From c74ed50bd5029aebc31841912ca573af03b97aa2 Mon Sep 17 00:00:00 2001
From: Tom Hacohen
Date: Wed, 26 Feb 2020 21:13:33 +0200
Subject: [PATCH] Collection: filter queryset only to collections for which the user has access to.
---
 django_etesync/views.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/django_etesync/views.py b/django_etesync/views.py
index 9bdb244..8de7313 100644
--- a/django_etesync/views.py
+++ b/django_etesync/views.py
@@ -50,7 +50,8 @@ class BaseViewSet(viewsets.ModelViewSet):
 return serializer_class
 def get_collection_queryset(self, queryset=Collection.objects):
- return queryset.all()
+ user = self.request.user
+ return queryset.filter(members__user=user)
 class CollectionViewSet(BaseViewSet):
@@ -143,7 +144,7 @@ class CollectionItemViewSet(BaseViewSet):
 @action_decorator(detail=True, methods=['GET'])
 def revision(self, request, collection_uid=None, uid=None):
- col = get_object_or_404(Collection.objects, uid=collection_uid)
+ col = get_object_or_404(self.get_collection_queryset(Collection.objects), uid=collection_uid)
 col_it = get_object_or_404(col.items, uid=uid)
 serializer = CollectionItemRevisionSerializer(col_it.revisions.order_by('-id'), many=True)
@@ -169,7 +170,8 @@ class CollectionItemChunkViewSet(viewsets.ViewSet):
 lookup_field = 'uid'
 def get_collection_queryset(self, queryset=Collection.objects):
- return queryset.all()
+ user = self.request.user
+ return queryset.filter(members__user=user)
 def create(self, request, collection_uid=None, collection_item_uid=None):
 col = get_object_or_404(self.get_collection_queryset(), uid=collection_uid)
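Review bot: The new `get_collection_queryset` in BaseViewSet reads `self.request.user` with no guard, so if this viewset is ever reachable without authentication, `request.user` is Django's AnonymousUser and `queryset.filter(members__user=user)` raises instead of returning an empty queryset; the permission classes that would rule this out are outside the hunk. If authentication is guaranteed, say so above the filter: `# request.user is always authenticated here (enforced by permission_classes)`. The join through `members` also yields a collection once per matching membership row, so unless a unique constraint holds one membership per user and collection, the filter should end in `.distinct()`. The same two points apply to the copy of this method in the CollectionItemChunkViewSet hunk below.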
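Review bot: Routing the lookup in `revision` through `get_collection_queryset` means a non-member now gets a 404 rather than a 403; that is the safer outcome, since it does not confirm that the collection uid exists, but it deserves a comment on that line: `# non-members get 404, not 403, so the uid's existence is not revealed`. Passing `Collection.objects` explicitly is redundant because it is the method's default, and `self.get_collection_queryset()` would match how the chunk viewset's `create` calls it. Whether other actions in this viewset still query `Collection.objects` directly cannot be checked from the hunk.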
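Review bot: `CollectionItemChunkViewSet.get_collection_queryset` is now a line-for-line copy of the BaseViewSet method in the first hunk, and since `CollectionItemChunkViewSet` derives from `viewsets.ViewSet` it cannot inherit it; two copies of the access-control filter will drift the next time the membership rule changes. A small mixin holding the single method, inherited by both classes, keeps the authorization filter in one place. The AnonymousUser and `.distinct()` points raised on the first hunk apply here unchanged.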