diff --git a/README.md b/README.md index 546e95a..1491d6b 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,8 @@ **Documentation can be found [here](https://docs.adventurelog.app).** +**Join the AdventureLog Community Discord Server [here](https://discord.gg/wRbQ9Egr8C).** + # Table of Contents - [Installation](#installation) diff --git a/backend/server/adventures/admin.py b/backend/server/adventures/admin.py index 7ac6842..ab8bfc6 100644 --- a/backend/server/adventures/admin.py +++ b/backend/server/adventures/admin.py @@ -46,8 +46,9 @@ from users.models import CustomUser class CustomUserAdmin(UserAdmin): model = CustomUser list_display = ['username', 'email', 'is_staff', 'is_active', 'image_display'] + readonly_fields = ('uuid',) fieldsets = UserAdmin.fieldsets + ( - (None, {'fields': ('profile_pic',)}), + (None, {'fields': ('profile_pic', 'uuid', 'public_profile')}), ) def image_display(self, obj): if obj.profile_pic: diff --git a/backend/server/adventures/migrations/0005_collection_shared_with.py b/backend/server/adventures/migrations/0005_collection_shared_with.py new file mode 100644 index 0000000..c3ee3ac --- /dev/null +++ b/backend/server/adventures/migrations/0005_collection_shared_with.py @@ -0,0 +1,20 @@ +# Generated by Django 5.0.8 on 2024-09-02 13:21 + +from django.conf import settings +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('adventures', '0004_transportation_end_date'), + migrations.swappable_dependency(settings.AUTH_USER_MODEL), + ] + + operations = [ + migrations.AddField( + model_name='collection', + name='shared_with', + field=models.ManyToManyField(blank=True, related_name='shared_with', to=settings.AUTH_USER_MODEL), + ), + ] diff --git a/backend/server/adventures/models.py b/backend/server/adventures/models.py index a7f3522..79033be 100644 --- a/backend/server/adventures/models.py +++ b/backend/server/adventures/models.py @@ -81,6 +81,7 @@ class Collection(models.Model): end_date = models.DateField(blank=True, null=True) updated_at = models.DateTimeField(auto_now=True) is_archived = models.BooleanField(default=False) + shared_with = models.ManyToManyField(User, related_name='shared_with', blank=True) # if connected adventures are private and collection is public, raise an error diff --git a/backend/server/adventures/permissions.py b/backend/server/adventures/permissions.py index b4241c2..5f9a911 100644 --- a/backend/server/adventures/permissions.py +++ b/backend/server/adventures/permissions.py @@ -27,4 +27,71 @@ class IsPublicReadOnly(permissions.BasePermission): return obj.is_public or obj.user_id == request.user # Write permissions are only allowed to the owner of the object + return obj.user_id == request.user + +class CollectionShared(permissions.BasePermission): + """ + Custom permission to only allow read-only access to public objects, + and write access to the owner of the object. + """ + + def has_object_permission(self, request, view, obj): + + # Read permissions are allowed if the object is shared with the user + if obj.shared_with and obj.shared_with.filter(id=request.user.id).exists(): + return True + + # Write permissions are allowed if the object is shared with the user + if request.method not in permissions.SAFE_METHODS and obj.shared_with.filter(id=request.user.id).exists(): + return True + + # Read permissions are allowed if the object is public + if request.method in permissions.SAFE_METHODS: + return obj.is_public or obj.user_id == request.user + + # Write permissions are only allowed to the owner of the object + return obj.user_id == request.user + +class IsOwnerOrSharedWithFullAccess(permissions.BasePermission): + """ + Custom permission to allow: + - Full access for shared users + - Full access for owners + - Read-only access for others on safe methods + """ + + def has_object_permission(self, request, view, obj): + # Check if the object has a collection + if hasattr(obj, 'collection') and obj.collection: + # Allow all actions for shared users + if request.user in obj.collection.shared_with.all(): + return True + + # Always allow GET, HEAD, or OPTIONS requests (safe methods) + if request.method in permissions.SAFE_METHODS: + return True + + # Allow all actions for the owner + return obj.user_id == request.user + +class IsPublicOrOwnerOrSharedWithFullAccess(permissions.BasePermission): + """ + Custom permission to allow: + - Read-only access for public objects + - Full access for shared users + - Full access for owners + """ + + def has_object_permission(self, request, view, obj): + # Allow read-only access for public objects + if obj.is_public and request.method in permissions.SAFE_METHODS: + return True + + # Check if the object has a collection + if hasattr(obj, 'collection') and obj.collection: + # Allow all actions for shared users + if request.user in obj.collection.shared_with.all(): + return True + + # Allow all actions for the owner return obj.user_id == request.user \ No newline at end of file diff --git a/backend/server/adventures/serializers.py b/backend/server/adventures/serializers.py index 9acd0b2..c012976 100644 --- a/backend/server/adventures/serializers.py +++ b/backend/server/adventures/serializers.py @@ -8,19 +8,6 @@ class AdventureImageSerializer(serializers.ModelSerializer): fields = ['id', 'image', 'adventure'] read_only_fields = ['id'] - # def to_representation(self, instance): - # representation = super().to_representation(instance) - - # # Build the full URL for the image - # request = self.context.get('request') - # if request and instance.image: - # public_url = request.build_absolute_uri(instance.image.url) - # else: - # public_url = f"{os.environ.get('PUBLIC_URL', 'http://127.0.0.1:8000').rstrip('/')}/media/{instance.image.name}" - - # representation['image'] = public_url - # return representation - def to_representation(self, instance): representation = super().to_representation(instance) if instance.image: @@ -55,29 +42,6 @@ class TransportationSerializer(serializers.ModelSerializer): ] read_only_fields = ['id', 'created_at', 'updated_at', 'user_id'] - def validate(self, data): - # Check if the collection is public and the transportation is not - collection = data.get('collection') - is_public = data.get('is_public', False) - if collection and collection.is_public and not is_public: - raise serializers.ValidationError( - 'Transportations associated with a public collection must be public.' - ) - - # Check if the user owns the collection - request = self.context.get('request') - if request and collection and collection.user_id != request.user: - raise serializers.ValidationError( - 'Transportations must be associated with collections owned by the same user.' - ) - - return data - - def create(self, validated_data): - # Set the user_id to the current user - validated_data['user_id'] = self.context['request'].user - return super().create(validated_data) - class NoteSerializer(serializers.ModelSerializer): class Meta: @@ -87,29 +51,6 @@ class NoteSerializer(serializers.ModelSerializer): 'is_public', 'collection', 'created_at', 'updated_at' ] read_only_fields = ['id', 'created_at', 'updated_at', 'user_id'] - - def validate(self, data): - # Check if the collection is public and the transportation is not - collection = data.get('collection') - is_public = data.get('is_public', False) - if collection and collection.is_public and not is_public: - raise serializers.ValidationError( - 'Notes associated with a public collection must be public.' - ) - - # Check if the user owns the collection - request = self.context.get('request') - if request and collection and collection.user_id != request.user: - raise serializers.ValidationError( - 'Notes must be associated with collections owned by the same user.' - ) - - return data - - def create(self, validated_data): - # Set the user_id to the current user - validated_data['user_id'] = self.context['request'].user - return super().create(validated_data) class ChecklistItemSerializer(serializers.ModelSerializer): class Meta: @@ -119,29 +60,15 @@ class ChecklistItemSerializer(serializers.ModelSerializer): ] read_only_fields = ['id', 'created_at', 'updated_at', 'user_id', 'checklist'] - def validate(self, data): - # Check if the checklist is public and the checklist item is not - checklist = data.get('checklist') - is_checked = data.get('is_checked', False) - if checklist and checklist.is_public and not is_checked: - raise serializers.ValidationError( - 'Checklist items associated with a public checklist must be checked.' - ) - - # Check if the user owns the checklist - request = self.context.get('request') - if request and checklist and checklist.user_id != request.user: - raise serializers.ValidationError( - 'Checklist items must be associated with checklists owned by the same user.' - ) - - return data - - def create(self, validated_data): - # Set the user_id to the current user - validated_data['user_id'] = self.context['request'].user - return super().create(validated_data) - + # def validate(self, data): + # # Check if the checklist is public and the checklist item is not + # checklist = data.get('checklist') + # is_checked = data.get('is_checked', False) + # if checklist and checklist.is_public and not is_checked: + # raise serializers.ValidationError( + # 'Checklist items associated with a public checklist must be checked.' + # ) + class ChecklistSerializer(serializers.ModelSerializer): items = ChecklistItemSerializer(many=True, source='checklistitem_set') @@ -204,13 +131,6 @@ class ChecklistSerializer(serializers.ModelSerializer): 'Checklists associated with a public collection must be public.' ) - # Check if the user owns the checklist - request = self.context.get('request') - if request and collection and collection.user_id != request.user: - raise serializers.ValidationError( - 'Checklists must be associated with collections owned by the same user.' - ) - return data @@ -225,5 +145,14 @@ class CollectionSerializer(serializers.ModelSerializer): class Meta: model = Collection # fields are all plus the adventures field - fields = ['id', 'description', 'user_id', 'name', 'is_public', 'adventures', 'created_at', 'start_date', 'end_date', 'transportations', 'notes', 'updated_at', 'checklists', 'is_archived'] + fields = ['id', 'description', 'user_id', 'name', 'is_public', 'adventures', 'created_at', 'start_date', 'end_date', 'transportations', 'notes', 'updated_at', 'checklists', 'is_archived', 'shared_with'] read_only_fields = ['id', 'created_at', 'updated_at', 'user_id'] + + def to_representation(self, instance): + representation = super().to_representation(instance) + # Make it display the user uuid for the shared users instead of the PK + shared_uuids = [] + for user in instance.shared_with.all(): + shared_uuids.append(str(user.uuid)) + representation['shared_with'] = shared_uuids + return representation \ No newline at end of file diff --git a/backend/server/adventures/views.py b/backend/server/adventures/views.py index ba69054..7d2a136 100644 --- a/backend/server/adventures/views.py +++ b/backend/server/adventures/views.py @@ -6,14 +6,18 @@ from rest_framework import viewsets from django.db.models.functions import Lower from rest_framework.response import Response from .models import Adventure, Checklist, Collection, Transportation, Note, AdventureImage +from django.core.exceptions import PermissionDenied from worldtravel.models import VisitedRegion, Region, Country from .serializers import AdventureImageSerializer, AdventureSerializer, CollectionSerializer, NoteSerializer, TransportationSerializer, ChecklistSerializer from rest_framework.permissions import IsAuthenticated -from django.db.models import Q, Prefetch -from .permissions import IsOwnerOrReadOnly, IsPublicReadOnly +from django.db.models import Q +from .permissions import CollectionShared, IsOwnerOrSharedWithFullAccess, IsPublicOrOwnerOrSharedWithFullAccess from rest_framework.pagination import PageNumberPagination from django.shortcuts import get_object_or_404 from rest_framework import status +from django.contrib.auth import get_user_model + +User = get_user_model() class StandardResultsSetPagination(PageNumberPagination): page_size = 25 @@ -28,7 +32,7 @@ from django.db.models import Q class AdventureViewSet(viewsets.ModelViewSet): serializer_class = AdventureSerializer - permission_classes = [IsOwnerOrReadOnly, IsPublicReadOnly] + permission_classes = [IsOwnerOrSharedWithFullAccess, IsPublicOrOwnerOrSharedWithFullAccess] pagination_class = StandardResultsSetPagination def apply_sorting(self, queryset): @@ -68,41 +72,36 @@ class AdventureViewSet(viewsets.ModelViewSet): return queryset.order_by(ordering) def get_queryset(self): + # if the user is not authenticated return only public adventures for retrieve action + if not self.request.user.is_authenticated: + if self.action == 'retrieve': + return Adventure.objects.filter(is_public=True) + return Adventure.objects.none() + + if self.action == 'retrieve': # For individual adventure retrieval, include public adventures return Adventure.objects.filter( - Q(is_public=True) | Q(user_id=self.request.user.id) + Q(is_public=True) | Q(user_id=self.request.user.id) | Q(collection__shared_with=self.request.user) ) else: - # For other actions, only include user's own adventures - return Adventure.objects.filter(user_id=self.request.user.id) - - def list(self, request, *args, **kwargs): - # Prevent listing all adventures - return Response({"detail": "Listing all adventures is not allowed."}, - status=status.HTTP_403_FORBIDDEN) + # For other actions, include user's own adventures and shared adventures + return Adventure.objects.filter( + Q(user_id=self.request.user.id) | Q(collection__shared_with=self.request.user) + ) def retrieve(self, request, *args, **kwargs): queryset = self.get_queryset() adventure = get_object_or_404(queryset, pk=kwargs['pk']) serializer = self.get_serializer(adventure) return Response(serializer.data) - - def perform_create(self, serializer): - adventure = serializer.save(user_id=self.request.user) - if adventure.collection: - adventure.is_public = adventure.collection.is_public - adventure.save() def perform_update(self, serializer): adventure = serializer.save() if adventure.collection: adventure.is_public = adventure.collection.is_public adventure.save() - - def perform_create(self, serializer): - serializer.save(user_id=self.request.user) - + @action(detail=False, methods=['get']) def filtered(self, request): types = request.query_params.get('types', '').split(',') @@ -195,6 +194,100 @@ class AdventureViewSet(viewsets.ModelViewSet): queryset = self.apply_sorting(queryset) serializer = self.get_serializer(queryset, many=True) return Response(serializer.data) + + def update(self, request, *args, **kwargs): + # Retrieve the current object + instance = self.get_object() + + # Partially update the instance with the request data + serializer = self.get_serializer(instance, data=request.data, partial=True) + serializer.is_valid(raise_exception=True) + + # if the adventure is trying to have is_public changed and its part of a collection return an error + if new_collection is not None: + serializer.validated_data['is_public'] = new_collection.is_public + elif instance.collection: + serializer.validated_data['is_public'] = instance.collection.is_public + + + # Retrieve the collection from the validated data + new_collection = serializer.validated_data.get('collection') + + user = request.user + print(new_collection) + + if new_collection is not None and new_collection!=instance.collection: + # Check if the user is the owner of the new collection + if new_collection.user_id != user or instance.user_id != user: + raise PermissionDenied("You do not have permission to use this collection.") + elif new_collection is None: + # Handle the case where the user is trying to set the collection to None + if instance.collection is not None and instance.collection.user_id != user: + raise PermissionDenied("You cannot remove the collection as you are not the owner.") + + # Perform the update + self.perform_update(serializer) + + # Return the updated instance + return Response(serializer.data) + + def partial_update(self, request, *args, **kwargs): + # Retrieve the current object + instance = self.get_object() + + # Partially update the instance with the request data + serializer = self.get_serializer(instance, data=request.data, partial=True) + serializer.is_valid(raise_exception=True) + + # Retrieve the collection from the validated data + new_collection = serializer.validated_data.get('collection') + + user = request.user + print(new_collection) + + # if the adventure is trying to have is_public changed and its part of a collection return an error + if new_collection is not None: + serializer.validated_data['is_public'] = new_collection.is_public + elif instance.collection: + serializer.validated_data['is_public'] = instance.collection.is_public + + if new_collection is not None and new_collection!=instance.collection: + # Check if the user is the owner of the new collection + if new_collection.user_id != user or instance.user_id != user: + raise PermissionDenied("You do not have permission to use this collection.") + elif new_collection is None: + # Handle the case where the user is trying to set the collection to None + if instance.collection is not None and instance.collection.user_id != user: + raise PermissionDenied("You cannot remove the collection as you are not the owner.") + + # Perform the update + self.perform_update(serializer) + + # Return the updated instance + return Response(serializer.data) + + def perform_update(self, serializer): + serializer.save() + + # when creating an adventure, make sure the user is the owner of the collection or shared with the collection + def perform_create(self, serializer): + # Retrieve the collection from the validated data + collection = serializer.validated_data.get('collection') + + # Check if a collection is provided + if collection: + user = self.request.user + # Check if the user is the owner or is in the shared_with list + if collection.user_id != user and not collection.shared_with.filter(id=user.id).exists(): + # Return an error response if the user does not have permission + raise PermissionDenied("You do not have permission to use this collection.") + # if collection the owner of the adventure is the owner of the collection + # set the is_public field of the adventure to the is_public field of the collection + serializer.save(user_id=collection.user_id, is_public=collection.is_public) + return + + # Save the adventure with the current user as the owner + serializer.save(user_id=self.request.user) def paginate_and_respond(self, queryset, request): paginator = self.pagination_class() @@ -207,7 +300,7 @@ class AdventureViewSet(viewsets.ModelViewSet): class CollectionViewSet(viewsets.ModelViewSet): serializer_class = CollectionSerializer - permission_classes = [IsOwnerOrReadOnly, IsPublicReadOnly] + permission_classes = [CollectionShared] pagination_class = StandardResultsSetPagination # def get_queryset(self): @@ -244,7 +337,7 @@ class CollectionViewSet(viewsets.ModelViewSet): # make sure the user is authenticated if not request.user.is_authenticated: return Response({"error": "User is not authenticated"}, status=400) - queryset = self.get_queryset() + queryset = Collection.objects.filter(user_id=request.user.id) queryset = self.apply_sorting(queryset) collections = self.paginate_and_respond(queryset, request) return collections @@ -285,10 +378,21 @@ class CollectionViewSet(viewsets.ModelViewSet): serializer = self.get_serializer(instance, data=request.data, partial=partial) serializer.is_valid(raise_exception=True) + if 'collection' in serializer.validated_data: + new_collection = serializer.validated_data['collection'] + # if the new collection is different from the old one and the user making the request is not the owner of the new collection return an error + if new_collection != instance.collection and new_collection.user_id != request.user: + return Response({"error": "User does not own the new collection"}, status=400) + # Check if the 'is_public' field is present in the update data if 'is_public' in serializer.validated_data: new_public_status = serializer.validated_data['is_public'] + # if is_publuc has changed and the user is not the owner of the collection return an error + if new_public_status != instance.is_public and instance.user_id != request.user: + print(f"User {request.user.id} does not own the collection {instance.id} that is owned by {instance.user_id}") + return Response({"error": "User does not own the collection"}, status=400) + # Update associated adventures to match the collection's is_public status Adventure.objects.filter(collection=instance).update(is_public=new_public_status) @@ -310,25 +414,86 @@ class CollectionViewSet(viewsets.ModelViewSet): instance._prefetched_objects_cache = {} return Response(serializer.data) + + # make an action to retreive all adventures that are shared with the user + @action(detail=False, methods=['get']) + def shared(self, request): + if not request.user.is_authenticated: + return Response({"error": "User is not authenticated"}, status=400) + queryset = Collection.objects.filter( + shared_with=request.user + ) + queryset = self.apply_sorting(queryset) + serializer = self.get_serializer(queryset, many=True) + return Response(serializer.data) + + # Adds a new user to the shared_with field of an adventure + @action(detail=True, methods=['post'], url_path='share/(?P[^/.]+)') + def share(self, request, pk=None, uuid=None): + collection = self.get_object() + if not uuid: + return Response({"error": "User UUID is required"}, status=400) + try: + user = User.objects.get(uuid=uuid, public_profile=True) + except User.DoesNotExist: + return Response({"error": "User not found"}, status=404) + + if user == request.user: + return Response({"error": "Cannot share with yourself"}, status=400) + + if collection.shared_with.filter(id=user.id).exists(): + return Response({"error": "Adventure is already shared with this user"}, status=400) + + collection.shared_with.add(user) + collection.save() + return Response({"success": f"Shared with {user.username}"}) + + @action(detail=True, methods=['post'], url_path='unshare/(?P[^/.]+)') + def unshare(self, request, pk=None, uuid=None): + if not request.user.is_authenticated: + return Response({"error": "User is not authenticated"}, status=400) + collection = self.get_object() + if not uuid: + return Response({"error": "User UUID is required"}, status=400) + try: + user = User.objects.get(uuid=uuid, public_profile=True) + except User.DoesNotExist: + return Response({"error": "User not found"}, status=404) + + if user == request.user: + return Response({"error": "Cannot unshare with yourself"}, status=400) + + if not collection.shared_with.filter(id=user.id).exists(): + return Response({"error": "Collection is not shared with this user"}, status=400) + + collection.shared_with.remove(user) + collection.save() + return Response({"success": f"Unshared with {user.username}"}) def get_queryset(self): if self.action == 'destroy': return Collection.objects.filter(user_id=self.request.user.id) if self.action in ['update', 'partial_update']: - return Collection.objects.filter(user_id=self.request.user.id) + return Collection.objects.filter( + Q(user_id=self.request.user.id) | Q(shared_with=self.request.user) + ).distinct() if self.action == 'retrieve': + if not self.request.user.is_authenticated: + return Collection.objects.filter(is_public=True) return Collection.objects.filter( - Q(is_public=True) | Q(user_id=self.request.user.id) - ) + Q(is_public=True) | Q(user_id=self.request.user.id) | Q(shared_with=self.request.user) + ).distinct() - # For other actions (like list), only include user's non-archived collections + # For list action, include collections owned by the user or shared with the user, that are not archived return Collection.objects.filter( - Q(user_id=self.request.user.id) & Q(is_archived=False) - ) + (Q(user_id=self.request.user.id) | Q(shared_with=self.request.user)) & Q(is_archived=False) + ).distinct() + def perform_create(self, serializer): + # This is ok because you cannot share a collection when creating it serializer.save(user_id=self.request.user) def paginate_and_respond(self, queryset, request): @@ -430,7 +595,7 @@ class ActivityTypesView(viewsets.ViewSet): class TransportationViewSet(viewsets.ModelViewSet): queryset = Transportation.objects.all() serializer_class = TransportationSerializer - permission_classes = [IsAuthenticated] + permission_classes = [IsOwnerOrSharedWithFullAccess, IsPublicOrOwnerOrSharedWithFullAccess] filterset_fields = ['type', 'is_public', 'collection'] # return error message if user is not authenticated on the root endpoint @@ -451,21 +616,108 @@ class TransportationViewSet(viewsets.ModelViewSet): def get_queryset(self): - - """ - This view should return a list of all transportations - for the currently authenticated user. - """ - user = self.request.user - return Transportation.objects.filter(user_id=user) + # if the user is not authenticated return only public transportations for retrieve action + if not self.request.user.is_authenticated: + if self.action == 'retrieve': + return Transportation.objects.filter(is_public=True) + return Transportation.objects.none() + + if self.action == 'retrieve': + # For individual adventure retrieval, include public adventures + return Transportation.objects.filter( + Q(is_public=True) | Q(user_id=self.request.user.id) | Q(collection__shared_with=self.request.user) + ) + else: + # For other actions, include user's own adventures and shared adventures + return Transportation.objects.filter( + Q(user_id=self.request.user.id) | Q(collection__shared_with=self.request.user) + ) + + def partial_update(self, request, *args, **kwargs): + # Retrieve the current object + instance = self.get_object() + + # Partially update the instance with the request data + serializer = self.get_serializer(instance, data=request.data, partial=True) + serializer.is_valid(raise_exception=True) + + # Retrieve the collection from the validated data + new_collection = serializer.validated_data.get('collection') + + user = request.user + print(new_collection) + + if new_collection is not None and new_collection!=instance.collection: + # Check if the user is the owner of the new collection + if new_collection.user_id != user or instance.user_id != user: + raise PermissionDenied("You do not have permission to use this collection.") + elif new_collection is None: + # Handle the case where the user is trying to set the collection to None + if instance.collection is not None and instance.collection.user_id != user: + raise PermissionDenied("You cannot remove the collection as you are not the owner.") + + # Perform the update + self.perform_update(serializer) + + # Return the updated instance + return Response(serializer.data) + + def partial_update(self, request, *args, **kwargs): + # Retrieve the current object + instance = self.get_object() + + # Partially update the instance with the request data + serializer = self.get_serializer(instance, data=request.data, partial=True) + serializer.is_valid(raise_exception=True) + + # Retrieve the collection from the validated data + new_collection = serializer.validated_data.get('collection') + + user = request.user + print(new_collection) + + if new_collection is not None and new_collection!=instance.collection: + # Check if the user is the owner of the new collection + if new_collection.user_id != user or instance.user_id != user: + raise PermissionDenied("You do not have permission to use this collection.") + elif new_collection is None: + # Handle the case where the user is trying to set the collection to None + if instance.collection is not None and instance.collection.user_id != user: + raise PermissionDenied("You cannot remove the collection as you are not the owner.") + + # Perform the update + self.perform_update(serializer) + + # Return the updated instance + return Response(serializer.data) + + def perform_update(self, serializer): + serializer.save() + + # when creating an adventure, make sure the user is the owner of the collection or shared with the collection def perform_create(self, serializer): + # Retrieve the collection from the validated data + collection = serializer.validated_data.get('collection') + + # Check if a collection is provided + if collection: + user = self.request.user + # Check if the user is the owner or is in the shared_with list + if collection.user_id != user and not collection.shared_with.filter(id=user.id).exists(): + # Return an error response if the user does not have permission + raise PermissionDenied("You do not have permission to use this collection.") + # if collection the owner of the adventure is the owner of the collection + serializer.save(user_id=collection.user_id) + return + + # Save the adventure with the current user as the owner serializer.save(user_id=self.request.user) class NoteViewSet(viewsets.ModelViewSet): queryset = Note.objects.all() serializer_class = NoteSerializer - permission_classes = [IsAuthenticated] + permission_classes = [IsOwnerOrSharedWithFullAccess, IsPublicOrOwnerOrSharedWithFullAccess] filterset_fields = ['is_public', 'collection'] # return error message if user is not authenticated on the root endpoint @@ -486,21 +738,108 @@ class NoteViewSet(viewsets.ModelViewSet): def get_queryset(self): - - """ - This view should return a list of all notes - for the currently authenticated user. - """ - user = self.request.user - return Note.objects.filter(user_id=user) + # if the user is not authenticated return only public transportations for retrieve action + if not self.request.user.is_authenticated: + if self.action == 'retrieve': + return Note.objects.filter(is_public=True) + return Note.objects.none() + + if self.action == 'retrieve': + # For individual adventure retrieval, include public adventures + return Note.objects.filter( + Q(is_public=True) | Q(user_id=self.request.user.id) | Q(collection__shared_with=self.request.user) + ) + else: + # For other actions, include user's own adventures and shared adventures + return Note.objects.filter( + Q(user_id=self.request.user.id) | Q(collection__shared_with=self.request.user) + ) + + def partial_update(self, request, *args, **kwargs): + # Retrieve the current object + instance = self.get_object() + + # Partially update the instance with the request data + serializer = self.get_serializer(instance, data=request.data, partial=True) + serializer.is_valid(raise_exception=True) + + # Retrieve the collection from the validated data + new_collection = serializer.validated_data.get('collection') + + user = request.user + print(new_collection) + + if new_collection is not None and new_collection!=instance.collection: + # Check if the user is the owner of the new collection + if new_collection.user_id != user or instance.user_id != user: + raise PermissionDenied("You do not have permission to use this collection.") + elif new_collection is None: + # Handle the case where the user is trying to set the collection to None + if instance.collection is not None and instance.collection.user_id != user: + raise PermissionDenied("You cannot remove the collection as you are not the owner.") + + # Perform the update + self.perform_update(serializer) + + # Return the updated instance + return Response(serializer.data) + + def partial_update(self, request, *args, **kwargs): + # Retrieve the current object + instance = self.get_object() + + # Partially update the instance with the request data + serializer = self.get_serializer(instance, data=request.data, partial=True) + serializer.is_valid(raise_exception=True) + + # Retrieve the collection from the validated data + new_collection = serializer.validated_data.get('collection') + + user = request.user + print(new_collection) + + if new_collection is not None and new_collection!=instance.collection: + # Check if the user is the owner of the new collection + if new_collection.user_id != user or instance.user_id != user: + raise PermissionDenied("You do not have permission to use this collection.") + elif new_collection is None: + # Handle the case where the user is trying to set the collection to None + if instance.collection is not None and instance.collection.user_id != user: + raise PermissionDenied("You cannot remove the collection as you are not the owner.") + + # Perform the update + self.perform_update(serializer) + + # Return the updated instance + return Response(serializer.data) + + def perform_update(self, serializer): + serializer.save() + + # when creating an adventure, make sure the user is the owner of the collection or shared with the collection def perform_create(self, serializer): + # Retrieve the collection from the validated data + collection = serializer.validated_data.get('collection') + + # Check if a collection is provided + if collection: + user = self.request.user + # Check if the user is the owner or is in the shared_with list + if collection.user_id != user and not collection.shared_with.filter(id=user.id).exists(): + # Return an error response if the user does not have permission + raise PermissionDenied("You do not have permission to use this collection.") + # if collection the owner of the adventure is the owner of the collection + serializer.save(user_id=collection.user_id) + return + + # Save the adventure with the current user as the owner serializer.save(user_id=self.request.user) class ChecklistViewSet(viewsets.ModelViewSet): queryset = Checklist.objects.all() serializer_class = ChecklistSerializer - permission_classes = [IsAuthenticated] + permission_classes = [IsOwnerOrSharedWithFullAccess, IsPublicOrOwnerOrSharedWithFullAccess] filterset_fields = ['is_public', 'collection'] # return error message if user is not authenticated on the root endpoint @@ -521,15 +860,102 @@ class ChecklistViewSet(viewsets.ModelViewSet): def get_queryset(self): - - """ - This view should return a list of all checklists - for the currently authenticated user. - """ - user = self.request.user - return Checklist.objects.filter(user_id=user) + # if the user is not authenticated return only public transportations for retrieve action + if not self.request.user.is_authenticated: + if self.action == 'retrieve': + return Checklist.objects.filter(is_public=True) + return Checklist.objects.none() + + if self.action == 'retrieve': + # For individual adventure retrieval, include public adventures + return Checklist.objects.filter( + Q(is_public=True) | Q(user_id=self.request.user.id) | Q(collection__shared_with=self.request.user) + ) + else: + # For other actions, include user's own adventures and shared adventures + return Checklist.objects.filter( + Q(user_id=self.request.user.id) | Q(collection__shared_with=self.request.user) + ) + + def partial_update(self, request, *args, **kwargs): + # Retrieve the current object + instance = self.get_object() + + # Partially update the instance with the request data + serializer = self.get_serializer(instance, data=request.data, partial=True) + serializer.is_valid(raise_exception=True) + + # Retrieve the collection from the validated data + new_collection = serializer.validated_data.get('collection') + + user = request.user + print(new_collection) + + if new_collection is not None and new_collection!=instance.collection: + # Check if the user is the owner of the new collection + if new_collection.user_id != user or instance.user_id != user: + raise PermissionDenied("You do not have permission to use this collection.") + elif new_collection is None: + # Handle the case where the user is trying to set the collection to None + if instance.collection is not None and instance.collection.user_id != user: + raise PermissionDenied("You cannot remove the collection as you are not the owner.") + + # Perform the update + self.perform_update(serializer) + + # Return the updated instance + return Response(serializer.data) + + def partial_update(self, request, *args, **kwargs): + # Retrieve the current object + instance = self.get_object() + + # Partially update the instance with the request data + serializer = self.get_serializer(instance, data=request.data, partial=True) + serializer.is_valid(raise_exception=True) + + # Retrieve the collection from the validated data + new_collection = serializer.validated_data.get('collection') + + user = request.user + print(new_collection) + + if new_collection is not None and new_collection!=instance.collection: + # Check if the user is the owner of the new collection + if new_collection.user_id != user or instance.user_id != user: + raise PermissionDenied("You do not have permission to use this collection.") + elif new_collection is None: + # Handle the case where the user is trying to set the collection to None + if instance.collection is not None and instance.collection.user_id != user: + raise PermissionDenied("You cannot remove the collection as you are not the owner.") + + # Perform the update + self.perform_update(serializer) + + # Return the updated instance + return Response(serializer.data) + + def perform_update(self, serializer): + serializer.save() + + # when creating an adventure, make sure the user is the owner of the collection or shared with the collection def perform_create(self, serializer): + # Retrieve the collection from the validated data + collection = serializer.validated_data.get('collection') + + # Check if a collection is provided + if collection: + user = self.request.user + # Check if the user is the owner or is in the shared_with list + if collection.user_id != user and not collection.shared_with.filter(id=user.id).exists(): + # Return an error response if the user does not have permission + raise PermissionDenied("You do not have permission to use this collection.") + # if collection the owner of the adventure is the owner of the collection + serializer.save(user_id=collection.user_id) + return + + # Save the adventure with the current user as the owner serializer.save(user_id=self.request.user) class AdventureImageViewSet(viewsets.ModelViewSet): @@ -555,7 +981,13 @@ class AdventureImageViewSet(viewsets.ModelViewSet): return Response({"error": "Adventure not found"}, status=status.HTTP_404_NOT_FOUND) if adventure.user_id != request.user: - return Response({"error": "User does not own this adventure"}, status=status.HTTP_403_FORBIDDEN) + # Check if the adventure has a collection + if adventure.collection: + # Check if the user is in the collection's