Prevent users from seeing subscriptions outside their server list

2024-03-17 23:14:03 +00:00 · 2024-03-17 23:14:03 +00:00 · 20945e0003
commit 20945e0003
parent eb7083680c
5 changed files with 86 additions and 7 deletions
--- a/apps/api/views.py
+++ b/apps/api/views.py
@ -1,7 +1,5 @@
 # -*- encoding: utf-8 -*-

-import logging
-
 from django.db.utils import IntegrityError
 from django.core.exceptions import ValidationError
 from django_filters import rest_framework as rest_filters
@ -18,9 +16,6 @@ from .serializers import (
    )


-log = logging.getLogger(__name__)
-
-
 class DefaultPagination(PageNumberPagination):
    """Default class for pagination in API views."""

@ -81,7 +76,14 @@ class Subscription_DetailView(generics.RetrieveUpdateDestroyAPIView):
    parser_classes = [MultiPartParser, FormParser]

    serializer_class = SubscriptionSerializer
-    queryset = Subscription.objects.all().order_by("-creation_datetime")
+    # queryset = Subscription.objects.all().order_by("-creation_datetime")
+
+    def get_queryset(self):
+        user_servers = self.request.user.servers
+        user_servers = [server.id for server in user_servers]
+        return Subscription.objects \
+            .filter(server__in=user_servers) \
+            .order_by("-creation_datetime")


 # =================================================================================================
--- a/apps/authentication/migrations/0003_userserverlink.py
+++ b/apps/authentication/migrations/0003_userserverlink.py
@ -0,0 +1,24 @@
+# Generated by Django 5.0.1 on 2024-03-17 22:51
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('authentication', '0002_alter_discorduser_managers'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='UserServerLink',
+            fields=[
+                ('id', models.PositiveBigIntegerField(primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=64)),
+                ('perm_flags', models.IntegerField()),
+                ('user_id', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+            ],
+        ),
+    ]
--- a/apps/authentication/migrations/0004_alter_userserverlink_perm_flags.py
+++ b/apps/authentication/migrations/0004_alter_userserverlink_perm_flags.py
@ -0,0 +1,18 @@
+# Generated by Django 5.0.1 on 2024-03-17 23:00
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('authentication', '0003_userserverlink'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='userserverlink',
+            name='perm_flags',
+            field=models.IntegerField(blank=True, null=True),
+        ),
+    ]
--- a/apps/authentication/models.py
+++ b/apps/authentication/models.py
@ -117,4 +117,28 @@ class DiscordUser(models.Model):
        return self.is_superuser

    def has_module_perms(self, app_label):
-        return self.is_superuser
+        return self.is_superuser
+
+    @property
+    def servers(self):
+        return UserServerLink.objects.filter(user_id=self.id)
+
+
+class UserServerLink(models.Model):
+    """
+    Represents a server (aka guild) from Discord.
+    Serves soley as a permissions checking table to ensure that the
+    user only interacts with Subscriptions for their servers.
+    """
+
+    id = models.PositiveBigIntegerField(primary_key=True)
+    user_id = models.ForeignKey(to=DiscordUser, on_delete=models.CASCADE)
+    name = models.CharField(max_length=64)
+    perm_flags = models.IntegerField(null=True, blank=True)
+
+    def __str__(self):
+        return self.name
+
+    @property
+    def is_admin(self):
+        return self.perm_flags & 0x0000000000000008
--- a/apps/authentication/views.py
+++ b/apps/authentication/views.py
@ -9,6 +9,8 @@ from django.views.generic import View, TemplateView
 from django.shortcuts import render, redirect
 from django.contrib.auth import authenticate, login

+from .models import UserServerLink
+
 log = logging.getLogger(__name__)


@ -92,6 +94,15 @@ class GuildsView(View):

        content = response.json()

+        servers = [UserServerLink(
+            id=server["id"],
+            user_id=request.user,
+            name=server["name"]
+        ) for server in content]
+
+        UserServerLink.objects.filter(user_id=request.user).delete()
+        UserServerLink.objects.bulk_create(servers)
+
        return JsonResponse(content, safe=False)