feat: Bulk fixes (#1195)

remove ckeditor - not in use add more strict default password validators set Django admin as configurable URL add nginx HSTS and CSP headers enable moving from private to unlisted in the PORTAL_WORKFLOW private on default comments listing, show only comments for public media in case of a private media, dont expose any unneeded metadata
2025-11-20 05:36:03 -05:00 · 2025-02-13 13:41:53 +02:00
parent 5402ee7bc5
commit 3a8cacc847
13 changed files with 151 additions and 120 deletions
--- a/files/context_processors.py
+++ b/files/context_processors.py
@@ -34,5 +34,7 @@ def stuff(request):
    ret["RSS_URL"] = "/rss"
    ret["TRANSLATION"] = get_translation(request.LANGUAGE_CODE)
    ret["REPLACEMENTS"] = get_translation_strings(request.LANGUAGE_CODE)
+    if request.user.is_superuser:
+        ret["DJANGO_ADMIN_URL"] = settings.DJANGO_ADMIN_URL

    return ret
--- a/files/methods.py
+++ b/files/methods.py
@@ -119,12 +119,16 @@ def get_next_state(user, current_state, next_state):

    if next_state not in ["public", "private", "unlisted"]:
        next_state = settings.PORTAL_WORKFLOW  # get default state
+
    if is_mediacms_editor(user):
        # allow any transition
        return next_state

    if settings.PORTAL_WORKFLOW == "private":
-        next_state = "private"
+        if next_state in ["private", "unlisted"]:
+            next_state = next_state
+        else:
+            next_state = current_state

    if settings.PORTAL_WORKFLOW == "unlisted":
        # don't allow to make media public in this case
--- a/files/views.py
+++ b/files/views.py
@@ -675,6 +675,9 @@ class MediaActions(APIView):
    def get(self, request, friendly_token, format=None):
        # show date and reason for each time media was reported
        media = self.get_object(friendly_token)
+        if not (request.user == media.user or is_mediacms_editor(request.user) or is_mediacms_manager(request.user)):
+            return Response({"detail": "not allowed"}, status=status.HTTP_400_BAD_REQUEST)
+
        if isinstance(media, Response):
            return media

@@ -928,9 +931,10 @@ class PlaylistDetail(APIView):

        serializer = PlaylistDetailSerializer(playlist, context={"request": request})

-        playlist_media = PlaylistMedia.objects.filter(playlist=playlist).prefetch_related("media__user")
+        playlist_media = PlaylistMedia.objects.filter(playlist=playlist, media__state="public").prefetch_related("media__user")

        playlist_media = [c.media for c in playlist_media]
+
        playlist_media_serializer = MediaSerializer(playlist_media, many=True, context={"request": request})
        ret = serializer.data
        ret["playlist_media"] = playlist_media_serializer.data
@@ -1195,7 +1199,7 @@ class CommentList(APIView):
    def get(self, request, format=None):
        pagination_class = api_settings.DEFAULT_PAGINATION_CLASS
        paginator = pagination_class()
-        comments = Comment.objects.filter()
+        comments = Comment.objects.filter(media__state="public").order_by("-add_date")
        comments = comments.prefetch_related("user")
        comments = comments.prefetch_related("media")
        params = self.request.query_params