From f9436a1d83e7e76e98cdd2a85bdf82d65a2a08c4 Mon Sep 17 00:00:00 2001
From: Corban-Lee Jones <corbz.jones@gmail.com>
Date: Sat, 7 Sep 2024 21:55:29 +0100
Subject: [PATCH] restrict tracked content to permitted users

---
 apps/api/views.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/apps/api/views.py b/apps/api/views.py
index e0cde18..5cee837 100644
--- a/apps/api/views.py
+++ b/apps/api/views.py
@@ -498,6 +498,17 @@ class TrackedContent_ListView(generics.ListCreateAPIView):
 
         return self.read_serializer_class
 
+    def get_queryset(self):
+        if self.request.user.is_superuser:
+            return TrackedContent.objects.all()
+
+        saved_guilds = SavedGuilds.objects.filter(added_by=self.request.user)
+        guild_ids = [guild.guild_id for guild in saved_guilds]
+
+        return TrackedContent.objects.filter(subscription__guild_id__in=guild_ids)
+
+        # return GuildSettings.objects.filter(guild_id__in=guild_ids)
+
     def post(self, request):
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)