feat: protect paid courses

apps/api/src/routers/ee/payments.py

@@ -19,6 +19,7 @@ from src.services.payments.payments_courses import (
 )
 from src.services.payments.payments_webhook import handle_stripe_webhook
 from src.services.payments.stripe import create_checkout_session
+from src.services.payments.payments_access import check_course_paid_access
 
 
 router = APIRouter()
@@ -185,3 +186,22 @@ async def api_create_checkout_session(
     db_session: Session = Depends(get_db_session),
 ):
     return await create_checkout_session(request, org_id, product_id, redirect_uri, current_user, db_session)
+
+@router.get("/{org_id}/courses/{course_id}/access")
+async def api_check_course_paid_access(
+    request: Request,
+    org_id: int,
+    course_id: int,
+    current_user: PublicUser = Depends(get_current_user),
+    db_session: Session = Depends(get_db_session),
+):
+    """
+    Check if current user has paid access to a specific course
+    """
+    return {
+        "has_access": await check_course_paid_access(
+            course_id=course_id,
+            user=current_user,
+            db_session=db_session
+        )
+    }

apps/api/src/services/courses/activities/activities.py

@@ -14,6 +14,8 @@ from fastapi import HTTPException, Request
 from uuid import uuid4
 from datetime import datetime
 
+from src.services.payments.payments_access import check_activity_paid_access
+
 
 ####################################################
 # CRUD
@@ -112,7 +114,16 @@ async def get_activity(
     # RBAC check
     await rbac_check(request, course.course_uuid, current_user, "read", db_session)
 
-    activity = ActivityRead.model_validate(activity)
+    # Paid access check
+    has_paid_access = await check_activity_paid_access(
+        activity_id=activity.id if activity.id else 0,
+        user=current_user,
+        db_session=db_session
+    )
+
+    activity_read = ActivityRead.model_validate(activity)
+    activity_read.content = activity_read.content if has_paid_access else { "paid_access": False }
+    activity = activity_read
 
     return activity
 
@@ -258,30 +269,32 @@ async def get_activities(
 
 async def rbac_check(
     request: Request,
-    course_uuid: str,
+    element_uuid: str,
     current_user: PublicUser | AnonymousUser,
     action: Literal["create", "read", "update", "delete"],
     db_session: Session,
 ):
+    
+
     if action == "read":
         if current_user.id == 0:  # Anonymous user
             res = await authorization_verify_if_element_is_public(
-                request, course_uuid, action, db_session
+                request, element_uuid, action, db_session
             )
             return res
         else:
             res = await authorization_verify_based_on_roles_and_authorship(
-                request, current_user.id, action, course_uuid, db_session
+                request, current_user.id, action, element_uuid, db_session
             )
             return res
     else:
+        # For non-read actions, proceed with regular RBAC checks
         await authorization_verify_if_user_is_anon(current_user.id)
-
         await authorization_verify_based_on_roles_and_authorship(
             request,
             current_user.id,
             action,
-            course_uuid,
+            element_uuid,
             db_session,
         )
 

