From e81fa13d40bf88a5d0b4e08a0fc175018c2a888b Mon Sep 17 00:00:00 2001
From: Radek Czajka
Date: Mon, 17 Nov 2025 14:11:55 +0100
Subject: [PATCH] Allow anonymous read on bookmarks, user lists.
---
 src/bookmarks/api/views.py | 13 ++++++++++---
 src/social/api/views.py | 23 +++++++++++++++++------
 2 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/src/bookmarks/api/views.py b/src/bookmarks/api/views.py
index 32449da8c..b500a6654 100644
--- a/src/bookmarks/api/views.py
+++ b/src/bookmarks/api/views.py
@@ -1,5 +1,6 @@
 from api.utils import never_cache
+from django.db.models import Q
 from django.http import Http404, JsonResponse
 from django.shortcuts import render, get_object_or_404
 from django.views.decorators import cache
@@ -10,7 +11,7 @@ from lxml import html
 import re
 from rest_framework.generics import ListAPIView, ListCreateAPIView, RetrieveUpdateDestroyAPIView
 from rest_framework import serializers
-from rest_framework.permissions import IsAuthenticated
+from rest_framework.permissions import SAFE_METHODS, IsAuthenticated, IsAuthenticatedOrReadOnly
 from api.fields import AbsoluteURLField
@@ -54,9 +55,15 @@ class BookBookmarksView(ListAPIView):
 @never_cache
 class BookmarkView(RetrieveUpdateDestroyAPIView):
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticatedOrReadOnly]
     serializer_class = BookmarkSerializer
     lookup_field = 'uuid'
     def get_queryset(self):
-        return self.request.user.bookmark_set.all()
+        if self.request.method in SAFE_METHODS:
+            q = Q(deleted=False)
+            if self.request.user.is_authenticated:
+                q |= Q(user=self.request.user)
+            return models.Bookmark.objects.filter(q)
+        else:
+            return self.request.user.bookmark_set.all()
diff --git a/src/social/api/views.py b/src/social/api/views.py
index bf3529755..9d8fd4a59 100644
--- a/src/social/api/views.py
+++ b/src/social/api/views.py
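Review bot: With `IsAuthenticatedOrReadOnly` and the new safe-method branch of `BookmarkView.get_queryset`, an anonymous GET now reaches any `Bookmark` with `deleted=False` by uuid, so the read path's only access control is the uuid being unguessable plus whatever `BookmarkSerializer` exposes; if that serializer includes the owner (for example a `user` field), a public read would reveal who saved the bookmark, which is worth confirming since the serializer is outside this hunk. The two branches also disagree about soft-deleted rows: reads hide them unless the caller owns them, while PUT/PATCH/DELETE go through `self.request.user.bookmark_set.all()` and still act on `deleted=True` rows; if that is unintended, `return self.request.user.bookmark_set.filter(deleted=False)`. The same read/write asymmetry appears in `ListView.get_object` in src/social/api/views.py. A short docstring would state the rule, e.g. `"""Safe methods see every non-deleted bookmark plus the caller's own; writes are limited to the caller's bookmarks."""`, and the `else:` after a `return` can be dropped. The class body may continue past the hunk.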
@@ -2,10 +2,11 @@
 # Copyright © Fundacja Wolne Lektury. See NOTICE for more information.
 #
 from datetime import datetime
+from django.db.models import Q
 from django.http import Http404
 from django.utils.timezone import now, utc
 from rest_framework.generics import ListAPIView, ListCreateAPIView, RetrieveAPIView, RetrieveUpdateAPIView, RetrieveUpdateDestroyAPIView, get_object_or_404
-from rest_framework.permissions import IsAuthenticated, IsAuthenticatedOrReadOnly
+from rest_framework.permissions import SAFE_METHODS, IsAuthenticated, IsAuthenticatedOrReadOnly
 from rest_framework.response import Response
 from rest_framework import serializers
 from rest_framework.views import APIView
@@ -216,14 +217,24 @@ class ListsView(ListCreateAPIView):
 @never_cache
 class ListView(RetrieveUpdateDestroyAPIView):
     # TODO: check if can modify
-    permission_classes = [IsAuthenticated]
+    permission_classes = [IsAuthenticatedOrReadOnly]
     serializer_class = UserListSerializer
     def get_object(self):
-        return get_object_or_404(
-            models.UserList,
-            slug=self.kwargs['slug'],
-            user=self.request.user)
+        if self.request.method in SAFE_METHODS:
+            q = Q(deleted=False)
+            if self.request.user.is_authenticated:
+                q |= Q(user=self.request.user)
+            return get_object_or_404(
+                models.UserList,
+                q,
+                slug=self.kwargs['slug'],
+            )
+        else:
+            return get_object_or_404(
+                models.UserList,
+                slug=self.kwargs['slug'],
+                user=self.request.user)
     def perform_update(self, serializer):
         serializer.save(user=self.request.user)
--
2.20.1
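Review bot: The safe-method branch of `ListView.get_object` looks a `UserList` up by `slug` alone, whereas the write branch and the old code scoped the lookup with `user=self.request.user`; if `slug` is unique only per user rather than globally, two users sharing a slug make `get_object_or_404` raise `MultipleObjectsReturned`, which surfaces as a 500 instead of a 404. This should be checked against the model's uniqueness constraints; if slugs are per user, the public route needs the owner in the URL, or the branch should resolve the row explicitly, e.g. `obj = models.UserList.objects.filter(q, slug=self.kwargs['slug']).first()` followed by `if obj is None: raise Http404`. The `# TODO: check if can modify` comment above the class is still open after this change; what keeps writes owner-bound is the write branch's `user=` filter together with `perform_update` saving `user=self.request.user`, so a one-line comment saying so would close the TODO or make clear what is still missing. The class continues past the hunk.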