From ebaf82fb5e2f200b1d6247dedc7bcf2927be8560 Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Sun, 31 Dec 2023 13:02:37 -0500
Subject: [PATCH] anonymous user may see collection list if owner allows

---
 journal/models/common.py      | 35 +++++++++++++++--------------------
 journal/templates/review.html |  2 +-
 journal/views/collection.py   | 10 +++++++++-
 users/views.py                | 11 +++++++++++
 4 files changed, 36 insertions(+), 22 deletions(-)

diff --git a/journal/models/common.py b/journal/models/common.py
index 5642a0bd..d5bf48f1 100644
--- a/journal/models/common.py
+++ b/journal/models/common.py
@@ -29,12 +29,11 @@ class VisibilityType(models.IntegerChoices):
 
 
 def q_owned_piece_visible_to_user(viewing_user: User, owner: APIdentity):
-    if (
-        not viewing_user
-        or not viewing_user.is_authenticated
-        or not viewing_user.identity
-    ):
-        return Q(owner=owner, visibility=0)
+    if not viewing_user or not viewing_user.is_authenticated:
+        if owner.anonymous_viewable:
+            return Q(owner=owner, visibility=0)
+        else:
+            return Q(pk__in=[])
     viewer = viewing_user.identity
     if viewer == owner:
         return Q(owner=owner)
@@ -47,11 +46,7 @@ def q_owned_piece_visible_to_user(viewing_user: User, owner: APIdentity):
 
 
 def max_visiblity_to_user(viewing_user: User, owner: APIdentity):
-    if (
-        not viewing_user
-        or not viewing_user.is_authenticated
-        or not viewing_user.identity
-    ):
+    if not viewing_user or not viewing_user.is_authenticated:
         return 0
     viewer = viewing_user.identity
     if viewer == owner:
@@ -62,20 +57,20 @@ def max_visiblity_to_user(viewing_user: User, owner: APIdentity):
         return 0
 
 
-def q_piece_visible_to_user(user: User):
-    if not user or not user.is_authenticated or not user.identity:
+def q_piece_visible_to_user(viewing_user: User):
+    if not viewing_user or not viewing_user.is_authenticated:
         return Q(visibility=0, owner__anonymous_viewable=True)
+    viewer = viewing_user.identity
     return (
         Q(visibility=0)
-        | Q(owner_id__in=user.identity.following, visibility=1)
-        | Q(owner_id=user.identity.pk)
-    ) & ~Q(owner_id__in=user.identity.ignoring)
+        | Q(owner_id__in=viewer.following, visibility=1)
+        | Q(owner_id=viewer.pk)
+    ) & ~Q(owner_id__in=viewer.ignoring)
 
 
-def q_piece_in_home_feed_of_user(user: User):
-    return Q(owner_id__in=user.identity.following, visibility__lt=2) | Q(
-        owner_id=user.identity.pk
-    )
+def q_piece_in_home_feed_of_user(viewing_user: User):
+    viewer = viewing_user.identity
+    return Q(owner_id__in=viewer.following, visibility__lt=2) | Q(viewer.pk)
 
 
 def q_item_in_category(item_category: ItemCategory | AvailableItemCategory):
diff --git a/journal/templates/review.html b/journal/templates/review.html
index e5b61dbc..8aba901e 100644
--- a/journal/templates/review.html
+++ b/journal/templates/review.html
@@ -63,7 +63,7 @@
               {{ review.html_content | safe }}
             {% else %}
               <p class="empty">
-                <span>作者已设置为<a href="{% url 'users:login' %}?next={{ request.path }}">登录</a>后可查看</span>
+                <span>作者已设置仅限<a href="{% url 'users:login' %}?next={{ request.path }}">登录</a>用户查看</span>
               </p>
             {% endif %}
           </div>
diff --git a/journal/views/collection.py b/journal/views/collection.py
index fe6fe66b..27cafc74 100644
--- a/journal/views/collection.py
+++ b/journal/views/collection.py
@@ -12,7 +12,11 @@ from common.utils import AuthedHttpRequest, get_uuid_or_404
 from mastodon.api import boost_toot_later, share_collection
 from users.models import User
 from users.models.apidentity import APIdentity
-from users.views import render_user_blocked, render_user_not_found
+from users.views import (
+    render_user_blocked,
+    render_user_noanonymous,
+    render_user_not_found,
+)
 
 from ..forms import *
 from ..models import *
@@ -310,6 +314,8 @@ def collection_edit(request: AuthedHttpRequest, collection_uuid=None):
 @target_identity_required
 def user_collection_list(request: AuthedHttpRequest, user_name):
     target = request.target_identity
+    if not request.user.is_authenticated and not target.anonymous_viewable:
+        return render_user_noanonymous(request)
     collections = (
         Collection.objects.filter(owner=target)
         .filter(q_owned_piece_visible_to_user(request.user, target))
@@ -330,6 +336,8 @@ def user_collection_list(request: AuthedHttpRequest, user_name):
 @target_identity_required
 def user_liked_collection_list(request: AuthedHttpRequest, user_name):
     target = request.target_identity
+    if not request.user.is_authenticated and not target.anonymous_viewable:
+        return render_user_noanonymous(request)
     collections = Collection.objects.filter(
         interactions__identity=target,
         interactions__interaction_type="like",
diff --git a/users/views.py b/users/views.py
index 5902339b..4a77750a 100644
--- a/users/views.py
+++ b/users/views.py
@@ -49,6 +49,17 @@ def render_user_blocked(request):
     )
 
 
+def render_user_noanonymous(request):
+    msg = _("作者已设置仅限登录用户查看")
+    return render(
+        request,
+        "common/error.html",
+        {
+            "msg": msg,
+        },
+    )
+
+
 def query_identity(request, handle):
     try:
         i = APIdentity.get_by_handler(handle)