feat: protect paid courses

2025-12-19 04:19:25 +00:00 · 2024-11-02 23:16:33 +01:00 · 2024-11-02 23:16:33 +01:00 · 3988ee1d4b
commit 3988ee1d4b
parent b7f09885df
9 changed files with 266 additions and 33 deletions
--- a/apps/api/src/routers/ee/payments.py
+++ b/apps/api/src/routers/ee/payments.py
@ -19,6 +19,7 @@ from src.services.payments.payments_courses import (
 )
 from src.services.payments.payments_webhook import handle_stripe_webhook
 from src.services.payments.stripe import create_checkout_session
+from src.services.payments.payments_access import check_course_paid_access


 router = APIRouter()
@ -185,3 +186,22 @@ async def api_create_checkout_session(
    db_session: Session = Depends(get_db_session),
 ):
    return await create_checkout_session(request, org_id, product_id, redirect_uri, current_user, db_session)
+
+@router.get("/{org_id}/courses/{course_id}/access")
+async def api_check_course_paid_access(
+    request: Request,
+    org_id: int,
+    course_id: int,
+    current_user: PublicUser = Depends(get_current_user),
+    db_session: Session = Depends(get_db_session),
+):
+    """
+    Check if current user has paid access to a specific course
+    """
+    return {
+        "has_access": await check_course_paid_access(
+            course_id=course_id,
+            user=current_user,
+            db_session=db_session
+        )
+    }
--- a/apps/api/src/services/courses/activities/activities.py
+++ b/apps/api/src/services/courses/activities/activities.py
@ -14,6 +14,8 @@ from fastapi import HTTPException, Request
 from uuid import uuid4
 from datetime import datetime

+from src.services.payments.payments_access import check_activity_paid_access
+

 ####################################################
 # CRUD
@ -112,7 +114,16 @@ async def get_activity(
    # RBAC check
    await rbac_check(request, course.course_uuid, current_user, "read", db_session)

-    activity = ActivityRead.model_validate(activity)
+    # Paid access check
+    has_paid_access = await check_activity_paid_access(
+        activity_id=activity.id if activity.id else 0,
+        user=current_user,
+        db_session=db_session
+    )
+
+    activity_read = ActivityRead.model_validate(activity)
+    activity_read.content = activity_read.content if has_paid_access else { "paid_access": False }
+    activity = activity_read

    return activity

@ -258,30 +269,32 @@ async def get_activities(

 async def rbac_check(
    request: Request,
-    course_uuid: str,
+    element_uuid: str,
    current_user: PublicUser | AnonymousUser,
    action: Literal["create", "read", "update", "delete"],
    db_session: Session,
 ):
+    
+
    if action == "read":
        if current_user.id == 0:  # Anonymous user
            res = await authorization_verify_if_element_is_public(
-                request, course_uuid, action, db_session
+                request, element_uuid, action, db_session
            )
            return res
        else:
            res = await authorization_verify_based_on_roles_and_authorship(
-                request, current_user.id, action, course_uuid, db_session
+                request, current_user.id, action, element_uuid, db_session
            )
            return res
    else:
+        # For non-read actions, proceed with regular RBAC checks
        await authorization_verify_if_user_is_anon(current_user.id)
-
        await authorization_verify_based_on_roles_and_authorship(
            request,
            current_user.id,
            action,
-            course_uuid,
+            element_uuid,
            db_session,
        )

