def postView(request, id):
# We could check to see if the user has permission to view this post in here
# Based on the privacy setting etc.
# This is our post object with the given ID
# If the post doesn't exist it instantly 404's
# This way we won't have to do any taxing database math
post = get_object_or_404(Post, pk=id) #pk is primary key
# Do not display an image if the image does not exist
imageExists = False
if post.image_link != "":
imageExists = True
# Perform privacy calculations
# Has permission will be passed in
# If its False we could either display a 404 or a "you do not have permission"
hasPermission = Services.has_permission_to_see_post(request.user.id, post)
if post.is_markdown:
post.body = markdownify(post.body)
# Post is the post data
# imageExists is whether or not there is an image to display
# markDown is whether or not to display the plaintext or markdown contents
# Has permission determines whether or not to display content to the user
post.privacy_setting = Services.get_privacy_string_for_post(
post.privacy_setting)
return render(request, 'post/post.html', {
"post": post,
"imageExists": imageExists,
"hasPermission": hasPermission
})
def test_permissions_work_with_non_uuid(self):
# essentially test that we can pass in a string (instead of a UUID) without the function crashing
myPost = Post.objects.get(id="9c4f71d9-fcc5-48b0-8092-9b775969bc9f")
hasPermission = Services.has_permission_to_see_post(
"8c4f71d9-fcc5-48b0-8092-9b775969bc9e", myPost)
# if we get here, there hasn't been an error
self.assertEqual(True, hasPermission)
def test_fofof_cant_see_fof_posts(self):
friendOfFriendOfSomeUser = UserModels.CustomUser.objects.get(
id="8c4f71d9-fcc5-48b0-8092-9b775969bc9a")
myPost = Post.objects.get(id="9c4f71d9-fcc5-48b0-8092-9b775969bc9a")
hasPermission = Services.has_permission_to_see_post(
friendOfFriendOfSomeUser.id, myPost)
self.assertEqual(False, hasPermission)
def test_user_cannot_see_another_author_posts_when_not_allowed(self):
"""Users cannot see Another Author posts if they aren't authorized"""
strangerUser = UserModels.CustomUser.objects.get(
id="8c4f71d9-fcc5-48b0-8092-9b775969bc9e")
myPost = Post.objects.get(id="9c4f71d9-fcc5-48b0-8092-9b775969bc9d")
hasPermission = Services.has_permission_to_see_post(
strangerUser.id, myPost)
self.assertEqual(False, hasPermission)
def test_user_can_see_another_author_posts_when_allowed(self):
"""Authorized users can see the post when the post privacy is set to Another Author"""
someUser = UserModels.CustomUser.objects.get(
id="8c4f71d9-fcc5-48b0-8092-9b775969bc9d")
myPost = Post.objects.get(id="9c4f71d9-fcc5-48b0-8092-9b775969bc9d")
hasPermission = Services.has_permission_to_see_post(
someUser.id, myPost)
self.assertEqual(True, hasPermission)
def test_user_can_see_their_own_posts(self):
"""Users can see their own posts"""
author = UserModels.CustomUser.objects.get(
id="8c4f71d9-fcc5-48b0-8092-9b775969bc9c")
myPost = Post.objects.get(id="9c4f71d9-fcc5-48b0-8092-9b775969bc9c")
hasPermission = Services.has_permission_to_see_post(author.id, myPost)
self.assertEqual(True, hasPermission)
def test_user_can_see_public_posts(self):
"""Users can see public posts"""
strangerUser = UserModels.CustomUser.objects.get(
id="8c4f71d9-fcc5-48b0-8092-9b775969bc9e")
myPost = Post.objects.get(id="9c4f71d9-fcc5-48b0-8092-9b775969bc9f")
hasPermission = Services.has_permission_to_see_post(
strangerUser.id, myPost)
self.assertEqual(True, hasPermission)
