Collection: filter queryset only to collections for which the user has access to.

master
Tom Hacohen 5 years ago
parent 771d2d013d
commit c74ed50bd5

@ -50,7 +50,8 @@ class BaseViewSet(viewsets.ModelViewSet):
return serializer_class return serializer_class
def get_collection_queryset(self, queryset=Collection.objects): def get_collection_queryset(self, queryset=Collection.objects):
return queryset.all() user = self.request.user
return queryset.filter(members__user=user)
class CollectionViewSet(BaseViewSet): class CollectionViewSet(BaseViewSet):
@ -143,7 +144,7 @@ class CollectionItemViewSet(BaseViewSet):
@action_decorator(detail=True, methods=['GET']) @action_decorator(detail=True, methods=['GET'])
def revision(self, request, collection_uid=None, uid=None): def revision(self, request, collection_uid=None, uid=None):
col = get_object_or_404(Collection.objects, uid=collection_uid) col = get_object_or_404(self.get_collection_queryset(Collection.objects), uid=collection_uid)
col_it = get_object_or_404(col.items, uid=uid) col_it = get_object_or_404(col.items, uid=uid)
serializer = CollectionItemRevisionSerializer(col_it.revisions.order_by('-id'), many=True) serializer = CollectionItemRevisionSerializer(col_it.revisions.order_by('-id'), many=True)
@ -169,7 +170,8 @@ class CollectionItemChunkViewSet(viewsets.ViewSet):
lookup_field = 'uid' lookup_field = 'uid'
def get_collection_queryset(self, queryset=Collection.objects): def get_collection_queryset(self, queryset=Collection.objects):
return queryset.all() user = self.request.user
return queryset.filter(members__user=user)
def create(self, request, collection_uid=None, collection_item_uid=None): def create(self, request, collection_uid=None, collection_item_uid=None):
col = get_object_or_404(self.get_collection_queryset(), uid=collection_uid) col = get_object_or_404(self.get_collection_queryset(), uid=collection_uid)
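Review bot: The membership filter that now gates collection lookups is written twice, in `BaseViewSet.get_collection_queryset` and again in `CollectionItemChunkViewSet.get_collection_queryset`, so a later change to the access rule could land in only one of them; a small mixin that both classes inherit would keep the check in one place. Because `members__user=user` joins across a to-many relation, the same collection may come back more than once if a user can ever hold two member rows for it, and `get_object_or_404` would then raise `MultipleObjectsReturned`; a uniqueness constraint on the membership pair, or `return queryset.filter(members__user=user).distinct()`, rules that out. The filter also assumes `self.request.user` is an authenticated user, which depends on permission classes that are not visible in these hunks. A one-line docstring such as `"""Return only collections the requesting user is a member of."""`, plus a test that a non-member gets a 404 from `revision` and from chunk `create`, would pin the intended behaviour. All three class bodies continue outside the hunks, so any other lookup that still uses `Collection.objects` directly is worth checking.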
