From cfccd424cbdcac62f659e572c89ac58cc96d6d6e Mon Sep 17 00:00:00 2001
From: John Groszko
Date: Thu, 23 Apr 2026 15:55:52 -0500
Subject: [PATCH] Timeline Permissions
---
 db/constants.py | 6 ++++++
 db/queries.py | 33 +++++++++++++++++++++++----------
 web/api.py | 11 ++++++-----
 web/vite/src/TimelineList.tsx | 16 ++++++++++------
 4 files changed, 45 insertions(+), 21 deletions(-)
diff --git a/db/constants.py b/db/constants.py
index df3dfa5..5528d0c 100644
--- a/db/constants.py
+++ b/db/constants.py
@@ -6,3 +6,9 @@ TIMELINE_ORDER_PUNISHED = "ORDER_PUNISHED"
 TIMELINE_ORDERS_POOL_CREATED = "ORDERS_POOL_CREATED"
 TIMELINE_ORDERS_POOL_UPDATED = "ORDERS_POOL_UPDATED"
 TIMELINE_ORDERS_POOL_DELETED = "ORDERS_POOL_DELETED"
+
+TIMELINE_ORDERS_POOL_EVENTS = [
+ TIMELINE_ORDERS_POOL_CREATED,
+ TIMELINE_ORDERS_POOL_UPDATED,
+ TIMELINE_ORDERS_POOL_DELETED
+]
diff --git a/db/queries.py b/db/queries.py
index 659645c..0e4e8e5 100644
--- a/db/queries.py
+++ b/db/queries.py
@@ -2,6 +2,7 @@ import datetime
 import json
 from peewee import JOIN, fn
+from db.constants import TIMELINE_ORDERS_POOL_EVENTS
 from util import sqlite_time
 from .models import database, User, OrdersPool, DomSubUsers, Repeat, SkipDay, OrderStatus, MastodonServer, TimelineEvent
@@ -57,6 +58,9 @@ def user_has_doms(id):
 def user_doms(id):
 return [d.dom for d in DomSubUsers.select(DomSubUsers.dom).where(DomSubUsers.sub_id == id)]
+def user_subs(id):
+ return [d.sub for d in DomSubUsers.select(DomSubUsers.sub).where(DomSubUsers.dom_id == id)]
+
 def user_can_orders_pools_view(user, sub):
 doms = user_doms(sub.id)
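Review bot: `TIMELINE_ORDERS_POOL_EVENTS` needs a comment saying it is a permission filter, because db/queries.py now passes it to `not_in` to hide pool events from users who cannot view pools. As a deny list it fails open: a pool event type added later without being listed here is shown to those users by default. I would put `# Event types hidden from users who may not view orders pools; every new ORDERS_POOL_* type must be listed here.` above the assignment. A tuple instead of a list would also keep the constant from being mutated at runtime.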
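Review bot: `user_subs` is added here but nothing in this patch calls it. The rewritten `timeline_event_recent` in the later db/queries.py hunk matches only `TimelineEvent.user_id == user_id` and `TimelineEvent.actor_user_id == user_id`, and web/api.py stops passing `subs`. If a dom is still meant to see events about their subs that the dom did not author, that arm is missing from the new query; if not, the helper can be dropped so an unused relationship lookup does not linger next to the permission code. At minimum a one-line docstring such as `"""Return the users who have `id` as a dom."""` would make the direction of the lookup explicit.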
@@ -222,13 +226,22 @@ def timeline_event_put(type, text, user, orders_pool=None, order_status=None, ac
 extra=json.dumps(extra) if extra is not None else None
 )
-def timeline_event_recent(user_ids, actor_ids=None, limit=5):
- return (TimelineEvent
- .select()
- .where((
- TimelineEvent.user_id.in_(user_ids) |
- (TimelineEvent.actor_user_id.in_(actor_ids) if actor_ids is not None else True)
- ))
- .order_by(TimelineEvent.updated_at.desc())
- .limit(limit)
- )
\ No newline at end of file
+def timeline_event_recent(user_id, limit=5):
+ user = User.get_by_id(user_id)
+
+ can_view_orders_pools = user_can_orders_pools_view(user, user)
+
+ result = TimelineEvent.select()
+
+ if(can_view_orders_pools):
+ result = result.where(
+ (TimelineEvent.user_id == user_id) |
+ (TimelineEvent.actor_user_id == user_id)
+ )
+ else:
+ result = result.where(
+ ((TimelineEvent.user_id == user_id) & TimelineEvent.type.not_in(TIMELINE_ORDERS_POOL_EVENTS)) |
+ (TimelineEvent.actor_user_id == user_id)
+ )
+
+ return result.order_by(TimelineEvent.updated_at.desc()).limit(limit)
diff --git a/web/api.py b/web/api.py
index ec8ba4e..9126c5b 100644
--- a/web/api.py
+++ b/web/api.py
@@ -79,13 +79,14 @@ def timeline():
 "username": t.user.telegram_username,
 "actor_username": t.actor.telegram_username if t.actor is not None else None,
 "orders_pool": {
- "id": t.orders_pool.id,
+ "id": t.orders_pool.id if user_can_orders_pools_edit(current_user.db_user, t.user) else None,
 "name": t.orders_pool.name,
- } if t.orders_pool is not None else None,
+ } if (
+ t.orders_pool is not None and
+ user_can_orders_pools_view(current_user.db_user, t.user)
+ ) else None,
 "order_status": t.order_status.text if t.order_status is not None else None,
- } for t in timeline_event_recent(
- subs,
- [current_user.db_user.id,])
+ } for t in timeline_event_recent(current_user.db_user.id)
 ])
 @api.route('/mastodon_oauth')
diff --git a/web/vite/src/TimelineList.tsx b/web/vite/src/TimelineList.tsx
index 5a3c1e0..bd3de15 100644
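Review bot: The two `where` branches in `timeline_event_recent` repeat the same subject and actor predicates and differ only by the `not_in(TIMELINE_ORDERS_POOL_EVENTS)` term, so a later change to the visibility rule has to be made twice and can drift between the branches. Building the subject predicate once and narrowing it when `can_view_orders_pools` is false keeps the rule in one place; `if(can_view_orders_pools):` also reads better as a plain `if`. Separately, `User.get_by_id(user_id)` repeats a lookup that the caller in web/api.py already holds as `current_user.db_user`, and it raises `User.DoesNotExist` for an unknown id, which this function does not handle.

```python
def timeline_event_recent(user_id, limit=5):
    # … unchanged: user lookup and can_view_orders_pools …
    subject = TimelineEvent.user_id == user_id
    if not can_view_orders_pools:
        # Hide pool lifecycle events from users who may not view pools.
        subject &= TimelineEvent.type.not_in(TIMELINE_ORDERS_POOL_EVENTS)
    result = TimelineEvent.select().where(
        subject | (TimelineEvent.actor_user_id == user_id)
    )
    # … unchanged: order_by / limit return …
```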
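Review bot: `user_can_orders_pools_edit` and `user_can_orders_pools_view` are called inside the comprehension, but the only web/api.py hunk in this patch adds no import, so confirm both names are already in scope; if not, the first event that carries a pool raises `NameError`, and a line like `from db.queries import user_can_orders_pools_view` is needed. `subs` is no longer passed to `timeline_event_recent`, so whatever computes it earlier in `timeline()` (its body starts outside this hunk) looks unused now. The helpers also run once per event, and the db/queries.py context shows the view check calling `user_doms(sub.id)`, which is a query; resolving the decision once per distinct `t.user` before building the list would avoid repeating it.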
--- a/web/vite/src/TimelineList.tsx +++ b/web/vite/src/TimelineList.tsx @@ -97,12 +97,16 @@ export const TimelineList: React.FC<{ ) : null} {orders_pool ? ( - - {orders_pool.name} - + {orders_pool.id ? ( + + {orders_pool.name} + + ) : ( + orders_pool.name + )} ) : null} {actor_username ? (