shared_with list + if not adventure.collection.shared_with.filter(id=request.user.id).exists(): + return Response({"error": "User does not have permission to access this adventure"}, status=status.HTTP_403_FORBIDDEN) + else: + return Response({"error": "User does not own this adventure"}, status=status.HTTP_403_FORBIDDEN) return super().create(request, *args, **kwargs) diff --git a/backend/server/main/urls.py b/backend/server/main/urls.py index e9eb1f7..fe098bd 100644 --- a/backend/server/main/urls.py +++ b/backend/server/main/urls.py @@ -4,7 +4,7 @@ from django.views.generic import RedirectView, TemplateView from django.conf import settings from django.conf.urls.static import static from adventures import urls as adventures -from users.views import ChangeEmailView, IsRegistrationDisabled +from users.views import ChangeEmailView, IsRegistrationDisabled, PublicUserListView, PublicUserDetailView from .views import get_csrf_token from drf_yasg.views import get_schema_view @@ -22,6 +22,8 @@ urlpatterns = [ path('auth/change-email/', ChangeEmailView.as_view(), name='change_email'), path('auth/is-registration-disabled/', IsRegistrationDisabled.as_view(), name='is_registration_disabled'), + path('auth/users/', PublicUserListView.as_view(), name='public-user-list'), + path('auth/user//', PublicUserDetailView.as_view(), name='public-user-detail'), path('csrf/', get_csrf_token, name='get_csrf_token'), re_path(r'^$', TemplateView.as_view( diff --git a/backend/server/users/migrations/0002_customuser_public_profile.py b/backend/server/users/migrations/0002_customuser_public_profile.py new file mode 100644 index 0000000..e8ba313 --- /dev/null +++ b/backend/server/users/migrations/0002_customuser_public_profile.py @@ -0,0 +1,18 @@ +# Generated by Django 5.0.8 on 2024-09-06 23:46 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('users', '0001_initial'), + ] + + operations = [ + migrations.AddField( + model_name='customuser', + name='public_profile', + field=models.BooleanField(default=False), + ), + ] diff --git a/backend/server/users/models.py b/backend/server/users/models.py index d1fd990..fa28f1c 100644 --- a/backend/server/users/models.py +++ b/backend/server/users/models.py @@ -6,6 +6,7 @@ from django_resized import ResizedImageField class CustomUser(AbstractUser): profile_pic = ResizedImageField(force_format="WEBP", quality=75, null=True, blank=True, upload_to='profile-pics/') uuid = models.UUIDField(default=uuid.uuid4, editable=False, unique=True) + public_profile = models.BooleanField(default=False) def __str__(self): return self.username \ No newline at end of file diff --git a/backend/server/users/serializers.py b/backend/server/users/serializers.py index d9628ba..f7e4df6 100644 --- a/backend/server/users/serializers.py +++ b/backend/server/users/serializers.py @@ -1,7 +1,7 @@ from rest_framework import serializers from django.contrib.auth import get_user_model -from adventures.models import Adventure +from adventures.models import Adventure, Collection from users.forms import CustomAllAuthPasswordResetForm from dj_rest_auth.serializers import PasswordResetSerializer from rest_framework.exceptions import PermissionDenied @@ -133,8 +133,6 @@ class UserDetailsSerializer(serializers.ModelSerializer): @staticmethod def validate_username(username): if 'allauth.account' not in settings.INSTALLED_APPS: - # We don't need to call the all-auth - # username validator unless it's installed return username from allauth.account.adapter import get_adapter @@ -142,12 +140,9 @@ class UserDetailsSerializer(serializers.ModelSerializer): return username class Meta: - extra_fields = ['profile_pic'] + extra_fields = ['profile_pic', 'uuid', 'public_profile'] profile_pic = serializers.ImageField(required=False) - # see https://github.com/iMerica/dj-rest-auth/issues/181 - # UserModel.XYZ causing attribute error while importing other - # classes from `serializers.py`. So, we need to check whether the auth model has - # the attribute or not + if hasattr(UserModel, 'USERNAME_FIELD'): extra_fields.append(UserModel.USERNAME_FIELD) if hasattr(UserModel, 'EMAIL_FIELD'): @@ -160,21 +155,38 @@ class UserDetailsSerializer(serializers.ModelSerializer): extra_fields.append('date_joined') if hasattr(UserModel, 'is_staff'): extra_fields.append('is_staff') + if hasattr(UserModel, 'public_profile'): + extra_fields.append('public_profile') class Meta(UserDetailsSerializer.Meta): model = CustomUser - fields = UserDetailsSerializer.Meta.fields + ('profile_pic',) - + fields = UserDetailsSerializer.Meta.fields + ('profile_pic', 'uuid', 'public_profile') + model = UserModel fields = ('pk', *extra_fields) read_only_fields = ('email', 'date_joined', 'is_staff', 'is_superuser', 'is_active', 'pk') + def handle_public_profile_change(self, instance, validated_data): + """Remove user from `shared_with` if public profile is set to False.""" + if 'public_profile' in validated_data and not validated_data['public_profile']: + for collection in Collection.objects.filter(shared_with=instance): + collection.shared_with.remove(instance) + + def update(self, instance, validated_data): + self.handle_public_profile_change(instance, validated_data) + return super().update(instance, validated_data) + + def partial_update(self, instance, validated_data): + self.handle_public_profile_change(instance, validated_data) + return super().partial_update(instance, validated_data) + + class CustomUserDetailsSerializer(UserDetailsSerializer): class Meta(UserDetailsSerializer.Meta): model = CustomUser - fields = UserDetailsSerializer.Meta.fields + ('profile_pic',) + fields = UserDetailsSerializer.Meta.fields + ('profile_pic', 'uuid', 'public_profile') def to_representation(self, instance): representation = super().to_representation(instance) diff --git a/backend/server/users/views.py b/backend/server/users/views.py index 2c8021d..5300d8c 100644 --- a/backend/server/users/views.py +++ b/backend/server/users/views.py @@ -6,6 +6,11 @@ from .serializers import ChangeEmailSerializer from drf_yasg.utils import swagger_auto_schema from drf_yasg import openapi from django.conf import settings +from django.shortcuts import get_object_or_404 +from django.contrib.auth import get_user_model +from .serializers import CustomUserDetailsSerializer as PublicUserSerializer + +User = get_user_model() class ChangeEmailView(APIView): permission_classes = [IsAuthenticated] @@ -41,4 +46,40 @@ class IsRegistrationDisabled(APIView): ) def get(self, request): return Response({"is_disabled": settings.DISABLE_REGISTRATION, "message": settings.DISABLE_REGISTRATION_MESSAGE}, status=status.HTTP_200_OK) - \ No newline at end of file + +class PublicUserListView(APIView): + # Allow the listing of all public users + permission_classes = [] + + @swagger_auto_schema( + responses={ + 200: openapi.Response('List of public users'), + 400: 'Bad Request' + }, + operation_description="List public users." + ) + def get(self, request): + users = User.objects.filter(public_profile=True).exclude(id=request.user.id) + # remove the email addresses from the response + for user in users: + user.email = None + serializer = PublicUserSerializer(users, many=True) + return Response(serializer.data, status=status.HTTP_200_OK) + +class PublicUserDetailView(APIView): + # Allow the retrieval of a single public user + permission_classes = [] + + @swagger_auto_schema( + responses={ + 200: openapi.Response('Public user information'), + 400: 'Bad Request' + }, + operation_description="Get public user information." + ) + def get(self, request, user_id): + user = get_object_or_404(User, uuid=user_id, public_profile=True) + # remove the email address from the response + user.email = None + serializer = PublicUserSerializer(user) + return Response(serializer.data, status=status.HTTP_200_OK) diff --git a/deploy.sh b/deploy.sh index 9548c7c..e2372e7 100644 --- a/deploy.sh +++ b/deploy.sh @@ -4,4 +4,5 @@ echo "Deploying latest version of AdventureLog" docker compose pull echo "Stating containers" docker compose up -d -echo "All set!" \ No newline at end of file +echo "All set!" +docker logs adventurelog-backend --follow \ No newline at end of file diff --git a/frontend/src/app.d.ts b/frontend/src/app.d.ts index ab72576..fe9063d 100644 --- a/frontend/src/app.d.ts +++ b/frontend/src/app.d.ts @@ -13,6 +13,8 @@ declare global { date_joined: string | null; is_staff: boolean; profile_pic: string | null; + uuid: string; + public_profile: boolean; } | null; } // interface PageData {} diff --git a/frontend/src/lib/components/AdventureCard.svelte b/frontend/src/lib/components/AdventureCard.svelte index 3264ae1..d72fdfa 100644 --- a/frontend/src/lib/components/AdventureCard.svelte +++ b/frontend/src/lib/components/AdventureCard.svelte @@ -1,7 +1,7 @@
@@ -51,10 +52,10 @@ - - {#if checklist.user_id == user?.pk} + {#if checklist.user_id == user?.pk || (collection && user && collection.shared_with.includes(user.uuid))}
-
{collection.is_public ? 'Public' : 'Private'}
+
{collection.is_public ? 'Public' : 'Private'}
{#if collection.is_archived}
Archived
{/if} @@ -117,7 +123,7 @@ {:else}
-
+
@@ -125,7 +131,7 @@ tabindex="0" class="dropdown-content menu bg-base-100 rounded-box z-[1] w-52 p-2 shadow" > - {#if type != 'link'} + {#if type != 'link' && type != 'viewonly'} + {/if} {#if collection.is_archived} {/if} + {#if type == 'viewonly'} + + {/if}
{/if} diff --git a/frontend/src/lib/components/CountryCard.svelte b/frontend/src/lib/components/CountryCard.svelte index e03dba3..0fbdace 100644 --- a/frontend/src/lib/components/CountryCard.svelte +++ b/frontend/src/lib/components/CountryCard.svelte @@ -1,6 +1,6 @@
@@ -21,6 +21,7 @@

