From 3988ee1d4b4827ec0e549bbfe0cb89d8d2cb0fcd Mon Sep 17 00:00:00 2001 From: swve Date: Sat, 2 Nov 2024 23:16:33 +0100 Subject: [PATCH] feat: protect paid courses --- apps/api/src/routers/ee/payments.py | 20 ++++ .../services/courses/activities/activities.py | 25 +++- .../src/services/payments/payments_access.py | 98 ++++++++++++++++ .../src/services/payments/payments_courses.py | 2 - apps/api/src/services/payments/products.py | 0 .../activity/[activityid]/activity.tsx | 9 +- .../Courses/CourseActions/CoursesActions.tsx | 110 ++++++++++++++---- .../CourseActions/PaidCourseActivity.tsx | 26 +++++ apps/web/services/payments/payments.ts | 9 ++ 9 files changed, 266 insertions(+), 33 deletions(-) create mode 100644 apps/api/src/services/payments/payments_access.py delete mode 100644 apps/api/src/services/payments/products.py create mode 100644 apps/web/components/Objects/Courses/CourseActions/PaidCourseActivity.tsx diff --git a/apps/api/src/routers/ee/payments.py b/apps/api/src/routers/ee/payments.py index 2ae0e48d..3c452978 100644 --- a/apps/api/src/routers/ee/payments.py +++ b/apps/api/src/routers/ee/payments.py @@ -19,6 +19,7 @@ from src.services.payments.payments_courses import ( ) from src.services.payments.payments_webhook import handle_stripe_webhook from src.services.payments.stripe import create_checkout_session +from src.services.payments.payments_access import check_course_paid_access router = APIRouter() @@ -185,3 +186,22 @@ async def api_create_checkout_session( db_session: Session = Depends(get_db_session), ): return await create_checkout_session(request, org_id, product_id, redirect_uri, current_user, db_session) + +@router.get("/{org_id}/courses/{course_id}/access") +async def api_check_course_paid_access( + request: Request, + org_id: int, + course_id: int, + current_user: PublicUser = Depends(get_current_user), + db_session: Session = Depends(get_db_session), +): + """ + Check if current user has paid access to a specific course + """ + return { + "has_access": await check_course_paid_access( + course_id=course_id, + user=current_user, + db_session=db_session + ) + } diff --git a/apps/api/src/services/courses/activities/activities.py b/apps/api/src/services/courses/activities/activities.py index 25591550..985a48af 100644 --- a/apps/api/src/services/courses/activities/activities.py +++ b/apps/api/src/services/courses/activities/activities.py @@ -14,6 +14,8 @@ from fastapi import HTTPException, Request from uuid import uuid4 from datetime import datetime +from src.services.payments.payments_access import check_activity_paid_access + #################################################### # CRUD @@ -112,7 +114,16 @@ async def get_activity( # RBAC check await rbac_check(request, course.course_uuid, current_user, "read", db_session) - activity = ActivityRead.model_validate(activity) + # Paid access check + has_paid_access = await check_activity_paid_access( + activity_id=activity.id if activity.id else 0, + user=current_user, + db_session=db_session + ) + + activity_read = ActivityRead.model_validate(activity) + activity_read.content = activity_read.content if has_paid_access else { "paid_access": False } + activity = activity_read return activity @@ -258,30 +269,32 @@ async def get_activities( async def rbac_check( request: Request, - course_uuid: str, + element_uuid: str, current_user: PublicUser | AnonymousUser, action: Literal["create", "read", "update", "delete"], db_session: Session, ): + + if action == "read": if current_user.id == 0: # Anonymous user res = await authorization_verify_if_element_is_public( - request, course_uuid, action, db_session + request, element_uuid, action, db_session ) return res else: res = await authorization_verify_based_on_roles_and_authorship( - request, current_user.id, action, course_uuid, db_session + request, current_user.id, action, element_uuid, db_session ) return res else: + # For non-read actions, proceed with regular RBAC checks await authorization_verify_if_user_is_anon(current_user.id) - await authorization_verify_based_on_roles_and_authorship( request, current_user.id, action, - course_uuid, + element_uuid, db_session, ) diff --git a/apps/api/src/services/payments/payments_access.py b/apps/api/src/services/payments/payments_access.py new file mode 100644 index 00000000..6f2632ac --- /dev/null +++ b/apps/api/src/services/payments/payments_access.py @@ -0,0 +1,98 @@ +from sqlmodel import Session, select +from src.db.payments.payments_users import PaymentStatusEnum, PaymentsUser +from src.db.users import PublicUser, AnonymousUser +from src.db.payments.payments_courses import PaymentsCourse +from src.db.courses.activities import Activity +from src.db.courses.courses import Course +from fastapi import HTTPException + +async def check_activity_paid_access( + activity_id: int, + user: PublicUser | AnonymousUser, + db_session: Session, +) -> bool: + """ + Check if a user has access to a specific activity + Returns True if: + - User is an author of the course + - Activity is in a free course + - User has a valid subscription for the course + """ + + + # Get activity and associated course + statement = select(Activity).where(Activity.id == activity_id) + activity = db_session.exec(statement).first() + + if not activity: + raise HTTPException(status_code=404, detail="Activity not found") + + # Check if course exists + statement = select(Course).where(Course.id == activity.course_id) + course = db_session.exec(statement).first() + + if not course: + raise HTTPException(status_code=404, detail="Course not found") + + # Check if course is linked to a product + statement = select(PaymentsCourse).where(PaymentsCourse.course_id == course.id) + course_payment = db_session.exec(statement).first() + + # If course is not linked to any product, it's free + if not course_payment: + return True + + # Anonymous users have no