer for managing trips 2024-07-09 13:26:39 -04:00			`from rest_framework import permissions`

			`class IsOwnerOrReadOnly(permissions.BasePermission):`
			`"""`
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`Owners can edit, others have read-only access.`
chore: Add TripViewSet and TripSerializer for managing trips 2024-07-09 13:26:39 -04:00			`"""`
			`def has_object_permission(self, request, view, obj):`
			`if request.method in permissions.SAFE_METHODS:`
			`return True`
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`# obj.user_id is FK to User, compare with request.user`
permisison fixes 2024-07-09 16:48:52 -04:00			`return obj.user_id == request.user`


			`class IsPublicReadOnly(permissions.BasePermission):`
			`"""`
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`Read-only if public or owner, write only for owner.`
permisison fixes 2024-07-09 16:48:52 -04:00			`"""`
			`def has_object_permission(self, request, view, obj):`
			`if request.method in permissions.SAFE_METHODS:`
			`return obj.is_public or obj.user_id == request.user`
More sharing feartures and permissions 2024-09-02 10:29:51 -04:00			`return obj.user_id == request.user`
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00

More sharing feartures and permissions 2024-09-02 10:29:51 -04:00			`class CollectionShared(permissions.BasePermission):`
			`"""`
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`Allow full access if user is in shared_with of collection(s) or owner,`
			`read-only if public or shared_with,`
			`write only if owner or shared_with.`
More sharing feartures and permissions 2024-09-02 10:29:51 -04:00			`"""`
			`def has_object_permission(self, request, view, obj):`
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`user = request.user`
			`if not user or not user.is_authenticated:`
			`# Anonymous: only read public`
			`return request.method in permissions.SAFE_METHODS and obj.is_public`
More sharing feartures and permissions 2024-09-02 10:29:51 -04:00
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`# Check if user is in shared_with of any collections related to the obj`
			`# If obj is a Collection itself:`
			`if hasattr(obj, 'shared_with'):`
			`if obj.shared_with.filter(id=user.id).exists():`
			`return True`

			`# If obj is an Adventure (has collections M2M)`
			`if hasattr(obj, 'collections'):`
			`# Check if user is in shared_with of any related collection`
			`shared_collections = obj.collections.filter(shared_with=user)`
			`if shared_collections.exists():`
			`return True`
More sharing feartures and permissions 2024-09-02 10:29:51 -04:00
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`# Read permission if public or owner`
More sharing feartures and permissions 2024-09-02 10:29:51 -04:00			`if request.method in permissions.SAFE_METHODS:`
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`return obj.is_public or obj.user_id == user`

			`# Write permission only if owner or shared user via collections`
			`if obj.user_id == user:`
			`return True`

			`if hasattr(obj, 'collections'):`
			`if obj.collections.filter(shared_with=user).exists():`
			`return True`

			`# Default deny`
			`return False`
More sharing feartures and permissions 2024-09-02 10:29:51 -04:00

			`class IsOwnerOrSharedWithFullAccess(permissions.BasePermission):`
			`"""`
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`Full access for owners and users shared via collections,`
			`read-only for others if public.`
More sharing feartures and permissions 2024-09-02 10:29:51 -04:00			`"""`
			`def has_object_permission(self, request, view, obj):`
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`user = request.user`
			`if not user or not user.is_authenticated:`
			`return request.method in permissions.SAFE_METHODS and obj.is_public`
More sharing feartures and permissions 2024-09-02 10:29:51 -04:00
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`# If safe method (read), allow if:`
More sharing feartures and permissions 2024-09-02 10:29:51 -04:00			`if request.method in permissions.SAFE_METHODS:`
feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`if obj.is_public:`
			`return True`
			`if obj.user_id == user:`
			`return True`
			`# If user in shared_with of any collection related to obj`
			`if hasattr(obj, 'collections') and obj.collections.filter(shared_with=user).exists():`
			`return True`
			`if hasattr(obj, 'collection') and obj.collection and obj.collection.shared_with.filter(id=user.id).exists():`
			`return True`
			`if hasattr(obj, 'shared_with') and obj.shared_with.filter(id=user.id).exists():`
			`return True`
			`return False`

			`# For write methods, allow if owner or shared user`
			`if obj.user_id == user:`
			`return True`
			`if hasattr(obj, 'collections') and obj.collections.filter(shared_with=user).exists():`
			`return True`
			`if hasattr(obj, 'collection') and obj.collection and obj.collection.shared_with.filter(id=user.id).exists():`
			`return True`
			`if hasattr(obj, 'shared_with') and obj.shared_with.filter(id=user.id).exists():`
More sharing feartures and permissions 2024-09-02 10:29:51 -04:00			`return True`

feat: Enhance Adventure and Collection Management - Added support for multiple collections in AdventureSerializer, allowing adventures to be linked to multiple collections. - Implemented validation to ensure collections belong to the current user during adventure creation and updates. - Introduced a signal to update adventure publicity based on the public status of linked collections. - Updated file permission checks to consider multiple collections when determining access rights. - Modified AdventureImageViewSet and AttachmentViewSet to check access against collections instead of a single collection. - Enhanced AdventureViewSet to support filtering and sorting adventures based on collections. - Updated frontend components to manage collections more effectively, including linking and unlinking adventures from collections. - Adjusted API endpoints and data structures to accommodate the new collections feature. - Improved user experience with appropriate notifications for collection actions. 2025-06-12 15:54:01 -04:00			`return False`