feat: Enhance collection sharing and location management features

- Implemented unsharing functionality in CollectionViewSet, including removal of user-owned locations from collections. - Refactored ContentImageViewSet to support multiple content types and improved permission checks for image uploads. - Added user ownership checks in LocationViewSet for delete operations. - Enhanced collection management in the frontend to display both owned and shared collections separately. - Updated Immich integration to handle access control based on location visibility and user permissions. - Improved UI components to show creator information and manage collection links more effectively. - Added loading states and error handling in collection fetching logic.
2025-07-31 02:39:38 +02:00 · 2025-07-12 09:20:23 -04:00 · 2025-07-12 09:20:23 -04:00 · ba162175fe
commit ba162175fe
parent 7f80dad94b
19 changed files with 641 additions and 245 deletions
--- a/backend/server/adventures/views/attachment_view.py
+++ b/backend/server/adventures/views/attachment_view.py
@ -2,51 +2,97 @@ from rest_framework import viewsets, status
 from rest_framework.decorators import action
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
+from django.contrib.contenttypes.models import ContentType
 from adventures.models import Location, ContentAttachment
 from adventures.serializers import AttachmentSerializer
+from adventures.permissions import IsOwnerOrSharedWithFullAccess
+

 class AttachmentViewSet(viewsets.ModelViewSet):
    serializer_class = AttachmentSerializer
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsOwnerOrSharedWithFullAccess]

    def get_queryset(self):
        return ContentAttachment.objects.filter(user=self.request.user)
-    
+
    def create(self, request, *args, **kwargs):
        if not request.user.is_authenticated:
            return Response({"error": "User is not authenticated"}, status=status.HTTP_401_UNAUTHORIZED)
-        location_id = request.data.get('location')
-        try:
-            location = Location.objects.get(id=location_id)
-        except Location.DoesNotExist:
-            return Response({"error": "Location not found"}, status=status.HTTP_404_NOT_FOUND)
-
-        if location.user != request.user:
-            # Check if the location has any collections
-            if location.collections.exists():
-                # Check if the user is in the shared_with list of any of the location's collections
-                user_has_access = False
-                for collection in location.collections.all():
-                    if collection.shared_with.filter(id=request.user.id).exists():
-                        user_has_access = True
-                        break
-                
-                if not user_has_access:
-                    return Response({"error": "User does not have permission to access this location"}, status=status.HTTP_403_FORBIDDEN)
-            else:
-                return Response({"error": "User does not own this location"}, status=status.HTTP_403_FORBIDDEN)
        
-        return super().create(request, *args, **kwargs)
-    
-    def perform_create(self, serializer):
-        location_id = self.request.data.get('location')
-        location = Location.objects.get(id=location_id)
+        # Get the content object details
+        content_type_id = request.data.get('content_type')
+        object_id = request.data.get('object_id')
+        
+        # For backward compatibility, also check for 'location' parameter
+        location_id = request.data.get('location')
+        
+        if location_id and not (content_type_id and object_id):
+            # Handle legacy location-specific requests
+            try:
+                location = Location.objects.get(id=location_id)
+                content_type = ContentType.objects.get_for_model(Location)
+                content_type_id = content_type.id
+                object_id = location_id
+            except Location.DoesNotExist:
+                return Response({"error": "Location not found"}, status=status.HTTP_404_NOT_FOUND)
+        
+        if not (content_type_id and object_id):
+            return Response({"error": "content_type and object_id are required"}, status=status.HTTP_400_BAD_REQUEST)

-        # If the location belongs to collections, set the owner to the collection owner
-        if location.collections.exists():
-            # Get the first collection's owner (assuming all collections have the same owner)
-            collection = location.collections.first()
-            serializer.save(user=collection.user)
-        else:
-            # Otherwise, set the owner to the request user
-            serializer.save(user=self.request.user)
+        try:
+            content_type = ContentType.objects.get(id=content_type_id)
+            model_class = content_type.model_class()
+            content_object = model_class.objects.get(id=object_id)
+        except (ContentType.DoesNotExist, model_class.DoesNotExist):
+            return Response({"error": "Content object not found"}, status=status.HTTP_404_NOT_FOUND)
+
+        return super().create(request, *args, **kwargs)
+
+    def perform_create(self, serializer):
+        content_type_id = self.request.data.get('content_type')
+        object_id = self.request.data.get('object_id')
+        
+        # Handle legacy location parameter
+        location_id = self.request.data.get('location')
+        if location_id and not (content_type_id and object_id):
+            content_type = ContentType.objects.get_for_model(Location)
+            content_type_id = content_type.id
+            object_id = location_id
+
+        content_type = ContentType.objects.get(id=content_type_id)
+        model_class = content_type.model_class()
+        content_object = model_class.objects.get(id=object_id)
+
+        # Determine the appropriate user to assign
+        attachment_user = self._get_attachment_user(content_object)
+        
+        serializer.save(
+            user=attachment_user,
+            content_type=content_type,
+            object_id=object_id
+        )
+
+    def _get_attachment_user(self, content_object):
+        """
+        Determine which user should own the attachment based on the content object.
+        This preserves the original logic for shared collections.
+        """
+        # Handle Location objects
+        if isinstance(content_object, Location):
+            if content_object.collections.exists():
+                # Get the first collection's owner (assuming all collections have the same owner)
+                collection = content_object.collections.first()
+                return collection.user
+            else:
+                return self.request.user
+        
+        # Handle other content types with collections
+        elif hasattr(content_object, 'collection') and content_object.collection:
+            return content_object.collection.user
+        
+        # Handle content objects with a user field
+        elif hasattr(content_object, 'user'):
+            return content_object.user
+        
+        # Default to request user
+        return self.request.user