fixed recipe api permissions when using shared recipes

2026-01-06 14:48:02 -05:00 · 2020-07-14 00:22:39 +02:00
parent c45472689e
commit e0dac67b84
4 changed files with 28 additions and 4 deletions
--- a/cookbook/views/api.py
+++ b/cookbook/views/api.py
@@ -23,7 +23,7 @@ from rest_framework.parsers import JSONParser, FileUploadParser, MultiPartParser
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSetMixin

-from cookbook.helper.permission_helper import group_required, CustomIsOwner, CustomIsAdmin, CustomIsUser, CustomIsGuest
+from cookbook.helper.permission_helper import group_required, CustomIsOwner, CustomIsAdmin, CustomIsUser, CustomIsGuest, CustomIsShare
 from cookbook.helper.recipe_url_import import get_from_html
 from cookbook.models import Recipe, Sync, Storage, CookLog, MealPlan, MealType, ViewLog, UserPreference, RecipeBook, Ingredient, Food, Step, Keyword, Unit, SyncLog
 from cookbook.provider.dropbox import Dropbox
@@ -198,7 +198,7 @@ class RecipeViewSet(viewsets.ModelViewSet, StandardFilterMixin):
    """
    queryset = Recipe.objects.all()
    serializer_class = RecipeSerializer
-    permission_classes = [permissions.IsAuthenticated]  # TODO split read and write permission for meal plan guest
+    permission_classes = [CustomIsShare | CustomIsGuest]  # TODO split read and write permission for meal plan guest

    @decorators.action(
        detail=True,
--- a/cookbook/views/views.py
+++ b/cookbook/views/views.py
@@ -116,7 +116,7 @@ def recipe_view(request, pk, share=None):

    return render(request, 'recipe_view.html',
                  {'recipe': recipe, 'comments': comments, 'comment_form': comment_form,
-                   'bookmark_form': bookmark_form})
+                   'bookmark_form': bookmark_form, 'share': share})


@group_required('user')