apps/api/src/services/payments/payments_access.py

@@ -0,0 +1,98 @@
+from sqlmodel import Session, select
+from src.db.payments.payments_users import PaymentStatusEnum, PaymentsUser
+from src.db.users import PublicUser, AnonymousUser
+from src.db.payments.payments_courses import PaymentsCourse
+from src.db.courses.activities import Activity
+from src.db.courses.courses import Course
+from fastapi import HTTPException
+
+async def check_activity_paid_access(
+    activity_id: int,
+    user: PublicUser | AnonymousUser,
+    db_session: Session,
+) -> bool:
+    """
+    Check if a user has access to a specific activity
+    Returns True if:
+    - User is an author of the course
+    - Activity is in a free course
+    - User has a valid subscription for the course
+    """
+
+
+    # Get activity and associated course
+    statement = select(Activity).where(Activity.id == activity_id)
+    activity = db_session.exec(statement).first()
+
+    if not activity:
+        raise HTTPException(status_code=404, detail="Activity not found")
+
+    # Check if course exists
+    statement = select(Course).where(Course.id == activity.course_id)
+    course = db_session.exec(statement).first()
+
+    if not course:
+        raise HTTPException(status_code=404, detail="Course not found")
+
+    # Check if course is linked to a product
+    statement = select(PaymentsCourse).where(PaymentsCourse.course_id == course.id)
+    course_payment = db_session.exec(statement).first()
+
+    # If course is not linked to any product, it's free
+    if not course_payment:
+        return True
+    
+    # Anonymous users have no access to paid activities
+    if isinstance(user, AnonymousUser):
+        return False
+    
+    # Check if user has a valid subscription or payment
+    statement = select(PaymentsUser).where(
+        PaymentsUser.user_id == user.id,
+        PaymentsUser.payment_product_id == course_payment.payment_product_id,
+        PaymentsUser.status.in_( # type: ignore
+            [PaymentStatusEnum.ACTIVE, PaymentStatusEnum.COMPLETED]
+        ),
+    )
+    access = db_session.exec(statement).first()
+
+    return bool(access)
+
+async def check_course_paid_access(
+    course_id: int,
+    user: PublicUser | AnonymousUser,
+    db_session: Session,
+) -> bool:
+    """
+    Check if a user has paid access to a specific course
+    Returns True if:
+    - User is an author of the course
+    - Course is free (not linked to any product)
+    - User has a valid subscription for the course
+    """
+    # Check if course exists
+    statement = select(Course).where(Course.id == course_id)
+    course = db_session.exec(statement).first()
+
+    if not course:
+        raise HTTPException(status_code=404, detail="Course not found")
+
+    # Check if course is linked to a product
+    statement = select(PaymentsCourse).where(PaymentsCourse.course_id == course.id)
+    course_payment = db_session.exec(statement).first()
+
+    # If course is not linked to any product, it's free
+    if not course_payment:
+        return True
+
+    # Check if user has a valid subscription
+    statement = select(PaymentsUser).where(
+        PaymentsUser.user_id == user.id,
+        PaymentsUser.payment_product_id == course_payment.payment_product_id,
+        PaymentsUser.status.in_( # type: ignore
+            [PaymentStatusEnum.ACTIVE, PaymentStatusEnum.COMPLETED]
+        ),
+    )
+    subscription = db_session.exec(statement).first()
+
+    return bool(subscription)

apps/api/src/services/payments/payments_courses.py

@@ -121,5 +121,3 @@ async def get_courses_by_product(
     courses = db_session.exec(statement).all()
 
     return courses
-
-

apps/web/app/orgs/[orgslug]/(withmenu)/course/[courseuuid]/activity/[activityid]/activity.tsx

@@ -26,6 +26,7 @@ import toast from 'react-hot-toast'
 import { mutate } from 'swr'
 import ConfirmationModal from '@components/StyledElements/ConfirmationModal/ConfirmationModal'
 import { useMediaQuery } from 'usehooks-ts'
+import PaidCourseActivity from '@components/Objects/Courses/CourseActions/PaidCourseActivity'
 
 interface ActivityClientProps {
   activityid: string
@@ -80,6 +81,7 @@ function ActivityClient(props: ActivityClientProps) {
     else {
       setBgColor('bg-zinc-950');
     }
+    console.log(activity.content)
   }
     , [activity, pathname])
 
