B: Fix access for unauth users

2025-08-14 04:40:36 +03:00 · 2025-07-16 10:53:15 +03:00 · 2025-07-16 10:53:15 +03:00 · 9964b8df23
commit 9964b8df23
parent d83ebfa8d5
1 changed files with 15 additions and 3 deletions
--- a/rsconcept/backend/apps/prompt/views/prompts.py
+++ b/rsconcept/backend/apps/prompt/views/prompts.py
@ -4,6 +4,7 @@ from django.db import models
 from drf_spectacular.utils import extend_schema
 from rest_framework import permissions, viewsets
 from rest_framework.decorators import action
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response

 from ..models import PromptTemplate
@ -15,6 +16,9 @@ class IsOwnerOrAdmin(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        if request.method in permissions.SAFE_METHODS:
+            # Allow unauthenticated users to view only shared templates
+            if not request.user or not request.user.is_authenticated:
+                return obj.is_shared
            return obj.is_shared or obj.owner == request.user
        return obj.owner == request.user or request.user.is_staff or request.user.is_superuser

@ -26,6 +30,11 @@ class PromptTemplateViewSet(viewsets.ModelViewSet):
    serializer_class = PromptTemplateSerializer
    permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]

+    def get_permissions(self):
+        if self.action in ['available', 'retrieve']:
+            return [AllowAny()]
+        return [permission() for permission in self.permission_classes]
+
    def get_queryset(self):
        user = self.request.user
        if self.action == 'available':
@ -45,8 +54,11 @@ class PromptTemplateViewSet(viewsets.ModelViewSet):
    def available(self, request):
        '''Return user-owned and shared prompt templates.'''
        user = request.user
-        owned = PromptTemplate.objects.filter(owner=user)
-        shared = PromptTemplate.objects.filter(is_shared=True)
-        templates = (owned | shared).distinct()
+        if user.is_authenticated:
+            owned = PromptTemplate.objects.filter(owner=user)
+            shared = PromptTemplate.objects.filter(is_shared=True)
+            templates = (owned | shared).distinct()
+        else:
+            templates = PromptTemplate.objects.filter(is_shared=True)
        serializer = PromptTemplateListSerializer(templates, many=True)
        return Response(serializer.data)