Subs authorisation implementation

2024-04-26 23:27:01 +01:00 · 2024-04-26 23:27:01 +01:00 · 3808630e4d
commit 3808630e4d
parent c4145721cf
1 changed files with 27 additions and 3 deletions
--- a/apps/api/views.py
+++ b/apps/api/views.py
@ -2,6 +2,7 @@

 import logging

+from django.db.models import Subquery
 from django.db.utils import IntegrityError
 from django_filters import rest_framework as rest_filters
 from rest_framework import status, permissions, filters, generics
@ -43,13 +44,22 @@ class Subscription_ListView(generics.ListCreateAPIView):

    pagination_class = DefaultPagination
    serializer_class = SubscriptionSerializer
-    queryset = Subscription.objects.all().order_by("-creation_datetime")
+    # queryset = Subscription.objects.all().order_by("-creation_datetime")

    filter_backends = [filters.SearchFilter, rest_filters.DjangoFilterBackend, filters.OrderingFilter]
    filterset_fields = ["id", "name", "url", "guild_id", "creation_datetime", "extra_notes", "active"]
    search_fields = ["name", "extra_notes"]
    ordering_fields = ["creation_datetime", "guild_id"]

+    def get_queryset(self):
+        saved_guild_ids = SavedGuilds.objects \
+            .filter(added_by=self.request.user.id) \
+            .values("guild_id")
+
+        return Subscription.objects \
+            .filter(guild_id__in=Subquery(saved_guild_ids)) \
+            .order_by("-creation_datetime")
+
    def post(self, request):
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)
@ -79,7 +89,16 @@ class Subscription_DetailView(generics.RetrieveUpdateDestroyAPIView):
    parser_classes = [MultiPartParser, FormParser]

    serializer_class = SubscriptionSerializer
-    queryset = Subscription.objects.all().order_by("-creation_datetime")
+    # queryset = Subscription.objects.all().order_by("-creation_datetime")
+
+    def get_queryset(self):
+        saved_guild_ids = SavedGuilds.objects \
+            .filter(added_by=self.request.user.id) \
+            .values("guild_id")
+
+        return Subscription.objects \
+            .filter(guild_id__in=Subquery(saved_guild_ids)) \
+            .order_by("-creation_datetime")


 # =================================================================================================
@ -107,7 +126,12 @@ class SavedGuild_ListView(generics.ListCreateAPIView):
        return SavedGuilds.objects.filter(added_by=self.request.user)

    def post(self, request):
-        
+
+        # TODO:
+        # the data used for admin/owner verification is provided
+        # from the client, this is a potential attack vector, and
+        # should be rewritten.
+
        is_owner = request.data["owner"].lower() == "true"

        # Check user is admin in server