Fix unapproved packages appearing in collections

app/blueprints/collections/__init__.py

@@ -65,7 +65,11 @@ def view(author, name):
 	if not collection.check_perm(current_user, Permission.VIEW_COLLECTION):
 		abort(404)
 
-	return render_template("collections/view.html", collection=collection)
+	items = collection.items
+	if collection.check_perm(current_user, Permission.EDIT_COLLECTION):
+		items = [x for x in items if x.package.check_perm(current_user, Permission.VIEW_PACKAGE)]
+
+	return render_template("collections/view.html", collection=collection, items=items)
 
 
 class CollectionForm(FlaskForm):

app/blueprints/packages/packages.py

@@ -130,7 +130,7 @@ def user_redirect(author):
 @bp.route("/packages/<author>/<name>/")
 @is_package_page
 def view(package):
-	if package.state != PackageState.APPROVED and not package.check_perm(current_user, Permission.EDIT_PACKAGE):
+	if not package.check_perm(current_user, Permission.VIEW_PACKAGE):
 		return render_template("packages/gone.html", package=package), 403
 
 	show_similar = not package.approved and (

app/models/packages.py

@@ -645,14 +645,17 @@ class Package(db.Model):
 		return None
 
 	def check_perm(self, user, perm):
-		if not user.is_authenticated:
-			return False
-
 		if type(perm) == str:
 			perm = Permission[perm]
 		elif type(perm) != Permission:
 			raise Exception("Unknown permission given to Package.check_perm()")
 
+		if perm == Permission.VIEW_PACKAGE:
+			return self.state == PackageState.APPROVED or self.check_perm(user, Permission.EDIT_PACKAGE)
+
+		if not user.is_authenticated:
+			return False
+
 		is_owner = user == self.author
 		is_maintainer = is_owner or user.rank.at_least(UserRank.EDITOR) or user in self.maintainers
 		is_approver = user.rank.at_least(UserRank.APPROVER)

app/models/users.py

@@ -59,6 +59,7 @@ class UserRank(enum.Enum):
 
 
 class Permission(enum.Enum):
+	VIEW_PACKAGE       = "VIEW_PACKAGE"
 	EDIT_PACKAGE       = "EDIT_PACKAGE"
 	DELETE_PACKAGE     = "DELETE_PACKAGE"
 	CHANGE_AUTHOR      = "CHANGE_AUTHOR"

app/templates/collections/view.html

@@ -59,24 +59,29 @@
 
 	<section class="mt-5">
 		<h2 class="sr-only">{{ _("Packages") }}</h2>
-		{% if not collection.items %}
+		{% if not items %}
 			<p class="text-muted">
 				{{ _("To add a package, go to the package's page and click 'Add to collection'") }}
 			</p>
 		{% endif %}
 		<div class="grid-2 gap-3">
-			{% for item in collection.items %}
+			{% for item in items %}
 				{% set package_link %}
 					<a href="{{ item.package.get_url('packages.view') }}">
 						{{ item.package.title }}
 					</a>
 				{% endset %}
-				<div class="">
+				<div>
 					<article class="card">
 						<div class="embed-responsive embed-responsive-16by9">
 							<img class="card-img-top embed-responsive-item" src="{{ item.package.get_thumb_url(4) }}" alt="{{ item.package.title }} screenshot">
 						</div>
 						<div class="card-body">
+							{% if item.package.state.name != "APPROVED" %}
+								<span class="badge badge-warning float-right">
+									{{ item.package.state.value }}
+								</span>
+							{% endif %}
 							<h5 class="mt-0">
 								{{ _("%(title)s by %(author)s", title=package_link, author=item.package.author.display_name) }}
 							</h5>