access to paid activities + if isinstance(user, AnonymousUser): + return False + + # Check if user has a valid subscription or payment + statement = select(PaymentsUser).where( + PaymentsUser.user_id == user.id, + PaymentsUser.payment_product_id == course_payment.payment_product_id, + PaymentsUser.status.in_( # type: ignore + [PaymentStatusEnum.ACTIVE, PaymentStatusEnum.COMPLETED] + ), + ) + access = db_session.exec(statement).first() + + return bool(access) + +async def check_course_paid_access( + course_id: int, + user: PublicUser | AnonymousUser, + db_session: Session, +) -> bool: + """ + Check if a user has paid access to a specific course + Returns True if: + - User is an author of the course + - Course is free (not linked to any product) + - User has a valid subscription for the course + """ + # Check if course exists + statement = select(Course).where(Course.id == course_id) + course = db_session.exec(statement).first() + + if not course: + raise HTTPException(status_code=404, detail="Course not found") + + # Check if course is linked to a product + statement = select(PaymentsCourse).where(PaymentsCourse.course_id == course.id) + course_payment = db_session.exec(statement).first() + + # If course is not linked to any product, it's free + if not course_payment: + return True + + # Check if user has a valid subscription + statement = select(PaymentsUser).where( + PaymentsUser.user_id == user.id, + PaymentsUser.payment_product_id == course_payment.payment_product_id, + PaymentsUser.status.in_( # type: ignore + [PaymentStatusEnum.ACTIVE, PaymentStatusEnum.COMPLETED] + ), + ) + subscription = db_session.exec(statement).first() + + return bool(subscription) diff --git a/apps/api/src/services/payments/payments_courses.py b/apps/api/src/services/payments/payments_courses.py index d35d9cfe..1382e408 100644 --- a/apps/api/src/services/payments/payments_courses.py +++ b/apps/api/src/services/payments/payments_courses.py @@ -121,5 +121,3 @@ async def get_courses_by_product( courses = db_session.exec(statement).all() return courses - - diff --git a/apps/api/src/services/payments/products.py b/apps/api/src/services/payments/products.py deleted file mode 100644 index e69de29b..00000000 diff --git a/apps/web/app/orgs/[orgslug]/(withmenu)/course/[courseuuid]/activity/[activityid]/activity.tsx b/apps/web/app/orgs/[orgslug]/(withmenu)/course/[courseuuid]/activity/[activityid]/activity.tsx index 3dc1853b..a5c64371 100644 --- a/apps/web/app/orgs/[orgslug]/(withmenu)/course/[courseuuid]/activity/[activityid]/activity.tsx +++ b/apps/web/app/orgs/[orgslug]/(withmenu)/course/[courseuuid]/activity/[activityid]/activity.tsx @@ -26,6 +26,7 @@ import toast from 'react-hot-toast' import { mutate } from 'swr' import ConfirmationModal from '@components/StyledElements/ConfirmationModal/ConfirmationModal' import { useMediaQuery } from 'usehooks-ts' +import PaidCourseActivity from '@components/Objects/Courses/CourseActions/PaidCourseActivity' interface ActivityClientProps { activityid: string @@ -80,6 +81,7 @@ function ActivityClient(props: ActivityClientProps) { else { setBgColor('bg-zinc-950'); } + console.log(activity.content) } , [activity, pathname]) @@ -129,7 +131,7 @@ function ActivityClient(props: ActivityClientProps) {
- {activity && activity.published == true && ( + {activity && activity.published == true && activity.content.paid_access != false && ( {activity.activity_type != 'TYPE_ASSIGNMENT' && <> @@ -176,6 +178,11 @@ function ActivityClient(props: ActivityClientProps) {
+ {/* Paid Courses */} + {activity.content.paid_access == false && ( + + )} + {/* Activity Types */}
{activity.activity_type == 'TYPE_DYNAMIC' && ( diff --git a/apps/web/components/Objects/Courses/CourseActions/CoursesActions.tsx b/apps/web/components/Objects/Courses/CourseActions/CoursesActions.tsx index 861b7731..4d5713d5 100644 --- a/apps/web/components/Objects/Courses/CourseActions/CoursesActions.tsx +++ b/apps/web/components/Objects/Courses/CourseActions/CoursesActions.tsx @@ -10,8 +10,8 @@ import { getUriWithOrg } from '@services/config/config' import { getProductsByCourse } from '@services/payments/products' import { LogIn, LogOut, ShoppingCart, AlertCircle } from 'lucide-react' import Modal from '@components/StyledElements/Modal/Modal' -import CourseCTA from './CoursePaidOptions' import CoursePaidOptions from './CoursePaidOptions' +import { checkPaidAccess } from '@services/payments/payments' interface Author { user_uuid: string @@ -77,6 +77,7 @@ const Actions = ({ courseuuid, orgslug, course }: CourseActionsProps) => { const [linkedProducts, setLinkedProducts] = useState([]) const [isLoading, setIsLoading] = useState(true) const [isModalOpen, setIsModalOpen] = useState(false) + const [hasAccess, setHasAccess] = useState(null) const isStarted = course.trail?.runs?.some( (run) => run.status === 'STATUS_IN_PROGRESS' && run.course_id === course.id @@ -101,6 +102,28 @@ const Actions = ({ courseuuid, orgslug, course }: CourseActionsProps) => { fetchLinkedProducts() }, [course.id, course.org_id, session.data?.tokens?.access_token]) + useEffect(() => { + const checkAccess = async () => { + if (!session.data?.user) return + try { + const response = await checkPaidAccess( + parseInt(course.id), + course.org_id, + session.data?.tokens?.access_token + ) + setHasAccess(response.has_access) + + } catch (error) { + console.error('Failed to check course access') + setHasAccess(false) + } + } + + if (linkedProducts.length > 0) { + checkAccess() + } + }, [course.id, course.org_id, session.data?.tokens?.access_token, linkedProducts]) + const handleCourseAction = async () => { if (!session.data?.user) { router.push(getUriWithOrg(orgslug, '/signup?orgslug=' + orgslug)) @@ -119,30 +142,69 @@ const Actions = ({ courseuuid, orgslug, course }: CourseActionsProps) => { if (linkedProducts.length > 0) { return (
-
-
- -

