diff --git a/src/api/abl/PlaylistAbl.py b/src/api/abl/PlaylistAbl.py
index 0ec9417..6006780 100644
--- a/src/api/abl/PlaylistAbl.py
+++ b/src/api/abl/PlaylistAbl.py
@@ -3,6 +3,7 @@ from ..models import Playlist, PlaylistFile, File, Role
 from .. import db
 from datetime import datetime
 from ..dao.Playlist import PlaylistDao
+from ..dao.UsersDao import UsersDao
 from flask_login import current_user
 from screen.ScreenManager import ScreenManager
@@ -50,17 +51,18 @@ class PlaylistAbl:
 def get_playlist(playlist_id):
 (query, files) = PlaylistDao.get_playlist(playlist_id)
 query = query.as_dict_with_roles()
- return jsonify({ \
- 'id': query['id'], \
- 'name': query['name'], \
- 'owner_id': query['owner_id'], \
- 'view': query['view'], \
- 'edit': query['edit'], \
+ return jsonify({
+ 'id': query['id'],
+ 'name': query['name'],
+ 'owner_id': query['owner_id'],
+ 'view': query['view'],
+ 'edit': query['edit'],
 'files': files})
 @staticmethod
 def list():
- playlists = db.session.query(Playlist).all()
+ user_id = current_user.as_dict()['id']
+ playlists = UsersDao.playlists(user_id)
 res = []
 for playlist in playlists:
 p = playlist.as_dict()
@@ -73,11 +75,11 @@ class PlaylistAbl:
 # EDIT PLAYLIST CONTENT
 @staticmethod
 def add_file(playlist_id, data):
- new_playlist_file = PlaylistFile( \
- playlist_id=playlist_id, \
- file_id=data['file_id'], \
- position=data['position'], \
- seconds=data['seconds'] \
+ new_playlist_file = PlaylistFile(
+ playlist_id=playlist_id,
+ file_id=data['file_id'],
+ position=data['position'],
+ seconds=data['seconds']
 )
 db.session.add(new_playlist_file)
diff --git a/src/api/controllers/playlist.py b/src/api/controllers/playlist.py
index ac26c24..898b20e 100644
--- a/src/api/controllers/playlist.py
+++ b/src/api/controllers/playlist.py
@@ -20,6 +20,7 @@ def create():
 @playlist.route('/playlists', methods=["GET"])
 @login_required
+@permissions.require([Perm.VIEW_PLAYLIST])
 def list():
 return PlaylistAbl.list()
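Review bot: `list()` now scopes its result to the caller through `UsersDao.playlists(user_id)`, but `get_playlist` in the same hunk still fetches any playlist by id with no ownership or role check, so the listing restriction can be sidestepped by requesting an id directly unless the controller enforces it; verify the returned `owner_id`/`view`/`edit` against the caller before returning, or pass the caller's id into `PlaylistDao.get_playlist` so the DAO applies the same rule. Minor: `current_user.as_dict()['id']` serialises the whole user to read one field — if the User model exposes `id` as an attribute, `user_id = current_user.id` is simpler and avoids the dict round-trip. The decorator line for `get_playlist` lies above the hunk.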
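Review bot: The new `@permissions.require([Perm.VIEW_PLAYLIST])` references `permissions` and `Perm`, neither of which is imported in this hunk; if they are not already in scope at the top of controllers/playlist.py (outside the hunk) the module fails at import time rather than at request time. Placing it below `@login_required` is the right order — anonymous callers are rejected before any role lookup runs. Since this decorator is the only route-level authorisation visible for `/playlists`, the single-playlist GET route (not in this diff) should carry the same guard if it does not already.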
diff --git a/src/api/dao/UsersDao.py b/src/api/dao/UsersDao.py
index d346b7d..f966e23 100644
--- a/src/api/dao/UsersDao.py
+++ b/src/api/dao/UsersDao.py
@@ -1,13 +1,13 @@
 from .. import db
-from ..models import User, Role
+from ..models import User, Role, Playlist
 class UsersDao:
 def has_role_view_q(user_id):
 has_role_to_view = db.session.query(User) \
 .filter(User.id == user_id) \
- .filter( \
- User.roles.any( \
- Role.users.any(Role.playlists_view is not None) \
+ .filter(
+ User.roles.any(
+ Role.users.any(Role.playlists_view is not None)
 )) \
 .first()
 return has_role_to_view
@@ -15,10 +15,34 @@ class UsersDao:
 def has_role_edit_q(user_id):
 has_role_to_edit = db.session.query(User) \
 .filter(User.id == user_id) \
- .filter( \
- User.roles.any( \
- Role.users.any(Role.playlists_edit is not None) \
+ .filter(
+ User.roles.any(
+ Role.users.any(Role.playlists_edit is not None)
 )) \
 .first()
 return has_role_to_edit
+ def playlists(user_id):
+ playlists = db.session.query(Playlist) \
+ .filter(
+ # all playlist where user can view
+ Playlist.view.any(
+ # check if a role belongs to this user
+ Role.user_id == user_id or
+ # check if a this user has a role to view
+ Role.users.any(User.id == user_id) \
+ ) |
+ # all playlist where user can edit
+ Playlist.edit.any(
+ # check if a role belongs to this user
+ Role.user_id == user_id or
+ # check if a this user has a role to edit
+ Role.users.any(User.id == user_id)
+
+ ) |
+ (Playlist.owner_id == user_id)
+ ) \
+ .all()
+ return playlists
+
+
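Review bot: `Role.users.any(Role.playlists_view is not None)` on the new side is a Python identity test of the mapped attribute `Role.playlists_view` against `None`, which is always True, so the inner criterion is a constant and `has_role_view_q` matches any user that holds any role at all rather than one whose role actually grants view; `Role.playlists_edit is not None` in the next hunk has the same problem. Use the SQL null test instead: `Role.users.any(Role.playlists_view.isnot(None))` here and `Role.playlists_edit.isnot(None)` in `has_role_edit_q`. If `playlists_view`/`playlists_edit` are relationships rather than columns (the model is outside this diff), `Role.playlists_view.any()` is the corresponding "role has at least one viewable playlist" check. Either way a unit test with a user whose only role grants nothing should return None from both helpers.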
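Review bot: The two `or` operators inside `Playlist.view.any(...)` and `Playlist.edit.any(...)` are Python boolean `or`, not SQL OR: Python evaluates the truthiness of `Role.user_id == user_id`, which for a SQLAlchemy comparison clause is decided without touching the database and is False here, so each branch collapses to `Role.users.any(User.id == user_id)` and the "role belongs to this user" condition never reaches the generated query. Replace both with the bitwise operator and parenthesise, as the code already does for the outer `|`: `(Role.user_id == user_id) |` on each of the two `Role.user_id` lines. The `\` after `Role.users.any(User.id == user_id)` in the view branch is redundant inside parentheses, and the two trailing blank `+` lines at end of file will be flagged by most linters. A test that a user granted access only through a directly owned `Role` sees the playlist would make this regression visible.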