permisison fixes

2025-07-24 15:29:36 +02:00 · 2024-07-09 16:48:52 -04:00 · 2024-07-09 16:48:52 -04:00 · 67619aec57
commit 67619aec57
parent d64abf2273
8 changed files with 112 additions and 34 deletions
--- a/backend/server/adventures/admin.py
+++ b/backend/server/adventures/admin.py
@ -6,8 +6,8 @@ from worldtravel.models import Country, Region, VisitedRegion


 class AdventureAdmin(admin.ModelAdmin):
-    list_display = ('name', 'type', 'user_id', 'date', 'image_display')
-    list_filter = ('type', 'user_id')
+    list_display = ('name', 'type', 'user_id', 'date', 'is_public', 'image_display')
+    list_filter = ('type', 'user_id', 'is_public')

    def image_display(self, obj):
        if obj.image:
--- a/backend/server/adventures/permissions.py
+++ b/backend/server/adventures/permissions.py
@ -12,4 +12,19 @@ class IsOwnerOrReadOnly(permissions.BasePermission):
            return True

        # Write permissions are only allowed to the owner of the object.
+        return obj.user_id == request.user
+
+
+class IsPublicReadOnly(permissions.BasePermission):
+    """
+    Custom permission to only allow read-only access to public objects,
+    and write access to the owner of the object.
+    """
+
+    def has_object_permission(self, request, view, obj):
+        # Read permissions are allowed if the object is public
+        if request.method in permissions.SAFE_METHODS:
+            return obj.is_public or obj.user_id == request.user
+
+        # Write permissions are only allowed to the owner of the object
        return obj.user_id == request.user
--- a/backend/server/adventures/views.py
+++ b/backend/server/adventures/views.py
@ -5,11 +5,11 @@ from .models import Adventure, Trip
 from .serializers import AdventureSerializer, TripSerializer
 from rest_framework.permissions import IsAuthenticated
 from django.db.models import Q, Prefetch
-from .permissions import IsOwnerOrReadOnly
+from .permissions import IsOwnerOrReadOnly, IsPublicReadOnly

 class AdventureViewSet(viewsets.ModelViewSet):
    serializer_class = AdventureSerializer
-    permission_classes = [IsAuthenticated, IsOwnerOrReadOnly]
+    permission_classes = [IsOwnerOrReadOnly, IsPublicReadOnly]

    def get_queryset(self):
        return Adventure.objects.filter(
@ -42,7 +42,7 @@ class AdventureViewSet(viewsets.ModelViewSet):

 class TripViewSet(viewsets.ModelViewSet):
    serializer_class = TripSerializer
-    permission_classes = [IsAuthenticated, IsOwnerOrReadOnly]
+    permission_classes = [IsOwnerOrReadOnly, IsPublicReadOnly]

    def get_queryset(self):
        return Trip.objects.filter(