enforce can_access_geometry on geometry endpoints

2024-12-03 17:07:07 +01:00 · 2024-12-03 17:07:07 +01:00 · 8be5f0f9fb
commit 8be5f0f9fb
parent a85ee24cd8
2 changed files with 6 additions and 3 deletions
--- a/src/c3nav/mapdata/api/mapdata.py
+++ b/src/c3nav/mapdata/api/mapdata.py
@ -9,7 +9,7 @@ from pydantic import PositiveInt
 from c3nav.api.auth import auth_responses, validate_responses
 from c3nav.api.exceptions import API404
 from c3nav.api.schema import BaseSchema
-from c3nav.mapdata.api.base import api_etag, optimize_query
+from c3nav.mapdata.api.base import api_etag, optimize_query, can_access_geometry
 from c3nav.mapdata.models import (Area, Building, Door, Hole, Level, LocationGroup, LocationGroupCategory, Source,
                                  Space, Stair, DataOverlay, DataOverlayFeature)
 from c3nav.mapdata.models.access import AccessRestriction, AccessRestrictionGroup
@ -54,9 +54,12 @@ def mapdata_list_endpoint(request,

 def mapdata_retrieve_endpoint(request, model: Type[Model], **lookups):
    try:
-        return optimize_query(
+        obj = optimize_query(
            model.qs_for_request(request) if hasattr(model, 'qs_for_request') else model.objects.all()
        ).get(**lookups)
+        if not can_access_geometry(request, obj):
+            obj.geometry = None
+        return obj
    except model.DoesNotExist:
        raise API404("%s not found" % model.__name__.lower())

--- a/src/c3nav/mapdata/schemas/model_base.py
+++ b/src/c3nav/mapdata/schemas/model_base.py
@ -225,7 +225,7 @@ class WithGeometrySchema(BaseSchema):
    @classmethod
    def get_overrides(cls, value) -> dict:
        value: GeometryMixin
-        if "geometry" in value.get_deferred_fields():
+        if "geometry" in value.get_deferred_fields() or value.geometry is None:
            return {
                **super().get_overrides(value),
                "geometry": None,