2024-07-25 15:27:23 +00:00
|
|
|
from django.conf import settings
|
2024-07-31 09:56:38 +00:00
|
|
|
from django.db.models import F
|
2024-07-18 18:23:30 +00:00
|
|
|
from ninja import Query
|
2024-08-05 17:25:30 +00:00
|
|
|
from ninja_extra import ControllerBase, api_controller, paginate, route
|
2024-07-18 18:23:30 +00:00
|
|
|
from ninja_extra.exceptions import PermissionDenied
|
2024-08-05 17:25:30 +00:00
|
|
|
from ninja_extra.pagination import PageNumberPaginationExtra
|
2024-07-18 18:23:30 +00:00
|
|
|
from ninja_extra.permissions import IsAuthenticated
|
2024-08-05 17:25:30 +00:00
|
|
|
from ninja_extra.schemas import PaginatedResponseSchema
|
2024-07-25 15:27:23 +00:00
|
|
|
from pydantic import NonNegativeInt
|
2024-07-18 18:23:30 +00:00
|
|
|
|
|
|
|
from core.models import User
|
2024-07-25 15:27:23 +00:00
|
|
|
from sas.models import PeoplePictureRelation, Picture
|
2024-07-26 12:25:26 +00:00
|
|
|
from sas.schemas import PictureFilterSchema, PictureSchema
|
2024-07-18 18:23:30 +00:00
|
|
|
|
|
|
|
|
2024-07-25 21:31:54 +00:00
|
|
|
@api_controller("/sas/picture")
|
2024-07-25 15:27:23 +00:00
|
|
|
class PicturesController(ControllerBase):
|
2024-07-18 18:23:30 +00:00
|
|
|
@route.get(
|
2024-07-25 15:27:23 +00:00
|
|
|
"",
|
2024-08-05 17:25:30 +00:00
|
|
|
response=PaginatedResponseSchema[PictureSchema],
|
2024-07-18 18:23:30 +00:00
|
|
|
permissions=[IsAuthenticated],
|
|
|
|
url_name="pictures",
|
|
|
|
)
|
2024-08-05 17:25:30 +00:00
|
|
|
@paginate(PageNumberPaginationExtra, page_size=100)
|
2024-07-18 18:23:30 +00:00
|
|
|
def fetch_pictures(self, filters: Query[PictureFilterSchema]):
|
|
|
|
"""Find pictures viewable by the user corresponding to the given filters.
|
|
|
|
|
|
|
|
A user with an active subscription can see any picture, as long
|
|
|
|
as it has been moderated and not asked for removal.
|
|
|
|
An unsubscribed user can see the pictures he has been identified on
|
2024-07-26 12:25:26 +00:00
|
|
|
(only the moderated ones, too).
|
2024-07-18 18:23:30 +00:00
|
|
|
|
|
|
|
Notes:
|
|
|
|
Trying to fetch the pictures of another user with this route
|
|
|
|
while being unsubscribed will just result in an empty response.
|
2024-07-26 12:25:26 +00:00
|
|
|
|
|
|
|
Notes:
|
|
|
|
Unsubscribed users who are identified is not a rare case.
|
|
|
|
They can be UTT students, faluchards from other schools,
|
|
|
|
or even Richard Stallman (that ain't no joke,
|
|
|
|
cf. https://ae.utbm.fr/user/32663/pictures/)
|
2024-07-18 18:23:30 +00:00
|
|
|
"""
|
|
|
|
user: User = self.context.request.user
|
2024-08-06 10:37:50 +00:00
|
|
|
if not user.was_subscribed and filters.users_identified != {user.id}:
|
2024-07-18 18:23:30 +00:00
|
|
|
# User can view any moderated picture if he/she is subscribed.
|
|
|
|
# If not, he/she can view only the one he/she has been identified on
|
|
|
|
raise PermissionDenied
|
2024-08-06 11:23:34 +00:00
|
|
|
pictures = list(
|
2024-08-06 10:37:50 +00:00
|
|
|
filters.filter(Picture.objects.viewable_by(user))
|
2024-07-22 17:12:03 +00:00
|
|
|
.distinct()
|
2024-08-05 21:40:11 +00:00
|
|
|
.order_by("-parent__date", "date")
|
2024-07-31 09:56:38 +00:00
|
|
|
.annotate(album=F("parent__name"))
|
2024-07-18 18:23:30 +00:00
|
|
|
)
|
2024-08-06 11:23:34 +00:00
|
|
|
return pictures
|
2024-07-25 15:27:23 +00:00
|
|
|
|
|
|
|
|
2024-07-26 12:25:26 +00:00
|
|
|
@api_controller("/sas/relation", tags="User identification on SAS pictures")
|
2024-07-25 15:27:23 +00:00
|
|
|
class UsersIdentifiedController(ControllerBase):
|
2024-07-26 12:25:26 +00:00
|
|
|
@route.delete("/{relation_id}", permissions=[IsAuthenticated])
|
2024-07-25 15:27:23 +00:00
|
|
|
def delete_relation(self, relation_id: NonNegativeInt):
|
2024-07-26 12:25:26 +00:00
|
|
|
"""Untag a user from a SAS picture.
|
|
|
|
|
|
|
|
Root and SAS admins can delete any picture identification.
|
|
|
|
All other users can delete their own identification.
|
|
|
|
"""
|
|
|
|
relation = self.get_object_or_exception(PeoplePictureRelation, pk=relation_id)
|
|
|
|
user: User = self.context.request.user
|
2024-07-25 15:27:23 +00:00
|
|
|
if (
|
|
|
|
relation.user_id != user.id
|
|
|
|
and not user.is_root
|
|
|
|
and not user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID)
|
|
|
|
):
|
|
|
|
raise PermissionDenied
|
|
|
|
relation.delete()
|