Paid Course

+ {hasAccess ? ( + <> +
+
+
+

You Own This Course

+
+

+ You have purchased this course and have full access to all content. +

+
+ + + ) : ( +
+
+ +

Paid Course

+
+

+ This course requires purchase to access its content. +

-

- This course requires purchase to access its content. -

-
- } - dialogTitle="Purchase Course" - dialogDescription="Select a payment option to access this course" - minWidth="sm" - /> - + )} + + {!hasAccess && ( + <> + } + dialogTitle="Purchase Course" + dialogDescription="Select a payment option to access this course" + minWidth="sm" + /> + + + )}
) } diff --git a/apps/web/components/Objects/Courses/CourseActions/PaidCourseActivity.tsx b/apps/web/components/Objects/Courses/CourseActions/PaidCourseActivity.tsx new file mode 100644 index 00000000..091bd36b --- /dev/null +++ b/apps/web/components/Objects/Courses/CourseActions/PaidCourseActivity.tsx @@ -0,0 +1,26 @@ +import React from 'react' +import { AlertCircle, ShoppingCart } from 'lucide-react' +import CoursePaidOptions from './CoursePaidOptions' + +interface PaidCourseActivityProps { + course: any; +} + +function PaidCourseActivity({ course }: PaidCourseActivityProps) { + return ( +
+
+
+ +

Paid Content

+
+

+ This content requires a course purchase to access. Please purchase the course to continue. +

+
+ +
+ ) +} + +export default PaidCourseActivity \ No newline at end of file diff --git a/apps/web/services/payments/payments.ts b/apps/web/services/payments/payments.ts index dff00c83..35d294ef 100644 --- a/apps/web/services/payments/payments.ts +++ b/apps/web/services/payments/payments.ts @@ -10,6 +10,15 @@ export async function getPaymentConfigs(orgId: number, access_token: string) { return res; } +export async function checkPaidAccess(courseId: number, orgId: number, access_token: string) { + const result = await fetch( + `${getAPIUrl()}payments/${orgId}/courses/${courseId}/access`, + RequestBodyWithAuthHeader('GET', null, null, access_token) + ); + const res = await errorHandling(result); + return res; +} + export async function createPaymentConfig(orgId: number, data: any, access_token: string) { const result = await fetch( `${getAPIUrl()}payments/${orgId}/config`,