fix rights on albums and next/previous pictures

2025-07-11 12:29:24 +00:00 · 2024-08-08 13:15:19 +02:00
parent d3b203a4a1
commit 00dc03a235
5 changed files with 110 additions and 112 deletions
--- a/sas/api.py
+++ b/sas/api.py
@ -41,17 +41,12 @@ class PicturesController(ControllerBase):
            cf. https://ae.utbm.fr/user/32663/pictures/)
        """
        user: User = self.context.request.user
-        if not user.was_subscribed and filters.users_identified != {user.id}:
-            # User can view any moderated picture if he/she is subscribed.
-            # If not, he/she can view only the one he/she has been identified on
-            raise PermissionDenied
-        pictures = list(
+        return (
            filters.filter(Picture.objects.viewable_by(user))
            .distinct()
            .order_by("-parent__date", "date")
            .annotate(album=F("parent__name"))
        )
-        return pictures


@api_controller("/sas/relation", tags="User identification on SAS pictures")