Collection: filter queryset only to collections for which the user has access to.
parent
771d2d013d
commit
c74ed50bd5
@ -50,7 +50,8 @@ class BaseViewSet(viewsets.ModelViewSet):
|
|||||||
return serializer_class
|
return serializer_class
|
||||||
|
|
||||||
def get_collection_queryset(self, queryset=Collection.objects):
|
def get_collection_queryset(self, queryset=Collection.objects):
|
||||||
return queryset.all()
|
user = self.request.user
|
||||||
|
return queryset.filter(members__user=user)
|
||||||
|
|
||||||
|
|
||||||
class CollectionViewSet(BaseViewSet):
|
class CollectionViewSet(BaseViewSet):
|
||||||
@ -143,7 +144,7 @@ class CollectionItemViewSet(BaseViewSet):
|
|||||||
|
|
||||||
@action_decorator(detail=True, methods=['GET'])
|
@action_decorator(detail=True, methods=['GET'])
|
||||||
def revision(self, request, collection_uid=None, uid=None):
|
def revision(self, request, collection_uid=None, uid=None):
|
||||||
col = get_object_or_404(Collection.objects, uid=collection_uid)
|
col = get_object_or_404(self.get_collection_queryset(Collection.objects), uid=collection_uid)
|
||||||
col_it = get_object_or_404(col.items, uid=uid)
|
col_it = get_object_or_404(col.items, uid=uid)
|
||||||
|
|
||||||
serializer = CollectionItemRevisionSerializer(col_it.revisions.order_by('-id'), many=True)
|
serializer = CollectionItemRevisionSerializer(col_it.revisions.order_by('-id'), many=True)
|
||||||
@ -169,7 +170,8 @@ class CollectionItemChunkViewSet(viewsets.ViewSet):
|
|||||||
lookup_field = 'uid'
|
lookup_field = 'uid'
|
||||||
|
|
||||||
def get_collection_queryset(self, queryset=Collection.objects):
|
def get_collection_queryset(self, queryset=Collection.objects):
|
||||||
return queryset.all()
|
user = self.request.user
|
||||||
|
return queryset.filter(members__user=user)
|
||||||
|
|
||||||
def create(self, request, collection_uid=None, collection_item_uid=None):
|
def create(self, request, collection_uid=None, collection_item_uid=None):
|
||||||
col = get_object_or_404(self.get_collection_queryset(), uid=collection_uid)
|
col = get_object_or_404(self.get_collection_queryset(), uid=collection_uid)
|
||||||
|
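Review bot: The membership filter `return queryset.filter(members__user=user)` is now defined twice, identically, in `BaseViewSet.get_collection_queryset` and `CollectionItemChunkViewSet.get_collection_queryset`. As the `revision` hunk shows, any lookup that goes straight to `Collection.objects` silently skips it. Since this helper is the access-control boundary for collections, consider moving it into one mixin that both classes inherit, with a docstring such as `"""Return only collections the requesting user is a member of; every collection lookup must go through this."""`. The rest of the file lies outside these hunks, so it is worth checking it for other `Collection.objects` lookups keyed by `collection_uid`, and a regression test where a non-member requests `revision` and the chunk `create` and gets a 404 would pin the behaviour. The permission classes are not visible here, so confirm that authentication is enforced before `self.request.user` is used in the filter, because an anonymous user is presumably not a valid value for `members__user`.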