From ed6d23c53614b5b1563e1b100fa14434136d0c33 Mon Sep 17 00:00:00 2001
From: marcsello
Date: Sat, 28 Nov 2020 23:08:07 +0100
Subject: [PATCH] Fixed user can download their own files
---
 src/templates/item.html | 4 ++--
 src/utils/__init__.py | 3 ++-
 src/utils/common_queries.py | 15 +++++++++++++++
 src/views/contentview.py | 17 +++++++++--------
 src/views/itemview.py | 14 +++++---------
 5 files changed, 33 insertions(+), 20 deletions(-)
 create mode 100644 src/utils/common_queries.py
diff --git a/src/templates/item.html b/src/templates/item.html
index 594a62f..4c6824d 100644
--- a/src/templates/item.html
+++ b/src/templates/item.html
@@ -4,14 +4,14 @@

Animation by {{ item.uploader.name }}

-

{{ item.name }}

+ {{ item.name }}

{{ item.name }}
- {% if purchased %}
+ {% if can_download %}
 Download {% else %}
diff --git a/src/utils/__init__.py b/src/utils/__init__.py
index de5a089..3b5967b 100644
--- a/src/utils/__init__.py
+++ b/src/utils/__init__.py
@@ -4,4 +4,5 @@ from .config import Config
 from .storage import storage
 from .md5stuffs import calculate_md5_sum_for_file, write_file_from_stream_to_file_like_while_calculating_md5
 from .exceptions import FileIntegrityError
-from .caff_previewer import create_caff_preview
\ No newline at end of file
+from .caff_previewer import create_caff_preview
+from .common_queries import user_can_access_caff
\ No newline at end of file
diff --git a/src/utils/common_queries.py b/src/utils/common_queries.py
new file mode 100644
index 0000000..8c2d551
--- /dev/null
+++ b/src/utils/common_queries.py
@@ -0,0 +1,15 @@
+from flask_security import current_user
+from models import db, Purchase, Item
+
+
+def user_can_access_caff(item: Item) -> bool:
+ if not current_user.is_authenticated:
+ return False
+ else:
+
+ if item.uploader == current_user:
+ return True
+ else:
+ p = Purchase.query.filter(
+ db.and_(Purchase.purchaser_id == current_user.id, Purchase.item_id == item.id)).first()
+ return bool(p)
diff --git a/src/views/contentview.py b/src/views/contentview.py
index 602d544..503f9da 100644
--- a/src/views/contentview.py
+++ b/src/views/contentview.py
@@ -7,7 +7,9 @@ from flask_security import login_required, current_user
 from utils import storage
 from minio.error import NoSuchKey
-from models import db, Item, Purchase
+from utils import user_can_access_caff
+
+from models import db, Item
 class ContentView(FlaskView):
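Review bot: `item.uploader == current_user` in the new `user_can_access_caff` compares an ORM instance with Flask-Login's `LocalProxy`; with no `__eq__` on the model that is an identity test, so it is true only while both objects come out of the same session's identity map and otherwise silently falls through to the purchase lookup and denies the owner. Comparing primary keys (`item.uploader.id == current_user.id`, or an `uploader_id` column if `Item` has one — the model is not in the diff) states the rule explicitly and survives a second session or a later custom `__eq__`. While there, the `else:` branches after each `return` and the stray blank line can become guard clauses, `bool(p)` reads better as `is not None`, and the function needs a docstring saying what it decides; I have guarded `uploader` against NULL because the diff does not show whether the relationship is nullable.
```python
def user_can_access_caff(item: Item) -> bool:
    """Return True if the logged-in user may download item's CAFF file.

    The uploader always may; anyone else needs a Purchase row for this item.
    Anonymous users never may.
    """
    if not current_user.is_authenticated:
        return False
    # Compare keys, not objects: current_user is a LocalProxy and model instances
    # only compare equal by identity, which holds only inside one session.
    uploader = item.uploader
    if uploader is not None and uploader.id == current_user.id:
        return True
    purchase = Purchase.query.filter(
        db.and_(Purchase.purchaser_id == current_user.id, Purchase.item_id == item.id)).first()
    return purchase is not None
```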
@@ -29,22 +31,21 @@ class ContentView(FlaskView):
 def preview(self, id_: int):
 i = Item.query.get_or_404(id_)
-
 return self._stream_from_minio(current_app.config['MINIO_PREVIEW_BUCKET_NAME'], i.id)
 @login_required
 def caff(self, id_: int):
- p = Purchase.query.filter(db.and_(Purchase.purchaser_id == current_user.id, Purchase.item_id == id_)).first()
+ item = Item.query.get_or_404(id_)
- if not p:
+ if not user_can_access_caff(item):
 abort(403)
 allowed_chars = string.ascii_lowercase + string.ascii_uppercase + string.digits
- filename = ''.join(filter(lambda x: x in allowed_chars, p.item.name)).lower()
+ filename = ''.join(filter(lambda x: x in allowed_chars, item.name)).lower()
 if not filename:
- filename = str(p.item.id)
+ filename = str(item.id)
- filename += f'_{p.id}.caff'
+ filename += '.caff'
- return self._stream_from_minio(current_app.config['MINIO_CAFF_BUCKET_NAME'], p.item.id, filename)
+ return self._stream_from_minio(current_app.config['MINIO_CAFF_BUCKET_NAME'], item.id, filename)
diff --git a/src/views/itemview.py b/src/views/itemview.py
index 4e8eb5c..1d8f636 100644
--- a/src/views/itemview.py
+++ b/src/views/itemview.py
@@ -3,7 +3,9 @@ from flask import render_template, request, flash, redirect, url_for, current_ap
 from flask_classful import FlaskView
 from flask_security import current_user, login_required
-from models import db, Comment, Item, Purchase
+from utils import user_can_access_caff
+
+from models import db, Comment, Item
 import bleach
 """
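Review bot: The file-name sanitising in `caff` is the only thing standing between the uploader-controlled `item.name` and whatever `_stream_from_minio` does with `filename` (presumably a download file name — that helper is outside the hunk), yet the rewritten line carries no comment saying so, and the whitelist is spelled out by hand. I would write it as `allowed_chars = string.ascii_letters + string.digits`, `# item.name is uploader-controlled and becomes the download name: keep only [A-Za-z0-9]`, `filename = ''.join(c for c in item.name if c in allowed_chars).lower()` so the next maintainer does not "relax" it. A one-line docstring such as `"""Stream the item's CAFF file; 403 unless user_can_access_caff(item)."""` would also document the new authorisation rule at the enforcement point. `db` is still imported in this file after the `Purchase` query was removed; whether anything else in contentview uses it is not visible here. The enclosing class continues outside the hunk on both sides.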
@@ -20,15 +22,9 @@ class ItemView(FlaskView):
 def get(self, id_: int):
 item = Item.query.get_or_404(id_)
+ can_download = user_can_access_caff(item)
- if not current_user.is_authenticated:
- purchased = False
- else:
- p = Purchase.query.filter(
- db.and_(Purchase.purchaser_id == current_user.id, Purchase.item_id == id_)).first()
- purchased = bool(p)
-
- return render_template('item.html', item=item, purchased=purchased)
+ return render_template('item.html', item=item, can_download=can_download)
 @login_required
 def post(self, id_: int):