Fix unapproved packages appearing in collections

rubenwardy 2023-08-16 01:00:51 +01:00
parent f470357a42
commit ea2f1f4f6f
5 changed files with 21 additions and 8 deletions

@ -65,7 +65,11 @@ def view(author, name):
if not collection.check_perm(current_user, Permission.VIEW_COLLECTION):
abort(404)
return render_template("collections/view.html", collection=collection)
items = collection.items
if collection.check_perm(current_user, Permission.EDIT_COLLECTION):
items = [x for x in items if x.package.check_perm(current_user, Permission.VIEW_PACKAGE)]
return render_template("collections/view.html", collection=collection, items=items)
class CollectionForm(FlaskForm):
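Review bot: The new guard in `view` looks inverted: the comprehension that drops packages failing `VIEW_PACKAGE` runs only when the viewer holds `EDIT_COLLECTION`, so visitors without edit rights, anonymous ones included, still get the unfiltered `collection.items`. Given the commit title and the state badge added to the template, the intent appears to be the opposite, and the condition should read `if not collection.check_perm(current_user, Permission.EDIT_COLLECTION):`. A regression test that requests a collection containing an unapproved package as an anonymous user and asserts the package is absent from the response would pin this. The start of `view` is outside the hunk.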

@ -130,7 +130,7 @@ def user_redirect(author):
@bp.route("/packages/<author>/<name>/")
@is_package_page
def view(package):
if package.state != PackageState.APPROVED and not package.check_perm(current_user, Permission.EDIT_PACKAGE):
if not package.check_perm(current_user, Permission.VIEW_PACKAGE):
return render_template("packages/gone.html", package=package), 403
show_similar = not package.approved and (

@ -645,14 +645,17 @@ class Package(db.Model):
return None
def check_perm(self, user, perm):
if not user.is_authenticated:
return False
if type(perm) == str:
perm = Permission[perm]
elif type(perm) != Permission:
raise Exception("Unknown permission given to Package.check_perm()")
if perm == Permission.VIEW_PACKAGE:
return self.state == PackageState.APPROVED or self.check_perm(user, Permission.EDIT_PACKAGE)
if not user.is_authenticated:
return False
is_owner = user == self.author
is_maintainer = is_owner or user.rank.at_least(UserRank.EDITOR) or user in self.maintainers
is_approver = user.rank.at_least(UserRank.APPROVER)
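Review bot: The ordering in `Package.check_perm` is now load-bearing but undocumented: the `VIEW_PACKAGE` branch has to come before the `is_authenticated` guard so that anonymous users can still view approved packages. For unapproved ones the recursive `EDIT_PACKAGE` call reaches that guard and returns False. A short comment above the branch would stop a later tidy-up from moving the guard back to the top, e.g. `# VIEW_PACKAGE is checked before the login guard: anonymous users may view approved packages; anything else needs EDIT_PACKAGE`. The body of `check_perm` continues past the end of the hunk, so the `EDIT_PACKAGE` rules themselves are not visible here.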

@ -59,6 +59,7 @@ class UserRank(enum.Enum):
class Permission(enum.Enum):
VIEW_PACKAGE = "VIEW_PACKAGE"
EDIT_PACKAGE = "EDIT_PACKAGE"
DELETE_PACKAGE = "DELETE_PACKAGE"
CHANGE_AUTHOR = "CHANGE_AUTHOR"

@ -59,24 +59,29 @@
<section class="mt-5">
<h2 class="sr-only">{{ _("Packages") }}</h2>
{% if not collection.items %}
{% if not items %}
<p class="text-muted">
{{ _("To add a package, go to the package's page and click 'Add to collection'") }}
</p>
{% endif %}
<div class="grid-2 gap-3">
{% for item in collection.items %}
{% for item in items %}
{% set package_link %}
<a href="{{ item.package.get_url('packages.view') }}">
{{ item.package.title }}
</a>
{% endset %}
<div class="">
<div>
<article class="card">
<div class="embed-responsive embed-responsive-16by9">
<img class="card-img-top embed-responsive-item" src="{{ item.package.get_thumb_url(4) }}" alt="{{ item.package.title }} screenshot">
</div>
<div class="card-body">
{% if item.package.state.name != "APPROVED" %}
<span class="badge badge-warning float-right">
{{ item.package.state.value }}
</span>
{% endif %}
<h5 class="mt-0">
{{ _("%(title)s by %(author)s", title=package_link, author=item.package.author.display_name) }}
</h5>