ConceptProd/Portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

B: Fix access for unauth users

Browse Source
This commit is contained in:
Ivan 2025-07-16 10:52:54 +03:00
parent 2a3f413315
commit 86d81d7652
1 changed files with 15 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
rsconcept/backend/apps/prompt/views/prompts.py
View File

@ -4,6 +4,7 @@ from django.db import models
from drf_spectacular.utils import extend_schema from drf_spectacular.utils import extend_schema
from rest_framework import permissions, viewsets from rest_framework import permissions, viewsets
from rest_framework.decorators import action from rest_framework.decorators import action
from rest_framework.permissions import AllowAny
from rest_framework.response import Response from rest_framework.response import Response
from ..models import PromptTemplate from ..models import PromptTemplate
@ -15,6 +16,9 @@ class IsOwnerOrAdmin(permissions.BasePermission):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
if request.method in permissions.SAFE_METHODS: if request.method in permissions.SAFE_METHODS:
# Allow unauthenticated users to view only shared templates
if not request.user or not request.user.is_authenticated:
return obj.is_shared
return obj.is_shared or obj.owner == request.user return obj.is_shared or obj.owner == request.user
return obj.owner == request.user or request.user.is_staff or request.user.is_superuser return obj.owner == request.user or request.user.is_staff or request.user.is_superuser
@ -26,6 +30,11 @@ class PromptTemplateViewSet(viewsets.ModelViewSet):
serializer_class = PromptTemplateSerializer serializer_class = PromptTemplateSerializer
permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin] permission_classes = [permissions.IsAuthenticated, IsOwnerOrAdmin]
def get_permissions(self):
if self.action in ['available', 'retrieve']:
return [AllowAny()]
return [permission() for permission in self.permission_classes]
def get_queryset(self): def get_queryset(self):
user = self.request.user user = self.request.user
if self.action == 'available': if self.action == 'available':
@ -45,8 +54,11 @@ class PromptTemplateViewSet(viewsets.ModelViewSet):
def available(self, request): def available(self, request):
'''Return user-owned and shared prompt templates.''' '''Return user-owned and shared prompt templates.'''
user = request.user user = request.user
owned = PromptTemplate.objects.filter(owner=user) if user.is_authenticated:
shared = PromptTemplate.objects.filter(is_shared=True) owned = PromptTemplate.objects.filter(owner=user)
templates = (owned | shared).distinct() shared = PromptTemplate.objects.filter(is_shared=True)
templates = (owned | shared).distinct()
else:
templates = PromptTemplate.objects.filter(is_shared=True)
serializer = PromptTemplateListSerializer(templates, many=True) serializer = PromptTemplateListSerializer(templates, many=True)
return Response(serializer.data) return Response(serializer.data)