@@ -129,7 +131,7 @@ function ActivityClient(props: ActivityClientProps) {
                   </h1>
                 </div>
                 <div className="flex space-x-1 items-center">
-                  {activity && activity.published == true && (
+                  {activity && activity.published == true && activity.content.paid_access != false && (
                     <AuthenticatedClientElement checkMethod="authentication">
                       {activity.activity_type != 'TYPE_ASSIGNMENT' &&
                         <>
@@ -176,6 +178,11 @@ function ActivityClient(props: ActivityClientProps) {
                 <div
                   className={`p-7 drop-shadow-sm rounded-lg ${bgColor}`}
                 >
+                  {/* Paid Courses */}
+                  {activity.content.paid_access == false && (
+                    <PaidCourseActivity course={course} />
+                  )}
+                  {/* Activity Types */}
                   <div>
                     {activity.activity_type == 'TYPE_DYNAMIC' && (
                       <Canva content={activity.content} activity={activity} />

apps/web/components/Objects/Courses/CourseActions/CoursesActions.tsx

@@ -10,8 +10,8 @@ import { getUriWithOrg } from '@services/config/config'
 import { getProductsByCourse } from '@services/payments/products'
 import { LogIn, LogOut, ShoppingCart, AlertCircle } from 'lucide-react'
 import Modal from '@components/StyledElements/Modal/Modal'
-import CourseCTA from './CoursePaidOptions'
 import CoursePaidOptions from './CoursePaidOptions'
+import { checkPaidAccess } from '@services/payments/payments'
 
 interface Author {
   user_uuid: string
@@ -77,6 +77,7 @@ const Actions = ({ courseuuid, orgslug, course }: CourseActionsProps) => {
   const [linkedProducts, setLinkedProducts] = useState<any[]>([])
   const [isLoading, setIsLoading] = useState(true)
   const [isModalOpen, setIsModalOpen] = useState(false)
+  const [hasAccess, setHasAccess] = useState<boolean | null>(null)
 
   const isStarted = course.trail?.runs?.some(
     (run) => run.status === 'STATUS_IN_PROGRESS' && run.course_id === course.id
@@ -101,6 +102,28 @@ const Actions = ({ courseuuid, orgslug, course }: CourseActionsProps) => {
     fetchLinkedProducts()
   }, [course.id, course.org_id, session.data?.tokens?.access_token])
 
