add api to get a collection and review with known id

Author: mein Name

journal/apis/collection.py

@@ -17,6 +17,7 @@
 class CollectionSchema(Schema):
     uuid: str
     url: str
+    api_url: str
     visibility: int = Field(ge=0, le=2)
     post_id: int | None = Field(alias="latest_post_id")
     created_time: datetime
@@ -50,7 +51,7 @@ class CollectionItemInSchema(Schema):
     tags=["collection"],
 )
 @paginate(PageNumberPagination)
-def list_collections(request):
+def list_user_collections(request):
     """
     Get collections created by current user
     """
@@ -63,7 +64,7 @@ def list_collections(request):
     response={200: CollectionSchema, 401: Result, 403: Result, 404: Result},
     tags=["collection"],
 )
-def get_collection(request, collection_uuid: str):
+def get_user_collection(request, collection_uuid: str):
     """
     Get collections by its uuid
     """
@@ -75,6 +76,48 @@ def get_collection(request, collection_uuid: str):
     return c
 
 
+@api.get(
+    "/collection/{collection_uuid}",
+    response={200: CollectionSchema, 401: Result, 403: Result, 404: Result},
+    tags=["collection"],
+    auth=None,
+)
+def get_collection(request, collection_uuid: str):
+    """
+    Get details of a collection
+    """
+    c = Collection.get_by_url(collection_uuid)
+    if not c:
+        return 404, {"message": "Collection not found"}
+    if not c.is_visible_to(request.user):
+        return 403, {"message": "Permission denied"}
+    return c
+
+
+@api.get(
+    "/collection/{collection_uuid}/item/",
+    response={200: List[CollectionItemSchema], 401: Result, 403: Result, 404: Result},
+    tags=["collection"],
+    auth=None,
+)
+@paginate(PageNumberPagination)
+def collection_list_items(request, collection_uuid: str):
+    """
+    Get items in a collection collections
+    """
+    c = Collection.get_by_url(collection_uuid)
+    if not c:
+        return 404, {"message": "Collection not found"}
+    if not c.is_visible_to(request.user):
+        return 403, {"message": "Permission denied"}
+    if c.is_dynamic:
+        items = c.query_result.items if c.query_result else []
+        members = [{"item": i, "note": ""} for i in items]
+        return members
+    else:
+        return c.ordered_members
+
+
 @api.post(
     "/me/collection/",
     response={200: CollectionSchema, 401: Result, 403: Result, 404: Result},
@@ -140,7 +183,7 @@ def delete_collection(request, collection_uuid: str):
     tags=["collection"],
 )
 @paginate(PageNumberPagination)
-def collection_list_items(request, collection_uuid: str):
+def user_collection_list_items(request, collection_uuid: str):
     """
     Get items in a collection collections
     """

journal/apis/review.py

@@ -16,6 +16,7 @@
 
 class ReviewSchema(Schema):
     url: str
+    api_url: str
     visibility: int = Field(ge=0, le=2)
     post_id: int | None = Field(alias="latest_post_id")
     item: ItemSchema
@@ -113,3 +114,24 @@ def delete_review(request, item_uuid: str):
         return 404, {"message": "Item not found"}
     Review.update_item_review(item, request.user.identity, None, None)
     return 200, {"message": "OK"}
+
+
+@api.get(
+    "/review/{review_uuid}",
+    response={200: ReviewSchema, 401: Result, 403: Result, 404: Result},
+    tags=["review"],
+    auth=None,
+)
+def get_any_review(request, review_uuid: str):
+    """
+    Get a review by its uuid with permission checks.
+
+    Returns the review if it is visible to the requesting user based on
+    its visibility and the relationship to the owner; otherwise 403.
+    """
+    r = Review.get_by_url(review_uuid)
+    if not r:
+        return 404, {"message": "Review not found"}
+    if not r.is_visible_to(request.user):
+        return 403, {"message": "Permission denied"}
+    return r

journal/models/mixins.py

@@ -25,15 +25,15 @@ class UserOwnedObjectMixin:
 
     def is_visible_to(
         self: "Piece",  # type: ignore
-        viewing_user: "User",
+        viewing_user: "User | None",
     ) -> bool:
         owner = self.owner
         if not owner or not owner.is_active:
             return False
         if owner.user == viewing_user:
             return True
-        if not viewing_user.is_authenticated:
-            return self.visibility == 0
+        if not viewing_user or not viewing_user.is_authenticated:
+            return self.visibility == 0 and owner.anonymous_viewable
         viewer = viewing_user.identity
         if not viewer:
             return False