fix rights on albums and next/previous pictures

thomas girod
2024-08-08 13:15:19 +02:00
parent d3b203a4a1
commit 00dc03a235
5 changed files with 110 additions and 112 deletions


@ -41,17 +41,12 @@ class PicturesController(ControllerBase):
cf. https://ae.utbm.fr/user/32663/pictures/)
"""
user: User = self.context.request.user
if not user.was_subscribed and filters.users_identified != {user.id}:
# User can view any moderated picture if he/she is subscribed.
# If not, he/she can view only the one he/she has been identified on
raise PermissionDenied
pictures = list(
return (
filters.filter(Picture.objects.viewable_by(user))
.distinct()
.order_by("-parent__date", "date")
.annotate(album=F("parent__name"))
)
return pictures
@api_controller("/sas/relation", tags="User identification on SAS pictures")
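Review bot: With the `PermissionDenied` guard removed, the only access control left on this endpoint is `Picture.objects.viewable_by(user)`, whose body is not part of this hunk, so the rule that a non-subscriber may see only pictures they are identified on is no longer visible at the call site. A short comment above `return (` would keep that dependency explicit, e.g. `# Access control is delegated to viewable_by(); it must limit non-subscribers to pictures they are identified on.` The response to an unauthorized query also appears to change from a 403 to a filtered (possibly empty) list, so a regression test asserting that an unsubscribed user who requests another user's pictures receives none of them would pin the new behaviour. The method's signature and the start of its docstring are outside the hunk, and the docstring may still describe the old rule.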