klmp200/Sith
1
0
Fork 0
mirror of https://github.com/ae-utbm/sith.git synced 2025-11-10 05:53:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

don't show hidden users in picture identifications

Browse Source
This commit is contained in:
imperosol
2025-11-07 18:32:56 +01:00
parent 1f3a483b1b
commit 144b05e49c
4 changed files with 64 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
sas/api.py
View File

@@ -143,11 +143,14 @@ class PicturesController(ControllerBase):
"/{picture_id}/identified", "/{picture_id}/identified",
permissions=[IsAuthenticated, CanView], permissions=[IsAuthenticated, CanView],
response=list[IdentifiedUserSchema], response=list[IdentifiedUserSchema],
url_name="picture_identifications",
) )
def fetch_identifications(self, picture_id: int): def fetch_identifications(self, picture_id: int):
"""Fetch the users that have been identified on the given picture.""" """Fetch the users that have been identified on the given picture."""
picture = self.get_object_or_exception(Picture, pk=picture_id) picture = self.get_object_or_exception(Picture, pk=picture_id)
return picture.people.select_related("user") return picture.people.viewable_by(self.context.request.user).select_related(
"user"
)
@route.put("/{picture_id}/identified", permissions=[IsAuthenticated, CanView]) @route.put("/{picture_id}/identified", permissions=[IsAuthenticated, CanView])
def identify_users(self, picture_id: NonNegativeInt, users: set[NonNegativeInt]): def identify_users(self, picture_id: NonNegativeInt, users: set[NonNegativeInt]):

13
sas/models.py
View File

@@ -265,6 +265,17 @@ def sas_notification_callback(notif: Notification):
notif.param = str(count) notif.param = str(count)
class PeoplePictureRelationQuerySet(models.QuerySet):
def viewable_by(self, user: User) -> Self:
if user.is_root or user.is_in_group(pk=settings.SITH_GROUP_SAS_ADMIN_ID):
return self
if user.was_subscribed:
return self.filter(
Q(user_id=user.id) | Q(user__is_subscriber_viewable=True)
)
return self.filter(user_id=user.id)
class PeoplePictureRelation(models.Model): class PeoplePictureRelation(models.Model):
"""The PeoplePictureRelation class makes the connection between User and Picture.""" """The PeoplePictureRelation class makes the connection between User and Picture."""
@@ -281,6 +292,8 @@ class PeoplePictureRelation(models.Model):
on_delete=models.CASCADE, on_delete=models.CASCADE,
) )
objects = PeoplePictureRelationQuerySet.as_manager()
class Meta: class Meta:
unique_together = ["user", "picture"] unique_together = ["user", "picture"]

23
sas/tests/test_api.py
View File

@@ -186,6 +186,29 @@ class TestPictureRelation(TestSas):
assert res.status_code == 404 assert res.status_code == 404
assert PeoplePictureRelation.objects.count() == relation_count assert PeoplePictureRelation.objects.count() == relation_count
def test_fetch_relations_including_hidden_users(self):
"""Test that normal subscribers users cannot see hidden profiles"""
picture = self.album_a.children_pictures.last()
self.user_a.is_subscriber_viewable = False
self.user_a.save()
url = reverse("api:picture_identifications", kwargs={"picture_id": picture.id})
# a normal subscriber user shouldn't see user_a as identified
self.client.force_login(subscriber_user.make())
response = self.client.get(url)
data = {user["user"]["id"] for user in response.json()}
assert data == {self.user_b.id, self.user_c.id}
# an admin should see everyone
self.client.force_login(
baker.make(
User, groups=[Group.objects.get(id=settings.SITH_GROUP_SAS_ADMIN_ID)]
)
)
response = self.client.get(url)
data = {user["user"]["id"] for user in response.json()}
assert data == {self.user_a.id, self.user_b.id, self.user_c.id}
class TestPictureModeration(TestSas): class TestPictureModeration(TestSas):
@classmethod @classmethod

25
sas/tests/test_model.py
View File

@@ -1,10 +1,11 @@
import pytest
from django.test import TestCase from django.test import TestCase
from model_bakery import baker from model_bakery import baker
from core.baker_recipes import old_subscriber_user, subscriber_user from core.baker_recipes import old_subscriber_user, subscriber_user
from core.models import User from core.models import User
from sas.baker_recipes import picture_recipe from sas.baker_recipes import picture_recipe
from sas.models import Picture from sas.models import PeoplePictureRelation, Picture
class TestPictureQuerySet(TestCase): class TestPictureQuerySet(TestCase):
@@ -44,3 +45,25 @@ class TestPictureQuerySet(TestCase):
user.pictures.create(picture=self.pictures[1]) # moderated user.pictures.create(picture=self.pictures[1]) # moderated
pictures = list(Picture.objects.viewable_by(user)) pictures = list(Picture.objects.viewable_by(user))
assert pictures == [self.pictures[1]] assert pictures == [self.pictures[1]]
@pytest.mark.django_db
def test_identifications_viewable_by_user():
picture = baker.make(Picture)
identifications = baker.make(
PeoplePictureRelation, picture=picture, _quantity=10, _bulk_create=True
)
identifications[0].user.is_subscriber_viewable = False
identifications[0].user.save()
assert (
list(picture.people.viewable_by(old_subscriber_user.make()))
== identifications[1:]
)
assert (
list(picture.people.viewable_by(baker.make(User, is_superuser=True)))
== identifications
)
assert list(picture.people.viewable_by(identifications[1].user)) == [
identifications[1]
]