{country.name}

+
{continentCodeToString(country.continent)}
diff --git a/frontend/src/lib/components/Navbar.svelte b/frontend/src/lib/components/Navbar.svelte index baa4fb9..e72c099 100644 --- a/frontend/src/lib/components/Navbar.svelte +++ b/frontend/src/lib/components/Navbar.svelte @@ -11,7 +11,9 @@ import Flower from '~icons/mdi/flower'; import Water from '~icons/mdi/water'; import AboutModal from './AboutModal.svelte'; + import AccountMultiple from '~icons/mdi/account-multiple'; import Avatar from './Avatar.svelte'; + import PaletteOutline from '~icons/mdi/palette-outline'; import { page } from '$app/stores'; let query: string = ''; @@ -81,6 +83,9 @@
    • +
  • + +
    • {/if} {#if !data.user} @@ -133,6 +138,11 @@
    • +
  • + +
    • {/if} {#if !data.user} @@ -184,6 +194,10 @@ on:click={() => (window.location.href = 'https://docs.adventurelog.app/')} >Documentation +

    Theme Selection

  • @@ -202,7 +216,12 @@
  • - + +
    • diff --git a/frontend/src/lib/components/NoteCard.svelte b/frontend/src/lib/components/NoteCard.svelte index 863ea4d..2949254 100644 --- a/frontend/src/lib/components/NoteCard.svelte +++ b/frontend/src/lib/components/NoteCard.svelte @@ -1,7 +1,7 @@
    @@ -52,10 +53,10 @@ - - {#if note.user_id == user?.pk} + {#if note.user_id == user?.pk || (collection && user && collection.shared_with.includes(user.uuid))} +
    + diff --git a/frontend/src/lib/components/TransportationCard.svelte b/frontend/src/lib/components/TransportationCard.svelte index efd5001..7b3a5e3 100644 --- a/frontend/src/lib/components/TransportationCard.svelte +++ b/frontend/src/lib/components/TransportationCard.svelte @@ -1,22 +1,17 @@

    {transportation.name}

    @@ -64,7 +59,7 @@ {/if}
    - {#if user?.pk === transportation.user_id} + {#if transportation.user_id == user?.pk || (collection && user && collection.shared_with.includes(user.uuid))}
    + import { goto } from '$app/navigation'; + import { continentCodeToString, getFlag } from '$lib'; + import type { User } from '$lib/types'; + import { createEventDispatcher } from 'svelte'; + const dispatch = createEventDispatcher(); + + import Calendar from '~icons/mdi/calendar'; + + export let sharing: boolean = false; + export let shared_with: string[] | undefined = undefined; + + export let user: User; + + +
    +
    +
    + {#if user.profile_pic} +
    +
    + {user.username} +
    +
    + {/if} +

    {user.first_name} {user.last_name}

    +
    +

    {user.username}

    + {#if user.is_staff} +
    Admin
    + {/if} + +
    + +

    + {user.date_joined ? 'Joined ' + new Date(user.date_joined).toLocaleDateString() : ''} +

    +
    +
    + {#if !sharing} + + {:else if shared_with && !shared_with.includes(user.uuid)} + + {:else} + + {/if} +
    +
    +
    diff --git a/frontend/src/lib/config.ts b/frontend/src/lib/config.ts index f063a68..59d6f4a 100644 --- a/frontend/src/lib/config.ts +++ b/frontend/src/lib/config.ts @@ -1,5 +1,4 @@ export let appVersion = 'Web v0.6.0'; -export let versionChangelog = 'https://github.com/seanmorley15/AdventureLog/releases/tag/v0.5.2'; +export let versionChangelog = 'https://github.com/seanmorley15/AdventureLog/releases/tag/v0.6.0'; export let appTitle = 'AdventureLog'; export let copyrightYear = '2024'; -// config for the frontend diff --git a/frontend/src/lib/index.ts b/frontend/src/lib/index.ts index 057e8bf..701dd13 100644 --- a/frontend/src/lib/index.ts +++ b/frontend/src/lib/index.ts @@ -1,5 +1,5 @@ import inspirationalQuotes from './json/quotes.json'; -import type { Adventure, Checklist, Collection, Note, Transportation } from './types'; +import type { Adventure, Checklist, Collection, Note, Transportation, User } from './types'; export function getRandomQuote() { const quotes = inspirationalQuotes.quotes; @@ -177,3 +177,24 @@ export function groupChecklistsByDate( return groupedChecklists; } + +export function continentCodeToString(code: string) { + switch (code) { + case 'AF': + return 'Africa'; + case 'AN': + return 'Antarctica'; + case 'AS': + return 'Asia'; + case 'EU': + return 'Europe'; + case 'NA': + return 'North America'; + case 'OC': + return 'Oceania'; + case 'SA': + return 'South America'; + default: + return 'Unknown'; + } +} diff --git a/frontend/src/lib/types.ts b/frontend/src/lib/types.ts index 4a7bdde..5e5060a 100644 --- a/frontend/src/lib/types.ts +++ b/frontend/src/lib/types.ts @@ -7,6 +7,8 @@ export type User = { date_joined: string | null; is_staff: boolean; profile_pic: string | null; + uuid: string; + public_profile: boolean; }; export type Adventure = { @@ -78,6 +80,7 @@ export type Collection = { notes?: Note[]; checklists?: Checklist[]; is_archived?: boolean; + shared_with: string[]; }; export type OpenStreetMapPlace = { diff --git a/frontend/src/routes/+error.svelte b/frontend/src/routes/+error.svelte index f0fe4c9..4cff1c8 100644 --- a/frontend/src/routes/+error.svelte +++ b/frontend/src/routes/+error.svelte @@ -4,21 +4,20 @@ import Lost from '$lib/assets/undraw_lost.svg'; -

    {$page.status}: {$page.error?.message}

    - {#if $page.status === 404}
    Lost in the forest -

    +

    + {$page.status}: {$page.error?.message} +

    +

    Oops, looks like you've wandered off the beaten path.

