Add option to share bookmarks publicly (#503)

* Make shared view public, add user profile fallback * Allow unauthenticated access to shared bookmarks API * Link shared bookmarks in unauthenticated layout * Add public sharing setting * Only show shared bookmarks link if there are publicly shared bookmarks * Disable public sharing if sharing is disabled * Show specific helper text when public sharing is enabled * Fix tests * Add more tests * Improve setting description
2025-08-07 02:48:27 +02:00 · 2023-08-15 00:20:52 +02:00
parent 22e8750c24
commit ea240eefd9
29 changed files with 667 additions and 87 deletions
--- a/bookmarks/api/routes.py
+++ b/bookmarks/api/routes.py
@@ -1,5 +1,6 @@
 from rest_framework import viewsets, mixins, status
 from rest_framework.decorators import action
+from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.routers import DefaultRouter

@@ -18,6 +19,17 @@ class BookmarkViewSet(viewsets.GenericViewSet,
                      mixins.DestroyModelMixin):
    serializer_class = BookmarkSerializer

+    def get_permissions(self):
+        # Allow unauthenticated access to shared bookmarks.
+        # The shared action should still filter bookmarks so that
+        # unauthenticated users only see bookmarks from users that have public
+        # sharing explicitly enabled
+        if self.action == 'shared':
+            return [AllowAny()]
+
+        # Otherwise use default permissions which should require authentication
+        return super().get_permissions()
+
    def get_queryset(self):
        user = self.request.user
        # For list action, use query set that applies search and tag projections
@@ -45,7 +57,8 @@ class BookmarkViewSet(viewsets.GenericViewSet,
    def shared(self, request):
        filters = BookmarkFilters(request)
        user = User.objects.filter(username=filters.user).first()
-        query_set = queries.query_shared_bookmarks(user, request.user.profile, filters.query)
+        public_only = not request.user.is_authenticated
+        query_set = queries.query_shared_bookmarks(user, request.user_profile, filters.query, public_only)
        page = self.paginate_queryset(query_set)
        serializer = self.get_serializer_class()
        data = serializer(page, many=True).data