--- a/apps/api/src/services/payments/payments_access.py
+++ b/apps/api/src/services/payments/payments_access.py
@ -0,0 +1,98 @@
+from sqlmodel import Session, select
+from src.db.payments.payments_users import PaymentStatusEnum, PaymentsUser
+from src.db.users import PublicUser, AnonymousUser
+from src.db.payments.payments_courses import PaymentsCourse
+from src.db.courses.activities import Activity
+from src.db.courses.courses import Course
+from fastapi import HTTPException
+
+async def check_activity_paid_access(
+    activity_id: int,
+    user: PublicUser | AnonymousUser,
+    db_session: Session,
+) -> bool:
+    """
+    Check if a user has access to a specific activity
+    Returns True if:
+    - User is an author of the course
+    - Activity is in a free course
+    - User has a valid subscription for the course
+    """
+
+
+    # Get activity and associated course
+    statement = select(Activity).where(Activity.id == activity_id)
+    activity = db_session.exec(statement).first()
+
+    if not activity:
+        raise HTTPException(status_code=404, detail="Activity not found")
+
+    # Check if course exists
+    statement = select(Course).where(Course.id == activity.course_id)
+    course = db_session.exec(statement).first()
+
+    if not course:
+        raise HTTPException(status_code=404, detail="Course not found")
+
+    # Check if course is linked to a product
+    statement = select(PaymentsCourse).where(PaymentsCourse.course_id == course.id)
+    course_payment = db_session.exec(statement).first()
+
+    # If course is not linked to any product, it's free
+    if not course_payment:
+        return True
+    
+    # Anonymous users have no access to paid activities
+    if isinstance(user, AnonymousUser):
+        return False
+    
+    # Check if user has a valid subscription or payment
+    statement = select(PaymentsUser).where(
+        PaymentsUser.user_id == user.id,
+        PaymentsUser.payment_product_id == course_payment.payment_product_id,
+        PaymentsUser.status.in_( # type: ignore
+            [PaymentStatusEnum.ACTIVE, PaymentStatusEnum.COMPLETED]
+        ),
+    )
+    access = db_session.exec(statement).first()
+
+    return bool(access)
+
+async def check_course_paid_access(
+    course_id: int,
+    user: PublicUser | AnonymousUser,
+    db_session: Session,
+) -> bool:
+    """
+    Check if a user has paid access to a specific course
+    Returns True if:
+    - User is an author of the course
+    - Course is free (not linked to any product)
+    - User has a valid subscription for the course
+    """
+    # Check if course exists
+    statement = select(Course).where(Course.id == course_id)
+    course = db_session.exec(statement).first()
+
+    if not course:
+        raise HTTPException(status_code=404, detail="Course not found")
+
+    # Check if course is linked to a product
+    statement = select(PaymentsCourse).where(PaymentsCourse.course_id == course.id)
+    course_payment = db_session.exec(statement).first()
+
+    # If course is not linked to any product, it's free
+    if not course_payment:
+        return True
+
+    # Check if user has a valid subscription
+    statement = select(PaymentsUser).where(
+        PaymentsUser.user_id == user.id,
+        PaymentsUser.payment_product_id == course_payment.payment_product_id,
+        PaymentsUser.status.in_( # type: ignore
+            [PaymentStatusEnum.ACTIVE, PaymentStatusEnum.COMPLETED]
+        ),
+    )
+    subscription = db_session.exec(statement).first()
+
+    return bool(subscription)
--- a/apps/api/src/services/payments/payments_courses.py
+++ b/apps/api/src/services/payments/payments_courses.py
@ -121,5 +121,3 @@ async def get_courses_by_product(
    courses = db_session.exec(statement).all()

    return courses
-
-
--- a/apps/api/src/services/payments/products.py
+++ b/apps/api/src/services/payments/products.py
--- a/apps/web/app/orgs/[orgslug]/(withmenu)/course/[courseuuid]/activity/[activityid]/activity.tsx
+++ b/apps/web/app/orgs/[orgslug]/(withmenu)/course/[courseuuid]/activity/[activityid]/activity.tsx
@ -26,6 +26,7 @@ import toast from 'react-hot-toast'
 import { mutate } from 'swr'
 import ConfirmationModal from '@components/StyledElements/ConfirmationModal/ConfirmationModal'
 import { useMediaQuery } from 'usehooks-ts'
+import PaidCourseActivity from '@components/Objects/Courses/CourseActions/PaidCourseActivity'

 interface ActivityClientProps {
  activityid: string
@ -80,6 +81,7 @@ function ActivityClient(props: ActivityClientProps) {
    else {
      setBgColor('bg-zinc-950');
    }
+    console.log(activity.content)
  }
    , [activity, pathname])

@ -129,7 +131,7 @@ function ActivityClient(props: ActivityClientProps) {
                  </h1>
                </div>
                <div className="flex space-x-1 items-center">
-                  {activity && activity.published == true && (
+                  {activity && activity.published == true && activity.content.paid_access != false && (
                    <AuthenticatedClientElement checkMethod="authentication">
                      {activity.activity_type != 'TYPE_ASSIGNMENT' &&
                        <>
@ -176,6 +178,11 @@ function ActivityClient(props: ActivityClientProps) {
                <div
                  className={`p-7 drop-shadow-sm rounded-lg ${bgColor}`}
                >
+                  {/* Paid Courses */}
+                  {activity.content.paid_access == false && (
+                    <PaidCourseActivity course={course} />
+                  )}
+                  {/* Activity Types */}
                  <div>
                    {activity.activity_type == 'TYPE_DYNAMIC' && (
                      <Canva content={activity.content} activity={activity} />
--- a/apps/web/components/Objects/Courses/CourseActions/CoursesActions.tsx
+++ b/apps/web/components/Objects/Courses/CourseActions/CoursesActions.tsx
@ -10,8 +10,8 @@ import { getUriWithOrg } from '@services/config/config'
 import { getProductsByCourse } from '@services/payments/products'
 import { LogIn, LogOut, ShoppingCart, AlertCircle } from 'lucide-react'
 import Modal from '@components/StyledElements/Modal/Modal'
-import CourseCTA from './CoursePaidOptions'
 import CoursePaidOptions from './CoursePaidOptions'
+import { checkPaidAccess } from '@services/payments/payments'

 interface Author {
  user_uuid: string
@ -77,6 +77,7 @@ const Actions = ({ courseuuid, orgslug, course }: CourseActionsProps) => {
  const [linkedProducts, setLinkedProducts] = useState<any[]>([])
  const [isLoading, setIsLoading] = useState(true)
  const [isModalOpen, setIsModalOpen] = useState(false)
+  const [hasAccess, setHasAccess] = useState<boolean | null>(null)

  const isStarted = course.trail?.runs?.some(
    (run) => run.status === 'STATUS_IN_PROGRESS' && run.course_id === course.id
@ -101,6 +102,28 @@ const Actions = ({ courseuuid, orgslug, course }: CourseActionsProps) => {
    fetchLinkedProducts()
  }, [course.id, course.org_id, session.data?.tokens?.access_token])

