diff --git a/app/blueprints/api/endpoints.py b/app/blueprints/api/endpoints.py
index c5cbb464..bb4e0e22 100644
--- a/app/blueprints/api/endpoints.py
+++ b/app/blueprints/api/endpoints.py
@@ -867,18 +867,21 @@ def collection_list():
 @bp.route("/api/collections///")
+@is_api_authd
 @cors_allowed
-def collection_view(author, name):
+def collection_view(token, author, name):
+ user = token.owner if token else None
+
 collection = Collection.query \
 .filter(Collection.name == name, Collection.author.has(username=author)) \
 .one_or_404()
- if not collection.check_perm(current_user, Permission.VIEW_COLLECTION):
+ if not collection.check_perm(user, Permission.VIEW_COLLECTION):
 error(404, "Collection not found")
 items = collection.items
- if collection.check_perm(current_user, Permission.EDIT_COLLECTION):
- items = [x for x in items if x.package.check_perm(current_user, Permission.VIEW_PACKAGE)]
+ if not collection.check_perm(user, Permission.EDIT_COLLECTION):
+ items = [x for x in items if x.package.check_perm(user, Permission.VIEW_PACKAGE)]
 ret = collection.as_dict()
 ret["items"] = [x.as_dict() for x in items]
diff --git a/app/models/collections.py b/app/models/collections.py
index d1e1f5ac..f1eaf198 100644
--- a/app/models/collections.py
+++ b/app/models/collections.py
@@ -95,7 +95,7 @@ class Collection(db.Model):
 elif type(perm) != Permission:
 raise Exception("Unknown permission given to Collection.check_perm()")
- if not user.is_authenticated:
+ if user is None or not user.is_authenticated:
 return perm == Permission.VIEW_COLLECTION and not self.private
 can_view = not self.private or self.author == user or user.rank.at_least(UserRank.MODERATOR)
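Review bot: `x.package.check_perm(user, Permission.VIEW_PACKAGE)` in the new item filter is now reached with `user is None` for a token-less caller, yet only `Collection.check_perm` (the collections.py hunk) gained a `None` guard; unless `Package.check_perm` already tolerates `None`, an anonymous request for a public collection will raise on `user.is_authenticated` instead of returning its public packages, so that method needs the same `if user is None or not user.is_authenticated:` branch or the call site needs a guard. A second point to confirm is the inverted condition: anyone holding `EDIT_COLLECTION` now skips the per-package view filter entirely, so an editor still receives items whose package has since become non-viewable to them; if that is not intended, apply the filter unconditionally, `items = [x for x in items if x.package.check_perm(user, Permission.VIEW_PACKAGE)]`. `collection_view` continues past the end of the hunk, so its return path is not visible here.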
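Review bot: The new `user is None` branch widens `check_perm`'s contract to accept an absent user, but nothing on the changed line or at the call site records why, which invites a later "cleanup" back to the bare `user.is_authenticated` test; a comment such as `# user is None for token-less API callers; treat exactly like an anonymous session` on the new line would pin that down. The method's signature and any docstring start before the hunk and are not visible here, so the same fact should be stated there as well.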