| author | Daniel Schadt <kingdread@gmx.de> | 2025-12-30 20:38:06 +0100 |
|---|---|---|
| committer | Daniel Schadt <kingdread@gmx.de> | 2025-12-30 20:38:06 +0100 |
| commit | e3e7ecb833c74d038a77685e5911716a81dfd7f2 (patch) | |
| tree | b0e03c698f451ce6b257d9c27419bc9bfe37a180 | |
| parent | da47944101e171da37a95f1ee5226423ae592d0f (diff) | |
ensure that track is visible to the journey owner
| -rw-r--r-- | fietsboek/views/journey.py | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/fietsboek/views/journey.py b/fietsboek/views/journey.py
index 8621f4a..70b62c3 100644
--- a/fietsboek/views/journey.py
+++ b/fietsboek/views/journey.py
@@ -117,7 +117,7 @@ def do_journey_new(request: Request):
 request.dbsession.add(journey)
 request.dbsession.flush()
- track_ids = _extract_valid_tracks(request)
+ track_ids = _extract_valid_tracks(request, set())
 journey.set_track_ids(track_ids)
 request.data_manager.initialize_journey(journey.id)
@@ -150,7 +150,7 @@ def do_journey_edit(request: Request):
 journey.description = request.params.get("journeyDescription")
 journey.visibility = _extract_visibility(request)
- track_ids = _extract_valid_tracks(request)
+ track_ids = _extract_valid_tracks(request, {track.id for track in journey.tracks})
 journey.set_track_ids(track_ids)
 request.dbsession.add(journey)
@@ -166,7 +166,7 @@ def _extract_visibility(request: Request) -> Visibility:
 raise HTTPBadRequest("Invalid visibility")
-def _extract_valid_tracks(request: Request) -> list[int]:
+def _extract_valid_tracks(request: Request, current_ids: set[int]) -> list[int]:
 user: User = request.identity
 if not request.params.get("journeyTitle"):
@@ -183,9 +183,17 @@ def _extract_valid_tracks(request: Request) -> list[int]:
 for track_id in track_ids:
 query = select(Track).filter_by(id=track_id)
- track = request.dbsession.execute(query).one_or_none()
+ track: Track = request.dbsession.execute(query).scalar_one_or_none()
 if track is None:
 raise HTTPBadRequest("Invalid track ID")
+ # We don't really want users to add tracks to journeys that they can't
+ # see, because that leaks information (e.g., you create a journey and
+ # add a single tracks, that gives you the clear path).
+ # However, if a track used to be visible and now is no longer, we don't
+ # want editing to fail, so we allow a non-visible track if it is already
+ # in the journey.
+ if not track.is_visible_to(user) and track_id not in current_ids:
+ raise HTTPBadRequest("Invalid track ID")
 return track_ids |
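Review bot: In `do_journey_edit` the visibility check that this call feeds is made against `request.identity`, while the commit title speaks of the journey owner; the two are the same only if nobody but the owner can reach this view. The permission check for the view lies outside the hunk, so this is a question rather than a finding. If an admin or another user can edit a journey, decide which identity the check should use. Either way a comment above the call would help, for example `# current tracks are exempt from the visibility check, which is made against request.identity`.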
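Review bot: `_extract_valid_tracks` gains the `current_ids` parameter, but as shown the signature is followed directly by `user: User = request.identity`, so there is no docstring and the parameter is explained only by a comment deep inside the loop. I would add one under the new signature, for example `"""Return the track IDs from the request; IDs in current_ids are accepted even if the track is not visible to the requesting user."""`. The function body continues outside this hunk.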
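Review bot: The `track_id not in current_ids` exemption in the new `if not track.is_visible_to(user) ...` check lets a track whose visibility was later restricted stay in the journey on every re-save, so this write-time check alone does not stop the path being exposed through the journey. Whether the journey page filters its tracks with `is_visible_to` when rendering is not visible in this diff and is worth confirming. The annotation on the changed line should be `track: Track | None = request.dbsession.execute(query).scalar_one_or_none()`, since the next line tests for `None`, and the new comment has a typo (`a single tracks`). The diffstat lists only `journey.py`, so a regression test for a non-visible track on create and on edit would pin the behaviour. The loop sits inside `_extract_valid_tracks`, whose start is outside this hunk.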
