Extract access checks

bookmarks/views/access.py

@@ -0,0 +1,56 @@
+from django.http import Http404
+
+from bookmarks.models import Bookmark, BookmarkAsset, Toast
+from bookmarks.type_defs import HttpRequest
+
+
+def bookmark_read(request: HttpRequest, bookmark_id: int | str):
+    try:
+        bookmark = Bookmark.objects.get(pk=int(bookmark_id))
+    except Bookmark.DoesNotExist:
+        raise Http404("Bookmark does not exist")
+
+    is_owner = bookmark.owner == request.user
+    is_shared = (
+        request.user.is_authenticated
+        and bookmark.shared
+        and bookmark.owner.profile.enable_sharing
+    )
+    is_public_shared = bookmark.shared and bookmark.owner.profile.enable_public_sharing
+    if not is_owner and not is_shared and not is_public_shared:
+        raise Http404("Bookmark does not exist")
+    if request.method == "POST" and not is_owner:
+        raise Http404("Bookmark does not exist")
+
+    return bookmark
+
+
+def bookmark_write(request: HttpRequest, bookmark_id: int | str):
+    try:
+        return Bookmark.objects.get(pk=bookmark_id, owner=request.user)
+    except Bookmark.DoesNotExist:
+        raise Http404("Bookmark does not exist")
+
+
+def asset_read(request: HttpRequest, asset_id: int | str):
+    try:
+        asset = BookmarkAsset.objects.get(pk=asset_id)
+    except BookmarkAsset.DoesNotExist:
+        raise Http404("Asset does not exist")
+
+    bookmark_read(request, asset.bookmark_id)
+    return asset
+
+
+def asset_write(request: HttpRequest, asset_id: int | str):
+    try:
+        return BookmarkAsset.objects.get(pk=asset_id, bookmark__owner=request.user)
+    except BookmarkAsset.DoesNotExist:
+        raise Http404("Asset does not exist")
+
+
+def toast_write(request: HttpRequest, toast_id: int | str):
+    try:
+        return Toast.objects.get(pk=toast_id, owner=request.user)
+    except Toast.DoesNotExist:
+        raise Http404("Toast does not exist")

bookmarks/views/assets.py

@@ -8,28 +8,7 @@ from django.http import (
 )
 from django.shortcuts import render
 
-from bookmarks.models import BookmarkAsset
-
-
-def _access_asset(request, asset_id: int):
-    try:
-        asset = BookmarkAsset.objects.get(pk=asset_id)
-    except BookmarkAsset.DoesNotExist:
-        raise Http404("Asset does not exist")
-
-    bookmark = asset.bookmark
-    is_owner = bookmark.owner == request.user
-    is_shared = (
-        request.user.is_authenticated
-        and bookmark.shared
-        and bookmark.owner.profile.enable_sharing
-    )
-    is_public_shared = bookmark.shared and bookmark.owner.profile.enable_public_sharing
-
-    if not is_owner and not is_shared and not is_public_shared:
-        raise Http404("Bookmark does not exist")
-
-    return asset
+from bookmarks.views import access
 
 
 def _get_asset_content(asset):
@@ -49,14 +28,14 @@ def _get_asset_content(asset):
 
 
 def view(request, asset_id: int):
-    asset = _access_asset(request, asset_id)
+    asset = access.asset_read(request, asset_id)
     content = _get_asset_content(asset)
 
     return HttpResponse(content, content_type=asset.content_type)
 
 
 def read(request, asset_id: int):
-    asset = _access_asset(request, asset_id)
+    asset = access.asset_read(request, asset_id)
     content = _get_asset_content(asset)
     content = content.decode("utf-8")
 

bookmarks/views/bookmarks.py

@@ -5,7 +5,6 @@ from django.contrib.auth.decorators import login_required
 from django.db.models import QuerySet
 from django.http import (
     HttpResponseRedirect,
-    Http404,
     HttpResponseBadRequest,
     HttpResponseForbidden,
 )
@@ -15,7 +14,6 @@ from django.urls import reverse
 from bookmarks import queries, utils
 from bookmarks.models import (
     Bookmark,
-    BookmarkAsset,
     BookmarkForm,
     BookmarkSearch,
     build_tag_string,
@@ -38,7 +36,7 @@ from bookmarks.services.bookmarks import (
 )
 from bookmarks.type_defs import HttpRequest
 from bookmarks.utils import get_safe_return_url
-from bookmarks.views import contexts, partials, turbo
+from bookmarks.views import access, contexts, partials, turbo
 
 
 @login_required
@@ -190,10 +188,7 @@ def new(request: HttpRequest):
 
 @login_required
 def edit(request: HttpRequest, bookmark_id: int):
-    try:
-        bookmark = Bookmark.objects.get(pk=bookmark_id, owner=request.user)
-    except Bookmark.DoesNotExist:
-        raise Http404("Bookmark does not exist")
+    bookmark = access.bookmark_write(request, bookmark_id)
     return_url = get_safe_return_url(
         request.GET.get("return_url"), reverse("linkding:bookmarks.index")
     )
@@ -216,58 +211,34 @@ def edit(request: HttpRequest, bookmark_id: int):
 
 
 def remove(request: HttpRequest, bookmark_id: int | str):
-    try:
-        bookmark = Bookmark.objects.get(pk=bookmark_id, owner=request.user)
-    except Bookmark.DoesNotExist:
-        raise Http404("Bookmark does not exist")
-
+    bookmark = access.bookmark_write(request, bookmark_id)
     bookmark.delete()
 
