fix: collections bugs

2025-12-19 04:19:25 +00:00 · 2024-06-15 14:59:11 +01:00 · 2024-06-15 14:59:11 +01:00 · 46e09f27c2
commit 46e09f27c2
parent 9c1fb565af
2 changed files with 20 additions and 17 deletions
--- a/apps/api/src/security/rbac/rbac.py
+++ b/apps/api/src/security/rbac/rbac.py
@ -33,19 +33,18 @@ async def authorization_verify_if_element_is_public(
                    detail="User rights : You don't have the right to perform this action",
                )

-        if element_nature == "collections" and action == "read":
-
-            statement = select(Collection).where(
-                Collection.public == True, Collection.collection_uuid == element_uuid
+    if element_nature == "collections" and action == "read":
+        statement = select(Collection).where(
+            Collection.public == True, Collection.collection_uuid == element_uuid
+        )
+        collection = db_session.exec(statement).first()
+        if collection:
+            return True
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="User rights : You don't have the right to perform this action",
            )
-            collection = db_session.exec(statement).first()
-            if collection:
-                return True
-            else:
-                raise HTTPException(
-                    status_code=status.HTTP_403_FORBIDDEN,
-                    detail="User rights : You don't have the right to perform this action",
-                )
    else:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
--- a/apps/api/src/services/courses/collections.py
+++ b/apps/api/src/services/courses/collections.py
@ -28,7 +28,7 @@ from fastapi import HTTPException, status, Request
 async def get_collection(
    request: Request,
    collection_uuid: str,
-    current_user: PublicUser,
+    current_user: PublicUser | AnonymousUser,
    db_session: Session,
 ) -> CollectionRead:
    statement = select(Collection).where(Collection.collection_uuid == collection_uuid)
@ -48,6 +48,7 @@ async def get_collection(
    statement_all = (
        select(Course)
        .join(CollectionCourse, Course.id == CollectionCourse.course_id)
+        .where(CollectionCourse.org_id == collection.org_id)
        .distinct(Course.id)
    )

@ -57,7 +58,7 @@ async def get_collection(
        .where(CollectionCourse.org_id == collection.org_id, Course.public == True)
    )

-    if current_user.id == 0:
+    if current_user.user_uuid == "user_anonymous":
        statement = statement_public
    else:
        statement = statement_all
@ -88,7 +89,6 @@ async def create_collection(
    # Add collection to database
    db_session.add(collection)
    db_session.commit()
-
    db_session.refresh(collection)

    # Link courses to collection
@ -184,6 +184,7 @@ async def update_collection(
    statement = (
        select(Course)
        .join(CollectionCourse, Course.id == CollectionCourse.course_id)
+        .where(Course.org_id == collection.org_id)
        .distinct(Course.id)
    )

@ -255,6 +256,7 @@ async def get_collections(
        statement_all = (
            select(Course)
            .join(CollectionCourse, Course.id == CollectionCourse.course_id)
+            .where(CollectionCourse.org_id == collection.org_id)
            .distinct(Course.id)
        )
        statement_public = (
@ -297,8 +299,10 @@ async def rbac_check(
                    detail="User rights : You are not allowed to read this collection",
                )
        else:
-            res = await authorization_verify_based_on_roles_and_authorship_and_usergroups(
-                request, current_user.id, action, collection_uuid, db_session
+            res = (
+                await authorization_verify_based_on_roles_and_authorship_and_usergroups(
+                    request, current_user.id, action, collection_uuid, db_session
+                )
            )
            return res
    else: