describing a custom location should honor access restrictions

src/c3nav/mapdata/api/map.py

@@ -270,7 +270,8 @@ def get_position_by_id(request, position_id: AnyPositionID):
             location = Position.objects.get(secret=position_id[2:])
         except Position.DoesNotExist:
             raise API404()
-    return location.serialize_position()
+
+    return location.serialize_position(request=request)
 
 
 class UpdatePositionSchema(BaseSchema):
@@ -314,7 +315,7 @@ def set_position(request, position_id: AnyPositionID, update: UpdatePositionSche
     location.last_coordinates_update = timezone.now()
     location.save()
 
-    return location.serialize_position()
+    return location.serialize_position(request=request)
 
 
 @map_api_router.get('/projection/', summary='get proj4 string',

src/c3nav/mapdata/models/locations.py

@@ -515,7 +515,9 @@ class LabelSettings(SerializableMixin, models.Model):
 
 
 class CustomLocationProxyMixin:
-    def get_custom_location(self):
+    request = None
+
+    def get_custom_location(self, request=None):
         raise NotImplementedError
 
     @property
@@ -534,7 +536,7 @@ class CustomLocationProxyMixin:
     def level(self):
         return self.get_custom_location().level
 
-    def serialize_position(self):
+    def serialize_position(self, request=None):
         raise NotImplementedError
 
 
@@ -560,8 +562,8 @@ class DynamicLocation(CustomLocationProxyMixin, SpecificLocation, models.Model):
     def register_change(self, force=False):
         pass
 
-    def serialize_position(self):
-        custom_location = self.get_custom_location()
+    def serialize_position(self, request=None):
+        custom_location = self.get_custom_location(request=request)
         if custom_location is None:
             return {
                 'available': False,
@@ -587,11 +589,13 @@ class DynamicLocation(CustomLocationProxyMixin, SpecificLocation, models.Model):
         })
         return result
 
-    def get_custom_location(self):
+    def get_custom_location(self, request=None):
         if not self.position_secret:
             return None
         try:
-            return Position.objects.get(secret=self.position_secret).get_custom_location()
+            return Position.objects.get(secret=self.position_secret).get_custom_location(
+                requests=request if request is not None else self.request
+            )
         except Position.DoesNotExist:
             return None
 
@@ -633,7 +637,9 @@ class Position(CustomLocationProxyMixin, models.Model):
                 self.coordinates = None
                 self.last_coordinates_update = end_time
 
-    def get_custom_location(self):
+    def get_custom_location(self, request=None):
+        if request is not None:
+            self.request = request  # todo: this is ugly, yes
         return self.coordinates
 
     @classmethod
@@ -647,8 +653,8 @@ class Position(CustomLocationProxyMixin, models.Model):
             cache.set(cache_key, result, 600)
         return result
 
-    def serialize_position(self):
-        custom_location = self.get_custom_location()
+    def serialize_position(self, request=None):
+        custom_location = self.get_custom_location(request=request)
         if custom_location is None:
             return {
                 'id': 'p:%s' % self.secret,

src/c3nav/mapdata/views.py

@@ -169,7 +169,7 @@ def preview_location(request, slug):
         geometries = [loc.geometry for loc in location.locations if loc.level_id == level]
         highlight = True
     elif isinstance(location, Position):
-        loc = location.get_custom_location()
+        loc = location.get_custom_location(request=request)
         if not loc:
             raise Http404
         geometries = [Point(loc.x, loc.y)]