mirror of
https://github.com/seanmorley15/AdventureLog.git
synced 2025-07-25 07:49:37 +02:00
feat: add Attachment model and implement file permission checks for media access
This commit is contained in:
Sean Morley
parent
433599dc20
commit
aa216f5688
7 changed files with 93 additions and 46 deletions
|
|
@ -1,7 +1,7 @@
|
|||
import os
|
||||
from django.contrib import admin
|
||||
from django.utils.html import mark_safe
|
||||
from .models import Adventure, Checklist, ChecklistItem, Collection, Transportation, Note, AdventureImage, Visit, Category
|
||||
from .models import Adventure, Checklist, ChecklistItem, Collection, Transportation, Note, AdventureImage, Visit, Category, Attachment
|
||||
from worldtravel.models import Country, Region, VisitedRegion, City, VisitedCity
|
||||
from allauth.account.decorators import secure_admin_login
|
||||
|
||||
|
|
@ -139,6 +139,7 @@ admin.site.register(AdventureImage, AdventureImageAdmin)
|
|||
admin.site.register(Category, CategoryAdmin)
|
||||
admin.site.register(City, CityAdmin)
|
||||
admin.site.register(VisitedCity)
|
||||
admin.site.register(Attachment)
|
||||
|
||||
admin.site.site_header = 'AdventureLog Admin'
|
||||
admin.site.site_title = 'AdventureLog Admin Site'
|
||||
|
|
|
|||
26
backend/server/adventures/migrations/0018_attachment.py
Normal file
26
backend/server/adventures/migrations/0018_attachment.py
Normal file
|
|
@ -0,0 +1,26 @@
|
|||
# Generated by Django 5.0.8 on 2025-01-19 00:39
|
||||
|
||||
import django.db.models.deletion
|
||||
import uuid
|
||||
from django.conf import settings
|
||||
from django.db import migrations, models
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('adventures', '0017_adventureimage_is_primary'),
|
||||
migrations.swappable_dependency(settings.AUTH_USER_MODEL),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='Attachment',
|
||||
fields=[
|
||||
('id', models.UUIDField(default=uuid.uuid4, editable=False, primary_key=True, serialize=False, unique=True)),
|
||||
('file', models.FileField(upload_to='attachments/')),
|
||||
('adventure', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='attachments', to='adventures.adventure')),
|
||||
('user_id', models.ForeignKey(default=1, on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
|
||||
],
|
||||
),
|
||||
]
|
||||
|
|
@ -287,6 +287,16 @@ class AdventureImage(models.Model):
|
|||
|
||||
def __str__(self):
|
||||
return self.image.url
|
||||
|
||||
class Attachment(models.Model):
|
||||
id = models.UUIDField(default=uuid.uuid4, editable=False, unique=True, primary_key=True)
|
||||
user_id = models.ForeignKey(
|
||||
User, on_delete=models.CASCADE, default=default_user_id)
|
||||
file = models.FileField(upload_to='attachments/')
|
||||
adventure = models.ForeignKey(Adventure, related_name='attachments', on_delete=models.CASCADE)
|
||||
|
||||
def __str__(self):
|
||||
return self.file.url
|
||||
|
||||
class Category(models.Model):
|
||||
id = models.UUIDField(default=uuid.uuid4, editable=False, unique=True, primary_key=True)
|
||||
|
|
|
|||
|
|
@ -1,33 +0,0 @@
|
|||
from adventures.models import AdventureImage
|
||||
|
||||
def checkAdventureImagePermission(imageId, user):
|
||||
"""
|
||||
Checks if the given user has permission to access the specified adventure image.
|
||||
|
||||
Args:
|
||||
imageId (str): The ID of the image to check permissions for.
|
||||
user (User): The user object to check permissions against.
|
||||
|
||||
Returns:
|
||||
bool: True if the user has permission to access the image, False otherwise.
|
||||
|
||||
Raises:
|
||||
AdventureImage.DoesNotExist: If the image with the specified ID does not exist.
|
||||
"""
|
||||
try:
|
||||
# Construct the full relative path to match the database field
|
||||
image_path = f"images/{imageId}"
|
||||
# Fetch the AdventureImage object
|
||||
adventure = AdventureImage.objects.get(image=image_path).adventure
|
||||
if adventure.is_public:
|
||||
return True
|
||||
elif adventure.user_id == user:
|
||||
return True
|
||||
elif adventure.collection:
|
||||
if adventure.collection.shared_with.filter(id=user.id).exists():
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
except AdventureImage.DoesNotExist:
|
||||
print('No image')
|
||||
return False
|
||||
41
backend/server/adventures/utils/file_permissions.py
Normal file
41
backend/server/adventures/utils/file_permissions.py
Normal file
|
|
@ -0,0 +1,41 @@
|
|||
from adventures.models import AdventureImage, Attachment
|
||||
|
||||
protected_paths = ['images/', 'attachments/']
|
||||
|
||||
def checkFilePermission(fileId, user, mediaType):
|
||||
if mediaType not in protected_paths:
|
||||
return True
|
||||
if mediaType == 'images/':
|
||||
try:
|
||||
# Construct the full relative path to match the database field
|
||||
image_path = f"images/{fileId}"
|
||||
# Fetch the AdventureImage object
|
||||
adventure = AdventureImage.objects.get(image=image_path).adventure
|
||||
if adventure.is_public:
|
||||
return True
|
||||
elif adventure.user_id == user:
|
||||
return True
|
||||
elif adventure.collection:
|
||||
if adventure.collection.shared_with.filter(id=user.id).exists():
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
except AdventureImage.DoesNotExist:
|
||||
return False
|
||||
elif mediaType == 'attachments/':
|
||||
try:
|
||||
# Construct the full relative path to match the database field
|
||||
attachment_path = f"attachments/{fileId}"
|
||||
# Fetch the Attachment object
|
||||
attachment = Attachment.objects.get(file=attachment_path).adventure
|
||||
if attachment.is_public:
|
||||
return True
|
||||
elif attachment.user_id == user:
|
||||
return True
|
||||
elif attachment.collection:
|
||||
if attachment.collection.shared_with.filter(id=user.id).exists():
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
except Attachment.DoesNotExist:
|
||||
return False
|
||||
Loading…
Add table
Add a link
Reference in a new issue