 
 def archive(request: HttpRequest, bookmark_id: int | str):
-    try:
-        bookmark = Bookmark.objects.get(pk=bookmark_id, owner=request.user)
-    except Bookmark.DoesNotExist:
-        raise Http404("Bookmark does not exist")
-
+    bookmark = access.bookmark_write(request, bookmark_id)
     archive_bookmark(bookmark)
 
 
 def unarchive(request: HttpRequest, bookmark_id: int | str):
-    try:
-        bookmark = Bookmark.objects.get(pk=bookmark_id, owner=request.user)
-    except Bookmark.DoesNotExist:
-        raise Http404("Bookmark does not exist")
-
+    bookmark = access.bookmark_write(request, bookmark_id)
     unarchive_bookmark(bookmark)
 
 
 def unshare(request: HttpRequest, bookmark_id: int | str):
-    try:
-        bookmark = Bookmark.objects.get(pk=bookmark_id, owner=request.user)
-    except Bookmark.DoesNotExist:
-        raise Http404("Bookmark does not exist")
-
+    bookmark = access.bookmark_write(request, bookmark_id)
     bookmark.shared = False
     bookmark.save()
 
 
 def mark_as_read(request: HttpRequest, bookmark_id: int | str):
-    try:
-        bookmark = Bookmark.objects.get(pk=bookmark_id, owner=request.user)
-    except Bookmark.DoesNotExist:
-        raise Http404("Bookmark does not exist")
-
+    bookmark = access.bookmark_write(request, bookmark_id)
     bookmark.unread = False
     bookmark.save()
 
 
 def create_html_snapshot(request: HttpRequest, bookmark_id: int | str):
-    try:
-        bookmark = Bookmark.objects.get(pk=bookmark_id, owner=request.user)
-    except Bookmark.DoesNotExist:
-        raise Http404("Bookmark does not exist")
-
+    bookmark = access.bookmark_write(request, bookmark_id)
     tasks.create_html_snapshot(bookmark)
 
 
@@ -275,11 +246,7 @@ def upload_asset(request: HttpRequest, bookmark_id: int | str):
     if settings.LD_DISABLE_ASSET_UPLOAD:
         return HttpResponseForbidden("Asset upload is disabled")
 
-    try:
-        bookmark = Bookmark.objects.get(pk=bookmark_id, owner=request.user)
-    except Bookmark.DoesNotExist:
-        raise Http404("Bookmark does not exist")
-
+    bookmark = access.bookmark_write(request, bookmark_id)
     file = request.FILES.get("upload_asset_file")
     if not file:
         return HttpResponseBadRequest("No file provided")
@@ -288,20 +255,12 @@ def upload_asset(request: HttpRequest, bookmark_id: int | str):
 
 
 def remove_asset(request: HttpRequest, asset_id: int | str):
-    try:
-        asset = BookmarkAsset.objects.get(pk=asset_id, bookmark__owner=request.user)
-    except BookmarkAsset.DoesNotExist:
-        raise Http404("Asset does not exist")
-
+    asset = access.asset_write(request, asset_id)
     asset.delete()
 
 
 def update_state(request: HttpRequest, bookmark_id: int | str):
-    try:
-        bookmark = Bookmark.objects.get(pk=bookmark_id, owner=request.user)
-    except Bookmark.DoesNotExist:
-        raise Http404("Bookmark does not exist")
-
+    bookmark = access.bookmark_write(request, bookmark_id)
     bookmark.is_archived = request.POST.get("is_archived") == "on"
     bookmark.unread = request.POST.get("unread") == "on"
     bookmark.shared = request.POST.get("shared") == "on"

bookmarks/views/contexts.py

@@ -20,6 +20,7 @@ from bookmarks.models import (
 )
 from bookmarks.services.wayback import generate_fallback_webarchive_url
 from bookmarks.type_defs import HttpRequest
+from bookmarks.views import access
 
 CJK_RE = re.compile(r"[\u4e00-\u9fff]+")
 
@@ -444,22 +445,10 @@ def get_details_context(
         return None
 
     try:
-        bookmark = Bookmark.objects.get(pk=int(bookmark_id))
-    except Bookmark.DoesNotExist:
+        bookmark = access.bookmark_read(request, bookmark_id)
+    except Http404:
         # just ignore, might end up in a situation where the bookmark was deleted
         # in between navigating back and forth
         return None
 
-    is_owner = bookmark.owner == request.user
-    is_shared = (
-        request.user.is_authenticated
-        and bookmark.shared
-        and bookmark.owner.profile.enable_sharing
-    )
-    is_public_shared = bookmark.shared and bookmark.owner.profile.enable_public_sharing
-    if not is_owner and not is_shared and not is_public_shared:
-        raise Http404("Bookmark does not exist")
-    if request.method == "POST" and not is_owner:
-        raise Http404("Bookmark does not exist")
-
     return context_type(request, bookmark)

bookmarks/views/toasts.py

@@ -1,18 +1,14 @@
 from django.contrib.auth.decorators import login_required
-from django.http import HttpResponseRedirect, Http404
+from django.http import HttpResponseRedirect
 from django.urls import reverse
 
-from bookmarks.models import Toast
 from bookmarks.utils import get_safe_return_url
+from bookmarks.views import access
 
 
 @login_required
 def acknowledge(request):
-    toast_id = request.POST["toast"]
-    try:
-        toast = Toast.objects.get(pk=toast_id, owner=request.user)
-    except Toast.DoesNotExist:
-        raise Http404("Toast does not exist")
+    toast = access.toast_write(request, request.POST["toast"])
     toast.acknowledged = True
     toast.save()