def test_users_should_be_able_to_see_unlisted(self):
# has_permission_to_see_post wouldn't be called if they didn't know the url
strangerUser = UserModels.CustomUser.objects.get(
id="8c4f71d9-fcc5-48b0-8092-9b775969bc9e")
myPost = Post.objects.get(id="9c4f71d9-fcc5-48b0-8092-9b775969bc9b")
hasPermission = Services.has_permission_to_see_post(
strangerUser.id, myPost)
self.assertEqual(True, hasPermission)
def test_user_cannot_see_friends_posts_of_non_friends(self):
"""Users can't see My Friends posts when they aren't friends"""
strangerUser = UserModels.CustomUser.objects.get(
id="8c4f71d9-fcc5-48b0-8092-9b775969bc9e")
myPost = Post.objects.get(id="9c4f71d9-fcc5-48b0-8092-9b775969bc9e")
hasPermission = Services.has_permission_to_see_post(
strangerUser.id, myPost)
self.assertEqual(False, hasPermission)
def test_user_can_see_their_friends_posts_when_allowed(self):
"""Users can see their friends' posts when the posts are set to My Friends"""
someUser = UserModels.CustomUser.objects.get(
id="8c4f71d9-fcc5-48b0-8092-9b775969bc9d")
myPost = Post.objects.get(id="9c4f71d9-fcc5-48b0-8092-9b775969bc9e")
hasPermission = Services.has_permission_to_see_post(
someUser.id, myPost)
self.assertEqual(True, hasPermission)
def test_permissions_work_with_uuid(self):
# essentially test that we can pass in a UUID without the function crashing
# This is currently the same as an above test and uuid functionality is implicitly tested by other tests
# but I want to make sure this is explicitly tested in case the above tests change
strangerUser = UserModels.CustomUser.objects.get(
id="8c4f71d9-fcc5-48b0-8092-9b775969bc9e")
myPost = Post.objects.get(id="9c4f71d9-fcc5-48b0-8092-9b775969bc9f")
hasPermission = Services.has_permission_to_see_post(
strangerUser.id, myPost)
self.assertEqual(True, hasPermission)
def retrieve(self, request, pk=None):
# permission_classes = (IsAuthenticated,)
queryset = Post.objects.filter(pk=pk)
# serializer_class = PostSerializer(queryset, many=True)
post = getPostData(request, pk=pk)
requested_post = Post.objects.get(pk=pk)
response = OrderedDict()
response.update({"query": "getPost"})
response.update({"posts": post})
request_user_id = getAuthorIdForApiRequest(request)
if request_user_id == None:
raise ParseError(
"No correct X-User header or authentication were provided.")
if not Services.has_permission_to_see_post(request_user_id,
requested_post):
return Response("403", status=403)
# return Response(serializer_class.data)
return Response(response)
def profileView(request, username):
author = CustomUser.objects.get(username=username)
# will probably change the edit profile functionality later, and check if profile author == logged in user here
# get the profile author
if request.user.username == username:
profile_posts = Post.objects.filter(
author=author.id).order_by('-published')
else:
profile_posts_all = Post.objects.filter(
author=author.id).order_by('-published')
profile_posts = []
for post in profile_posts_all:
if Services.has_permission_to_see_post(request.user.id, post):
profile_posts.append(post)
for p in profile_posts:
if p.is_markdown:
p.body = markdownify(p.body)
return render(request, 'profile/profile.html', {
'author': author,
"posts": profile_posts
})
def userPosts(self, request, pk=None):
author_id = self.kwargs['pk']
author_id = str(author_id)
# uname = request.user
# uid = uname.id
uid = getAuthorIdForApiRequest(request)
if uid == None:
raise ParseError(
"No correct X-User header or authentication were provided.")
