mirror of https://github.com/seanmorley15/AdventureLog.git synced 2025-07-19 04:49:37 +02:00

Fixes [BUG] Cannot change a adventure from Private to Public #617

Sean Morley 2025-05-19 11:52:51 -04:00 committed by GitHub
commit 5f19670ed9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 16 additions and 11 deletions


@ -60,14 +60,15 @@ class AdventureViewSet(viewsets.ModelViewSet):
""" """
user = self.request.user user = self.request.user
# Actions that allow public access (include 'retrieve' and your custom action)
public_allowed_actions = {'retrieve', 'additional_info'}
if not user.is_authenticated: if not user.is_authenticated:
# Unauthenticated users can only access public adventures for retrieval if self.action in public_allowed_actions:
if self.action == 'retrieve':
return Adventure.objects.retrieve_adventures(user, include_public=True).order_by('-updated_at') return Adventure.objects.retrieve_adventures(user, include_public=True).order_by('-updated_at')
return Adventure.objects.none() return Adventure.objects.none()
# Authenticated users: Handle retrieval separately include_public = self.action in public_allowed_actions
include_public = self.action == 'retrieve'
return Adventure.objects.retrieve_adventures( return Adventure.objects.retrieve_adventures(
user, user,
include_public=include_public, include_public=include_public,
@ -75,6 +76,7 @@ class AdventureViewSet(viewsets.ModelViewSet):
include_shared=True include_shared=True
).order_by('-updated_at') ).order_by('-updated_at')
def perform_update(self, serializer): def perform_update(self, serializer):
adventure = serializer.save() adventure = serializer.save()
if adventure.collection: if adventure.collection:
@ -175,11 +177,15 @@ class AdventureViewSet(viewsets.ModelViewSet):
def additional_info(self, request, pk=None): def additional_info(self, request, pk=None):
adventure = self.get_object() adventure = self.get_object()
# Permission check: owner or shared collection member user = request.user
if adventure.user_id != request.user:
if not (adventure.collection and adventure.collection.shared_with.filter(id=request.user.id).exists()): # Allow if public
return Response({"error": "User does not have permission to access this adventure"}, if not adventure.is_public:
status=status.HTTP_403_FORBIDDEN) # Only allow owner or shared collection members
if not user.is_authenticated or adventure.user_id != user:
if not (adventure.collection and adventure.collection.shared_with.filter(uuid=user.uuid).exists()):
return Response({"error": "User does not have permission to access this adventure"},
status=status.HTTP_403_FORBIDDEN)
serializer = self.get_serializer(adventure) serializer = self.get_serializer(adventure)
response_data = serializer.data response_data = serializer.data
@ -202,7 +208,6 @@ class AdventureViewSet(viewsets.ModelViewSet):
"sunrise": results.get('sunrise'), "sunrise": results.get('sunrise'),
"sunset": results.get('sunset') "sunset": results.get('sunset')
}) })
response_data['sun_times'] = sun_times response_data['sun_times'] = sun_times
return Response(response_data) return Response(response_data)
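Review bot: In `additional_info`, an unauthenticated request for a non-public adventure is not rejected up front: `not user.is_authenticated` only enters the inner check, which then evaluates `shared_with.filter(uuid=user.uuid)`, and Django's `AnonymousUser` has no `uuid` attribute. If such a request can get past `get_object()` (that depends on what `retrieve_adventures(user, include_public=True)` returns for anonymous users, which is not visible on this page), an adventure that has a collection would raise an unhandled AttributeError instead of returning 403. An explicit early deny keeps the path fail-closed, e.g. `if not user.is_authenticated: return Response({"error": "User does not have permission to access this adventure"}, status=status.HTTP_403_FORBIDDEN)` placed inside `if not adventure.is_public:` before the owner comparison. Because `additional_info` is now in `public_allowed_actions`, it would also be worth adding a test that an anonymous client gets 403 or 404 for a private adventure and that the serialized payload for a public one contains only fields intended for anonymous viewers. The body of `additional_info` continues outside the hunk.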


@ -607,7 +607,7 @@
<p class="text-red-500">{wikiError}</p> <p class="text-red-500">{wikiError}</p>
</div> </div>
</div> </div>
{#if !collection?.id} {#if !adventure?.collection}
<div> <div>
<div class="form-control flex items-start mt-1"> <div class="form-control flex items-start mt-1">
<label class="label cursor-pointer flex items-start space-x-2"> <label class="label cursor-pointer flex items-start space-x-2">