+  useEffect(() => {
+    const checkAccess = async () => {
+      if (!session.data?.user) return
+      try {
+        const response = await checkPaidAccess(
+          parseInt(course.id),
+          course.org_id,
+          session.data?.tokens?.access_token
+        )
+        setHasAccess(response.has_access)
+        
+      } catch (error) {
+        console.error('Failed to check course access')
+        setHasAccess(false)
+      }
+    }
+
+    if (linkedProducts.length > 0) {
+      checkAccess()
+    }
+  }, [course.id, course.org_id, session.data?.tokens?.access_token, linkedProducts])
+
  const handleCourseAction = async () => {
    if (!session.data?.user) {
      router.push(getUriWithOrg(orgslug, '/signup?orgslug=' + orgslug))
@ -119,15 +142,52 @@ const Actions = ({ courseuuid, orgslug, course }: CourseActionsProps) => {
  if (linkedProducts.length > 0) {
    return (
      <div className="space-y-4">
+        {hasAccess ? (
+          <>
+            <div className="p-4 bg-green-50 border border-green-200 rounded-lg nice-shadow">
+              <div className="flex items-center gap-3">
+                <div className="w-2 h-2 bg-green-500 rounded-full animate-pulse" />
+                <h3 className="text-green-800 font-semibold">You Own This Course</h3>
+              </div>
+              <p className="text-green-700 text-sm mt-1">
+                You have purchased this course and have full access to all content.
+              </p>
+            </div>
+            <button
+              onClick={handleCourseAction}
+              className={`w-full py-3 rounded-lg nice-shadow font-semibold transition-colors flex items-center justify-center gap-2 ${
+                isStarted
+                  ? 'bg-red-500 text-white hover:bg-red-600'
+                  : 'bg-neutral-900 text-white hover:bg-neutral-800'
+              }`}
+            >
+              {isStarted ? (
+                <>
+                  <LogOut className="w-5 h-5" />
+                  Leave Course
+                </>
+              ) : (
+                <>
+                  <LogIn className="w-5 h-5" />
+                  Start Course
+                </>
+              )}
+            </button>
+          </>
+        ) : (
          <div className="p-4 bg-amber-50 border border-amber-200 rounded-lg nice-shadow">
            <div className="flex items-center gap-3">
              <AlertCircle className="w-5 h-5 text-amber-800" />
              <h3 className="text-amber-800 font-semibold">Paid Course</h3>
            </div>
-          <p className="text-amber-700 text-sm">
+            <p className="text-amber-700 text-sm mt-1">
              This course requires purchase to access its content.
            </p>
          </div>
+        )}
+        
+        {!hasAccess && (
+          <>
            <Modal
              isDialogOpen={isModalOpen}
              onOpenChange={setIsModalOpen}
@ -143,6 +203,8 @@ const Actions = ({ courseuuid, orgslug, course }: CourseActionsProps) => {
              <ShoppingCart className="w-5 h-5" />
              Purchase Course
            </button>
+          </>
+        )}
      </div>
    )
  }
--- a/apps/web/components/Objects/Courses/CourseActions/PaidCourseActivity.tsx
+++ b/apps/web/components/Objects/Courses/CourseActions/PaidCourseActivity.tsx
@ -0,0 +1,26 @@
+import React from 'react'
+import { AlertCircle, ShoppingCart } from 'lucide-react'
+import CoursePaidOptions from './CoursePaidOptions'
+
+interface PaidCourseActivityProps {
+  course: any;
+}
+
+function PaidCourseActivity({ course }: PaidCourseActivityProps) {
+  return (
+    <div className="space-y-4 ">
+      <div className="p-4 bg-amber-50 border border-amber-200 rounded-lg nice-shadow">
+        <div className="flex items-center gap-3">
+          <AlertCircle className="w-5 h-5 text-amber-800" />
+          <h3 className="text-amber-800 font-semibold">Paid Content</h3>
+        </div>
+        <p className="text-amber-700 text-sm mt-1">
+          This content requires a course purchase to access. Please purchase the course to continue.
+        </p>
+      </div>
+      <CoursePaidOptions course={course} />
+    </div>
+  )
+}
+
+export default PaidCourseActivity
--- a/apps/web/services/payments/payments.ts
+++ b/apps/web/services/payments/payments.ts
@ -10,6 +10,15 @@ export async function getPaymentConfigs(orgId: number, access_token: string) {
  return res;
 }

+export async function checkPaidAccess(courseId: number, orgId: number, access_token: string) {
+  const result = await fetch(
+    `${getAPIUrl()}payments/${orgId}/courses/${courseId}/access`,
+    RequestBodyWithAuthHeader('GET', null, null, access_token)
+  );
+  const res = await errorHandling(result);
+  return res;
+}
+
 export async function createPaymentConfig(orgId: number, data: any, access_token: string) {
  const result = await fetch(
    `${getAPIUrl()}payments/${orgId}/config`,