    -

    - We couldn't find the page you were looking for. Don't worry, we can help you find your way - back.ry, we can -

    + +

    We couldn't find the page you were looking for.

    diff --git a/frontend/src/routes/+page.server.ts b/frontend/src/routes/+page.server.ts index 8cb9577..29cd18f 100644 --- a/frontend/src/routes/+page.server.ts +++ b/frontend/src/routes/+page.server.ts @@ -9,9 +9,18 @@ export const actions: Actions = { // change the theme only if it is one of the allowed themes if ( theme && - ['light', 'dark', 'night', 'retro', 'forest', 'aqua', 'forest', 'garden', 'emerald'].includes( - theme - ) + [ + 'light', + 'dark', + 'night', + 'retro', + 'forest', + 'aqua', + 'forest', + 'aestheticLight', + 'aestheticDark', + 'emerald' + ].includes(theme) ) { cookies.set('colortheme', theme, { path: '/', diff --git a/frontend/src/routes/adventures/[id]/+page.server.ts b/frontend/src/routes/adventures/[id]/+page.server.ts index aa253fb..aa01d2e 100644 --- a/frontend/src/routes/adventures/[id]/+page.server.ts +++ b/frontend/src/routes/adventures/[id]/+page.server.ts @@ -99,72 +99,5 @@ export const actions: Actions = { status: 204 }; } - }, - addToCollection: async (event) => { - const id = event.params as { id: string }; - const adventureId = id.id; - - const formData = await event.request.formData(); - const trip_id = formData.get('collection_id'); - - if (!trip_id) { - return { - status: 400, - error: { message: 'Missing collection id' } - }; - } - - if (!event.locals.user) { - const refresh = event.cookies.get('refresh'); - let auth = event.cookies.get('auth'); - if (!refresh) { - return { - status: 401, - body: { message: 'Unauthorized' } - }; - } - let res = await tryRefreshToken(refresh); - if (res) { - auth = res; - event.cookies.set('auth', auth, { - httpOnly: true, - sameSite: 'lax', - expires: new Date(Date.now() + 60 * 60 * 1000), // 60 minutes - path: '/' - }); - } else { - return { - status: 401, - body: { message: 'Unauthorized' } - }; - } - } - if (!adventureId) { - return { - status: 400, - error: new Error('Bad request') - }; - } - - let res = await fetch(`${serverEndpoint}/api/adventures/${event.params.id}/`, { - method: 'PATCH', - headers: { - Cookie: `${event.cookies.get('auth')}`, - 'Content-Type': 'application/json' - }, - body: JSON.stringify({ collection: trip_id }) - }); - let res2 = await res.json(); - console.log(res2); - if (!res.ok) { - return { - status: res.status, - error: new Error('Failed to delete adventure') - }; - } else { - return { - status: 204 - }; - } } }; diff --git a/frontend/src/routes/adventures/[id]/+page.svelte b/frontend/src/routes/adventures/[id]/+page.svelte index 3227faa..1c942b8 100644 --- a/frontend/src/routes/adventures/[id]/+page.svelte +++ b/frontend/src/routes/adventures/[id]/+page.svelte @@ -96,11 +96,13 @@ {/if} {#if adventure} -
    - -
    + {#if data.user && data.user.pk == adventure.user_id} +
    + +
    + {/if}
    diff --git a/frontend/src/routes/auth/[...path]/+server.ts b/frontend/src/routes/auth/[...path]/+server.ts new file mode 100644 index 0000000..7e0c8b0 --- /dev/null +++ b/frontend/src/routes/auth/[...path]/+server.ts @@ -0,0 +1,83 @@ +const PUBLIC_SERVER_URL = process.env['PUBLIC_SERVER_URL']; +const endpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; +import { json } from '@sveltejs/kit'; + +/** @type {import('./$types').RequestHandler} */ +export async function GET({ url, params, request, fetch, cookies }) { + // add the param format = json to the url or add additional if anothre param is already present + if (url.search) { + url.search = url.search + '&format=json'; + } else { + url.search = '?format=json'; + } + return handleRequest(url, params, request, fetch, cookies); +} + +/** @type {import('./$types').RequestHandler} */ +export async function POST({ url, params, request, fetch, cookies }) { + return handleRequest(url, params, request, fetch, cookies, true); +} + +export async function PATCH({ url, params, request, fetch, cookies }) { + return handleRequest(url, params, request, fetch, cookies, true); +} + +export async function PUT({ url, params, request, fetch, cookies }) { + return handleRequest(url, params, request, fetch, cookies, true); +} + +export async function DELETE({ url, params, request, fetch, cookies }) { + return handleRequest(url, params, request, fetch, cookies, true); +} + +// Implement other HTTP methods as needed (PUT, DELETE, etc.) + +async function handleRequest( + url: any, + params: any, + request: any, + fetch: any, + cookies: any, + requreTrailingSlash: boolean | undefined = false +) { + const path = params.path; + let targetUrl = `${endpoint}/auth/${path}${url.search}`; + + if (requreTrailingSlash && !targetUrl.endsWith('/')) { + targetUrl += '/'; + } + + const headers = new Headers(request.headers); + + const authCookie = cookies.get('auth'); + + if (authCookie) { + headers.set('Cookie', `${authCookie}`); + } + + try { + const response = await fetch(targetUrl, { + method: request.method, + headers: headers, + body: request.method !== 'GET' && request.method !== 'HEAD' ? await request.text() : undefined + }); + + if (response.status === 204) { + // For 204 No Content, return a response with no body + return new Response(null, { + status: 204, + headers: response.headers + }); + } + + const responseData = await response.text(); + + return new Response(responseData, { + status: response.status, + headers: response.headers + }); + } catch (error) { + console.error('Error forwarding request:', error); + return json({ error: 'Internal Server Error' }, { status: 500 }); + } +} diff --git a/frontend/src/routes/collections/[id]/+page.svelte b/frontend/src/routes/collections/[id]/+page.svelte index 4647f01..94b9283 100644 --- a/frontend/src/routes/collections/[id]/+page.svelte +++ b/frontend/src/routes/collections/[id]/+page.svelte @@ -88,16 +88,18 @@ return; } else { let adventure = event.detail; - let formData = new FormData(); - formData.append('collection_id', collection.id.toString()); - let res = await fetch(`/adventures/${adventure.id}?/addToCollection`, { - method: 'POST', - body: formData // Remove the Content-Type header + let res = await fetch(`/api/adventures/${adventure.id}/`, { + method: 'PATCH', + headers: { + 'Content-Type': 'application/json' + }, + body: JSON.stringify({ collection: collection.id.toString() }) }); if (res.ok) { console.log('Adventure added to collection'); + adventure = await res.json(); adventures = [...adventures, adventure]; } else { console.log('Error adding adventure to collection'); @@ -404,6 +406,7 @@ type={adventure.type} {adventure} on:typeChange={changeType} + {collection} /> {/each}
    @@ -423,6 +426,7 @@ transportationToEdit = event.detail; isTransportationEditModalOpen = true; }} + {collection} /> {/each}
    @@ -442,6 +446,7 @@ on:delete={(event) => { notes = notes.filter((n) => n.id != event.detail); }} + {collection} /> {/each}
    @@ -461,6 +466,7 @@ checklistToEdit = event.detail; isShowingChecklistModal = true; }} + {collection} /> {/each}
    diff --git a/frontend/src/routes/settings/+page.server.ts b/frontend/src/routes/settings/+page.server.ts index efd758a..9b97697 100644 --- a/frontend/src/routes/settings/+page.server.ts +++ b/frontend/src/routes/settings/+page.server.ts @@ -45,6 +45,7 @@ export const actions: Actions = { let first_name = formData.get('first_name') as string | null | undefined; let last_name = formData.get('last_name') as string | null | undefined; let profile_pic = formData.get('profile_pic') as File | null | undefined; + let public_profile = formData.get('public_profile') as string | null | undefined | boolean; const resCurrent = await fetch(`${endpoint}/auth/user/`, { headers: { @@ -56,6 +57,13 @@ export const actions: Actions = { return fail(resCurrent.status, await resCurrent.json()); } + if (public_profile === 'on') { + public_profile = true; + } else { + public_profile = false; + } + console.log(public_profile); + let currentUser = (await resCurrent.json()) as User; if (username === currentUser.username || !username) { @@ -84,6 +92,7 @@ export const actions: Actions = { if (profile_pic) { formDataToSend.append('profile_pic', profile_pic); } + formDataToSend.append('public_profile', public_profile.toString()); let res = await fetch(`${endpoint}/auth/user/`, { method: 'PATCH', diff --git a/frontend/src/routes/settings/+page.svelte b/frontend/src/routes/settings/+page.svelte index cb7bd28..61e2d57 100644 --- a/frontend/src/routes/settings/+page.svelte +++ b/frontend/src/routes/settings/+page.svelte @@ -111,6 +111,24 @@ id="profile_pic" class="file-input file-input-bordered w-full max-w-xs mb-2" />
    +
    +
    + +
    +
    diff --git a/frontend/src/routes/shared/+page.server.ts b/frontend/src/routes/shared/+page.server.ts new file mode 100644 index 0000000..b40dbac --- /dev/null +++ b/frontend/src/routes/shared/+page.server.ts @@ -0,0 +1,26 @@ +import { redirect } from '@sveltejs/kit'; +import type { PageServerLoad } from './$types'; + +const PUBLIC_SERVER_URL = process.env['PUBLIC_SERVER_URL']; +const serverEndpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; + +export const load = (async (event) => { + if (!event.locals.user) { + return redirect(302, '/login'); + } else { + let res = await fetch(`${serverEndpoint}/api/collections/shared/`, { + headers: { + Cookie: `${event.cookies.get('auth')}` + } + }); + if (!res.ok) { + return redirect(302, '/login'); + } else { + return { + props: { + collections: await res.json() + } + }; + } + } +}) satisfies PageServerLoad; diff --git a/frontend/src/routes/shared/+page.svelte b/frontend/src/routes/shared/+page.svelte new file mode 100644 index 0000000..7aa0e6c --- /dev/null +++ b/frontend/src/routes/shared/+page.svelte @@ -0,0 +1,27 @@ + + +{#if collections.length > 0} +
    + {#each collections as collection} + + {/each} +
    +{:else} +