uid = str(uid)
# allowed_posts = Post.objects.raw(' \
# WITH posts AS (SELECT id FROM API_post WHERE author_id in \
# (SELECT f2.friend_a_id AS fofid \
# FROM API_friendship f \
# JOIN API_friendship f2 ON f.friend_a_id = f2.friend_b_id \
# WHERE fofid NOT IN (SELECT friend_a_ID FROM API_friendship \
# WHERE friend_b_id = %s) AND f.friend_b_id = %s AND fofid != %s) AND privacy_setting = 4 \
# UNION \
# SELECT id FROM API_post WHERE (author_id in \
# (WITH friends(fid) AS (SELECT friend_b_id FROM API_friendship WHERE friend_a_id=%s) \
# SELECT * FROM friends WHERE fid != %s GROUP BY fid) \
# AND (privacy_setting = 3 OR privacy_setting = 4)) OR author_id = %s OR privacy_setting = 6) \
# SELECT * FROM API_post WHERE id in posts \
# AND author_id = %s \
# ORDER BY published DESC', [str(uid)]*6 + [author_id])
# Instead of this big boy query, just query for all our posts
# Then for each post, check to see if the user has permission
allowed_posts = []
allPosts = Post.objects.filter(author=author_id).order_by(
'-published') # I think this returns them all
for post in allPosts:
if Services.has_permission_to_see_post(uid, post):
allowed_posts.append(post)
paginator = PostsPagination()
paginated_posts = paginator.paginate_queryset(allowed_posts, request)
serialized_posts = PostSerializer(paginated_posts, many=True)
response = OrderedDict()
response.update({"query": "posts"})
response.update({"count": len(allowed_posts)})
response.update({"size": Services.get_page_size(request, paginator)})
response.update({"next": None})
response.update({"previous": None})
# response.update({"posts": serialized_posts.data})
posts = []
for post in serialized_posts.data:
# Get single post information
postId = str(post["id"])
posts.append(getPostData(request, pk=postId))
# response.update({"posts":serialized_posts.data})
response.update({"posts": posts})
if paginator.get_next_link() is not None:
response["next"] = paginator.get_next_link()
if paginator.get_previous_link() is not None:
response["previous"] = paginator.get_previous_link()
return Response(response)
def userPostComments(self, request, pk=None):
permission_classes = (IsAuthenticated, )
post_id = pk
# does the post exist?
try:
requested_post = Post.objects.get(id=post_id)
except:
response = {
'query': 'addComment',
'success': False,
'message': "Comment not allowed"
}
return Response(response, status=403)
if request.method == "POST":
# check that we're allowed to see the post - for now just check if the posts are public
# for right now, just return comments from public posts
# should we check if post visibility is serveronly/private?
request_user_id = getAuthorIdForApiRequest(request)
if request_user_id == None:
raise ParseError(
"No correct X-User header or authentication were provided."
)
if Services.has_permission_to_see_post(request_user_id,
requested_post):
body = json.loads(request.body.decode('utf-8'))
if Services.addComment(body, post_id):
response = {
'query': 'addComment',
'success': True,
'message': "Comment Added"
}
return Response(response, status=200)
else:
response = {
'query': 'addComment',
'success': False,
'message': "Comment not allowed"
}
return Response(response, status=403)
elif request.method == "GET": # this handles "GET" methods
# check that we're allowed to see the post - for now just check if the posts are public
# for right now, just return comments from public posts
paginator = PostsPagination()
# if requested_post.privacy_setting == "6":
request_user_id = getAuthorIdForApiRequest(request)
if request_user_id == None:
raise ParseError(
"No correct X-User header or authentication were provided."
)
if Services.has_permission_to_see_post(request_user_id,
requested_post):
queryset = Comment.objects.filter(
post=pk).order_by('-datetime')
comments = CommentSerializer(queryset, many=True).data
comments_response = []
for comment in comments:
comments_response.append(
getCommentData(request, pk=comment["id"]))
paginated_comments = paginator.paginate_queryset(
comments_response, request)
response = OrderedDict()
response.update({"query": "comments"})
response.update({"count": len(queryset)})
response.update(
{"size": Services.get_page_size(request, paginator)})
response.update({"next": None})
response.update({"previous": None})
response.update({"comments": paginated_comments})
if paginator.get_next_link() is not None:
response["next"] = paginator.get_next_link()
if paginator.get_previous_link() is not None:
response["previous"] = paginator.get_previous_link()
return Response(response)
else:
raise PermissionDenied(
"Forbidden: You don't have permission to access comments for this post or you provided an invalid user."
)
else:
raise MethodNotAllowed(method=request.method)
