From d87d0e807f2a7f6fcf8911dab98950aa4588f1f8 Mon Sep 17 00:00:00 2001 From: Sean Morley Date: Mon, 19 May 2025 11:21:40 -0400 Subject: [PATCH 1/2] Fixes [BUG] Cannot change a adventure from Private to Public #617 --- .../server/adventures/views/adventure_view.py | 26 ++++++++++++------- .../src/lib/components/AdventureModal.svelte | 2 +- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/backend/server/adventures/views/adventure_view.py b/backend/server/adventures/views/adventure_view.py index 55beac3..d533279 100644 --- a/backend/server/adventures/views/adventure_view.py +++ b/backend/server/adventures/views/adventure_view.py @@ -10,6 +10,7 @@ from adventures.models import Adventure, Category, Transportation, Lodging from adventures.permissions import IsOwnerOrSharedWithFullAccess from adventures.serializers import AdventureSerializer, TransportationSerializer, LodgingSerializer from adventures.utils import pagination +from django.contrib.auth.models import AnonymousUser import requests class AdventureViewSet(viewsets.ModelViewSet): @@ -60,14 +61,15 @@ class AdventureViewSet(viewsets.ModelViewSet): """ user = self.request.user + # Actions that allow public access (include 'retrieve' and your custom action) + public_allowed_actions = {'retrieve', 'additional_info'} + if not user.is_authenticated: - # Unauthenticated users can only access public adventures for retrieval - if self.action == 'retrieve': + if self.action in public_allowed_actions: return Adventure.objects.retrieve_adventures(user, include_public=True).order_by('-updated_at') return Adventure.objects.none() - # Authenticated users: Handle retrieval separately - include_public = self.action == 'retrieve' + include_public = self.action in public_allowed_actions return Adventure.objects.retrieve_adventures( user, include_public=include_public, 
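Review bot: `AnonymousUser` is imported in the first hunk, but none of the hunks in this patch reference it; the anonymous-caller checks added further down use `user.is_authenticated` instead. If the second patch in the series does not use it either, drop `from django.contrib.auth.models import AnonymousUser` so the import list keeps reflecting what the view depends on.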
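Review bot: The rewritten branches in `get_queryset` lost the comments that stated the access rule, and `public_allowed_actions` now decides which actions anonymous callers can reach, so that rule should be written down next to it. I would replace the comment above the set with `# Detail actions readable without ownership; anonymous callers only ever see public adventures through them` and keep a line on the `if not user.is_authenticated:` branch such as `# Anonymous: public adventures only; every other action gets an empty queryset`. Whether `retrieve_adventures` filters correctly when handed an anonymous `user` is not visible here, and `get_queryset` starts before the hunk.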
@@ -75,6 +77,7 @@ class AdventureViewSet(viewsets.ModelViewSet): include_shared=True ).order_by('-updated_at') + def perform_update(self, serializer): adventure = serializer.save() if adventure.collection: @@ -175,11 +178,15 @@ class AdventureViewSet(viewsets.ModelViewSet): def additional_info(self, request, pk=None): adventure = self.get_object() - # Permission check: owner or shared collection member - if adventure.user_id != request.user: - if not (adventure.collection and adventure.collection.shared_with.filter(id=request.user.id).exists()): - return Response({"error": "User does not have permission to access this adventure"}, - status=status.HTTP_403_FORBIDDEN) + user = request.user + + # Allow if public + if not adventure.is_public: + # Only allow owner or shared collection members + if not user.is_authenticated or adventure.user_id != user: + if not (adventure.collection and adventure.collection.shared_with.filter(uuid=user.uuid).exists()): + return Response({"error": "User does not have permission to access this adventure"}, + status=status.HTTP_403_FORBIDDEN) serializer = self.get_serializer(adventure) response_data = serializer.data @@ -202,7 +209,6 @@ class AdventureViewSet(viewsets.ModelViewSet): "sunrise": results.get('sunrise'), "sunset": results.get('sunset') }) - response_data['sun_times'] = sun_times return Response(response_data) \ No newline at end of file diff --git a/frontend/src/lib/components/AdventureModal.svelte b/frontend/src/lib/components/AdventureModal.svelte index 37af876..8a93284 100644 --- a/frontend/src/lib/components/AdventureModal.svelte +++ b/frontend/src/lib/components/AdventureModal.svelte @@ -607,7 +607,7 @@
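Review bot: In the non-public branch of `additional_info`, an anonymous caller falls through to `shared_with.filter(uuid=user.uuid)`, and Django's `AnonymousUser` has no `uuid` attribute, so whenever the adventure has a collection the request would end in an AttributeError (HTTP 500) rather than the intended 403. `get_queryset` probably keeps private adventures away from anonymous callers before this line runs, but the check should not rely on that; fold the authentication test into the membership condition: `if not (user.is_authenticated and adventure.collection and adventure.collection.shared_with.filter(uuid=user.uuid).exists()):`. The comparison `adventure.user_id != user` is carried over from the old code and only behaves as an ownership test if `user_id` holds a user object rather than a key, which the hunk does not show. The method's decorator and the rest of its body lie outside this hunk.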

{wikiError}

- {#if !collection?.id} + {#if !adventure?.collection}