    + No collections found that are shared with you. + {#if data.user && !data.user?.public_profile} +

    In order to allow users to share with you, you need your profile set to public.

    + + {/if} +

    +{/if} diff --git a/frontend/src/routes/user/[uuid]/+page.server.ts b/frontend/src/routes/user/[uuid]/+page.server.ts new file mode 100644 index 0000000..882082f --- /dev/null +++ b/frontend/src/routes/user/[uuid]/+page.server.ts @@ -0,0 +1,29 @@ +import { redirect } from '@sveltejs/kit'; +import type { PageServerLoad } from './$types'; +const PUBLIC_SERVER_URL = process.env['PUBLIC_SERVER_URL']; +const serverEndpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; + +export const load = (async (event) => { + if (!event.cookies.get('auth')) { + return redirect(302, '/login'); + } + const uuid = event.params.uuid; + if (!uuid) { + return redirect(302, '/users'); + } + let res = await fetch(`${serverEndpoint}/auth/user/${uuid}/`, { + headers: { + Cookie: `${event.cookies.get('auth')}` + } + }); + if (!res.ok) { + return redirect(302, '/users'); + } else { + const data = await res.json(); + return { + props: { + user: data + } + }; + } +}) satisfies PageServerLoad; diff --git a/frontend/src/routes/user/[uuid]/+page.svelte b/frontend/src/routes/user/[uuid]/+page.svelte new file mode 100644 index 0000000..071be0f --- /dev/null +++ b/frontend/src/routes/user/[uuid]/+page.svelte @@ -0,0 +1,35 @@ + + +{#if user.profile_pic} +
    +
    + {user.username} +
    +
    +{/if} + +

    {user.first_name} {user.last_name}

    +

    {user.username}

    + +
    + {#if user.is_staff} +
    Admin
    + {/if} +
    + +
    +

    + {user.date_joined ? 'Joined ' + new Date(user.date_joined).toLocaleDateString() : ''} +

    +
    + + + {user.username} | AdventureLog + + diff --git a/frontend/src/routes/users/+page.server.ts b/frontend/src/routes/users/+page.server.ts new file mode 100644 index 0000000..4aa6573 --- /dev/null +++ b/frontend/src/routes/users/+page.server.ts @@ -0,0 +1,26 @@ +import { redirect } from '@sveltejs/kit'; +import type { PageServerLoad } from './$types'; +const PUBLIC_SERVER_URL = process.env['PUBLIC_SERVER_URL']; +const serverEndpoint = PUBLIC_SERVER_URL || 'http://localhost:8000'; + +export const load = (async (event) => { + if (!event.cookies.get('auth')) { + return redirect(302, '/login'); + } + + const res = await fetch(`${serverEndpoint}/auth/users/`, { + headers: { + Cookie: `${event.cookies.get('auth')}` + } + }); + if (!res.ok) { + return redirect(302, '/login'); + } else { + const data = await res.json(); + return { + props: { + users: data + } + }; + } +}) satisfies PageServerLoad; diff --git a/frontend/src/routes/users/+page.svelte b/frontend/src/routes/users/+page.svelte new file mode 100644 index 0000000..f639776 --- /dev/null +++ b/frontend/src/routes/users/+page.svelte @@ -0,0 +1,25 @@ + + +

    AdventureLog Users

    +
    + {#each users as user (user.uuid)} + + {/each} +
    + +{#if users.length === 0} +

    No users found with public profiles.

    +{/if} + + + Users + + diff --git a/frontend/src/routes/worldtravel/+page.svelte b/frontend/src/routes/worldtravel/+page.svelte index d52f228..48a1b54 100644 --- a/frontend/src/routes/worldtravel/+page.svelte +++ b/frontend/src/routes/worldtravel/+page.svelte @@ -3,16 +3,44 @@ import type { Country } from '$lib/types'; import type { PageData } from './$types'; + let searchQuery: string = ''; + + let filteredCountries: Country[] = []; + export let data: PageData; console.log(data); const countries: Country[] = data.props?.countries || []; + + $: { + // if query is empty, show all countries + if (searchQuery === '') { + filteredCountries = countries; + } else { + // otherwise, filter countries by name + filteredCountries = countries.filter((country) => + country.name.toLowerCase().includes(searchQuery.toLowerCase()) + ); + } + } -

    Country List

    +

    Country List

    + +

    + {filteredCountries.length} countries found +

    +
    + +
    - {#each countries as country} + {#each filteredCountries as country} {/each} diff --git a/frontend/tailwind.config.js b/frontend/tailwind.config.js index eeb76df..aea4f15 100644 --- a/frontend/tailwind.config.js +++ b/frontend/tailwind.config.js @@ -15,7 +15,52 @@ export default { 'aqua', 'emerald', { - garden: { + aestheticDark: { + primary: '#3e5747', + 'primary-focus': '#2f4236', + 'primary-content': '#e9e7e7', + + secondary: '#547b82', + 'secondary-focus': '#3d5960', + 'secondary-content': '#c1dfe5', + + accent: '#8b6161', + 'accent-focus': '#6e4545', + 'accent-content': '#f2eaea', + + neutral: '#2b2a2a', + 'neutral-focus': '#272525', + 'neutral-content': '#e9e7e7', + + 'base-100': '#121212', // Dark background + 'base-200': '#1d1d1d', + 'base-300': '#292929', + 'base-content': '#e9e7e7', // Light content on dark background + + // set bg-primary-content + 'bg-base': '#121212', + 'bg-base-content': '#e9e7e7', + + info: '#3b7ecb', + success: '#007766', + warning: '#d4c111', + error: '#e64a19', + + '--rounded-box': '1rem', + '--rounded-btn': '.5rem', + '--rounded-badge': '1.9rem', + + '--animation-btn': '.25s', + '--animation-input': '.2s', + + '--btn-text-case': 'uppercase', + '--navbar-padding': '.5rem', + '--border-btn': '1px', + + fontFamily: + 'ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace' + }, + aestheticLight: { primary: '#5a7c65', 'primary-focus': '#48604f', 'primary-content': '#dcd5d5',