from api.utils import never_cache
+from django.db.models import Q
from django.http import Http404, JsonResponse
from django.shortcuts import render, get_object_or_404
from django.views.decorators import cache
import re
from rest_framework.generics import ListAPIView, ListCreateAPIView, RetrieveUpdateDestroyAPIView
from rest_framework import serializers
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import SAFE_METHODS, IsAuthenticated, IsAuthenticatedOrReadOnly
from api.fields import AbsoluteURLField
@never_cache
class BookmarkView(RetrieveUpdateDestroyAPIView):
- permission_classes = [IsAuthenticated]
+ permission_classes = [IsAuthenticatedOrReadOnly]
serializer_class = BookmarkSerializer
lookup_field = 'uuid'
def get_queryset(self):
- return self.request.user.bookmark_set.all()
+ if self.request.method in SAFE_METHODS:
+ q = Q(deleted=False)
+ if self.request.user.is_authenticated:
+ q |= Q(user=self.request.user)
+ return models.Bookmark.objects.filter(q)
+ else:
+ return self.request.user.bookmark_set.all()
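Review bot: Anonymous callers can now read any user's non-deleted bookmark, because the safe-method branch of `get_queryset` filters only on `Q(deleted=False)` and the permission class is `IsAuthenticatedOrReadOnly`; the UUID in the URL becomes the only access control. The same applies to the read branch of `ListView.get_object` in the later hunk, where the key is a slug and is likely much easier to guess than a UUID. If link-sharing is the intent, say so in a comment such as `# Read access is by link: anyone holding the UUID can read a non-deleted bookmark.` and check that `BookmarkSerializer` (not shown here) exposes no owner-only fields. If only some objects are meant to be public, the read filter needs an explicit opt-in condition from the model rather than `deleted=False` alone.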
# Copyright © Fundacja Wolne Lektury. See NOTICE for more information.
#
from datetime import datetime
+from django.db.models import Q
from django.http import Http404
from django.utils.timezone import now, utc
from rest_framework.generics import ListAPIView, ListCreateAPIView, RetrieveAPIView, RetrieveUpdateAPIView, RetrieveUpdateDestroyAPIView, get_object_or_404
-from rest_framework.permissions import IsAuthenticated, IsAuthenticatedOrReadOnly
+from rest_framework.permissions import SAFE_METHODS, IsAuthenticated, IsAuthenticatedOrReadOnly
from rest_framework.response import Response
from rest_framework import serializers
from rest_framework.views import APIView
@never_cache
class ListView(RetrieveUpdateDestroyAPIView):
# TODO: check if can modify
- permission_classes = [IsAuthenticated]
+ permission_classes = [IsAuthenticatedOrReadOnly]
serializer_class = UserListSerializer
def get_object(self):
- return get_object_or_404(
- models.UserList,
- slug=self.kwargs['slug'],
- user=self.request.user)
+ if self.request.method in SAFE_METHODS:
+ q = Q(deleted=False)
+ if self.request.user.is_authenticated:
+ q |= Q(user=self.request.user)
+ return get_object_or_404(
+ models.UserList,
+ q,
+ slug=self.kwargs['slug'],
+ )
+ else:
+ return get_object_or_404(
+ models.UserList,
+ slug=self.kwargs['slug'],
+ user=self.request.user)
def perform_update(self, serializer):
serializer.save(user=self.request.user)
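Review bot: Dropping the `user=` scope in the read branch of `get_object` makes the lookup depend on `slug` being unique across all users, which cannot be confirmed from this hunk; if two users can hold the same slug, `get_object_or_404` raises `MultipleObjectsReturned` and the request ends in a 500 instead of a 404. The override also never calls `self.check_object_permissions(self.request, obj)`, so an object-level permission added later to resolve the `# TODO: check if can modify` would silently not run. I would bind the result in both branches to `obj`, call `self.check_object_permissions(self.request, obj)`, then `return obj`. A comment stating whether slugs are global or per-user would also help.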