+  useEffect(() => {
+    const checkAccess = async () => {
+      if (!session.data?.user) return
+      try {
+        const response = await checkPaidAccess(
+          parseInt(course.id),
+          course.org_id,
+          session.data?.tokens?.access_token
+        )
+        setHasAccess(response.has_access)
+        
+      } catch (error) {
+        console.error('Failed to check course access')
+        setHasAccess(false)
+      }
+    }
+
+    if (linkedProducts.length > 0) {
+      checkAccess()
+    }
+  }, [course.id, course.org_id, session.data?.tokens?.access_token, linkedProducts])
+
   const handleCourseAction = async () => {
     if (!session.data?.user) {
       router.push(getUriWithOrg(orgslug, '/signup?orgslug=' + orgslug))
@@ -119,30 +142,69 @@ const Actions = ({ courseuuid, orgslug, course }: CourseActionsProps) => {
   if (linkedProducts.length > 0) {
     return (
       <div className="space-y-4">
-        <div className="p-4 bg-amber-50 border border-amber-200 rounded-lg nice-shadow">
-          <div className="flex items-center gap-3">
-            <AlertCircle className="w-5 h-5 text-amber-800" />
-            <h3 className="text-amber-800 font-semibold">Paid Course</h3>
+        {hasAccess ? (
+          <>
+            <div className="p-4 bg-green-50 border border-green-200 rounded-lg nice-shadow">
+              <div className="flex items-center gap-3">
+                <div className="w-2 h-2 bg-green-500 rounded-full animate-pulse" />
+                <h3 className="text-green-800 font-semibold">You Own This Course</h3>
+              </div>
+              <p className="text-green-700 text-sm mt-1">
+                You have purchased this course and have full access to all content.
+              </p>
+            </div>
+            <button
+              onClick={handleCourseAction}
+              className={`w-full py-3 rounded-lg nice-shadow font-semibold transition-colors flex items-center justify-center gap-2 ${
+                isStarted
+                  ? 'bg-red-500 text-white hover:bg-red-600'
+                  : 'bg-neutral-900 text-white hover:bg-neutral-800'
+              }`}
+            >
+              {isStarted ? (
+                <>
+                  <LogOut className="w-5 h-5" />
+                  Leave Course
+                </>
+              ) : (
+                <>
+                  <LogIn className="w-5 h-5" />
+                  Start Course
+                </>
+              )}
+            </button>
+          </>
+        ) : (
+          <div className="p-4 bg-amber-50 border border-amber-200 rounded-lg nice-shadow">
+            <div className="flex items-center gap-3">
+              <AlertCircle className="w-5 h-5 text-amber-800" />
+              <h3 className="text-amber-800 font-semibold">Paid Course</h3>
+            </div>
+            <p className="text-amber-700 text-sm mt-1">
+              This course requires purchase to access its content.
+            </p>
           </div>
-          <p className="text-amber-700 text-sm">
-            This course requires purchase to access its content.
-          </p>
-        </div>
-        <Modal
-          isDialogOpen={isModalOpen}
-          onOpenChange={setIsModalOpen}
-          dialogContent={<CoursePaidOptions course={course} />}
-          dialogTitle="Purchase Course"
-          dialogDescription="Select a payment option to access this course"
-          minWidth="sm"
-        />
-        <button
-          className="w-full bg-neutral-900 text-white py-3 rounded-lg nice-shadow font-semibold hover:bg-neutral-800 transition-colors flex items-center justify-center gap-2"
-          onClick={() => setIsModalOpen(true)}
-        >
-          <ShoppingCart className="w-5 h-5" />
-          Purchase Course
-        </button>
+        )}
+        
+        {!hasAccess && (
+          <>
+            <Modal
+              isDialogOpen={isModalOpen}
+              onOpenChange={setIsModalOpen}
+              dialogContent={<CoursePaidOptions course={course} />}
+              dialogTitle="Purchase Course"
+              dialogDescription="Select a payment option to access this course"
+              minWidth="sm"
+            />
+            <button
+              className="w-full bg-neutral-900 text-white py-3 rounded-lg nice-shadow font-semibold hover:bg-neutral-800 transition-colors flex items-center justify-center gap-2"
+              onClick={() => setIsModalOpen(true)}
+            >
+              <ShoppingCart className="w-5 h-5" />
+              Purchase Course
+            </button>
+          </>
+        )}
       </div>
     )
   }

apps/web/components/Objects/Courses/CourseActions/PaidCourseActivity.tsx

@@ -0,0 +1,26 @@
+import React from 'react'
+import { AlertCircle, ShoppingCart } from 'lucide-react'
+import CoursePaidOptions from './CoursePaidOptions'
+
+interface PaidCourseActivityProps {
+  course: any;
+}
+
+function PaidCourseActivity({ course }: PaidCourseActivityProps) {
+  return (
+    <div className="space-y-4 ">
+      <div className="p-4 bg-amber-50 border border-amber-200 rounded-lg nice-shadow">
+        <div className="flex items-center gap-3">
+          <AlertCircle className="w-5 h-5 text-amber-800" />
+          <h3 className="text-amber-800 font-semibold">Paid Content</h3>
+        </div>
+        <p className="text-amber-700 text-sm mt-1">
+          This content requires a course purchase to access. Please purchase the course to continue.
+        </p>
+      </div>
+      <CoursePaidOptions course={course} />
+    </div>
+  )
+}
+
+export default PaidCourseActivity

apps/web/services/payments/payments.ts

@@ -10,6 +10,15 @@ export async function getPaymentConfigs(orgId: number, access_token: string) {
   return res;
 }
 
+export async function checkPaidAccess(courseId: number, orgId: number, access_token: string) {
+  const result = await fetch(
+    `${getAPIUrl()}payments/${orgId}/courses/${courseId}/access`,
+    RequestBodyWithAuthHeader('GET', null, null, access_token)
+  );
+  const res = await errorHandling(result);
+  return res;
+}
+
 export async function createPaymentConfig(orgId: number, data: any, access_token: string) {
   const result = await fetch(
     `${getAPIUrl()}payments/${orgId}/config`,