private shares and revokation works

2025-12-13 00:34:38 +05:00
parent f5370aa7f9
commit 4007445396
13 changed files with 307 additions and 96 deletions
--- a/app/services/item_service.py
+++ b/app/services/item_service.py
@@ -8,11 +8,53 @@ from shapely.geometry import shape, Point, LineString
 import json

 from app.models.map_item import MapItem
+from app.models.map import Map
+from app.models.map_share import MapShare, SharePermission
 from app.models.user import User
 from app.schemas.map_item import MapItemCreate, MapItemUpdate
 from app.services.map_service import get_map_by_id


+def check_edit_permission(db: Session, map_id: UUID, user: User) -> None:
+    """Check if user has edit permission on a map. Raises exception if not."""
+    map_obj = db.query(Map).filter(Map.id == map_id).first()
+
+    if not map_obj:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Map not found"
+        )
+
+    # Owner always has edit permission
+    if map_obj.owner_id == user.id:
+        return
+
+    # Admin always has edit permission
+    if user.is_admin:
+        return
+
+    # Check if user has share access
+    share = db.query(MapShare).filter(
+        MapShare.map_id == map_id,
+        MapShare.user_id == user.id
+    ).first()
+
+    if not share:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="You don't have access to this map"
+        )
+
+    # Check if share permission is EDIT
+    if share.permission != SharePermission.EDIT:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="You only have read-only access to this map"
+        )
+
+    return
+
+
 def get_map_items(db: Session, map_id: UUID, user: Optional[User] = None) -> List[MapItem]:
    """Get all items for a map."""
    # Verify user has access to the map
@@ -60,8 +102,8 @@ def geography_to_geojson(geography) -> dict:

 def create_map_item(db: Session, map_id: UUID, item_data: MapItemCreate, user: User) -> MapItem:
    """Create a new map item."""
-    # Verify user has access to the map
-    get_map_by_id(db, map_id, user)
+    # Verify user has edit permission on the map
+    check_edit_permission(db, map_id, user)

    # Convert GeoJSON to PostGIS geography
    geometry_wkt = geojson_to_geography(item_data.geometry)
@@ -142,6 +184,9 @@ def update_map_item(db: Session, item_id: UUID, item_data: MapItemUpdate, user:
    """Update a map item."""
    item = get_map_item_by_id(db, item_id, user)

+    # Verify user has edit permission on the map
+    check_edit_permission(db, item.map_id, user)
+
    # Update fields if provided
    if item_data.type is not None:
        item.type = item_data.type
@@ -162,6 +207,9 @@ def delete_map_item(db: Session, item_id: UUID, user: User) -> None:
    """Delete a map item."""
    item = get_map_item_by_id(db, item_id, user)

+    # Verify user has edit permission on the map
+    check_edit_permission(db, item.map_id, user)
+
    # Capture map_id and item_id before deletion for WebSocket broadcast
    map_id = item.map_id
    deleted_item_id = str(item.id)