server: add privilege posts:view:unsafe

2025-07-17 08:26:24 +00:00 · 2025-02-15 23:55:21 +00:00
parent 376f687c38
commit 778db7d510
3 changed files with 28 additions and 1 deletions
--- a/server/config.yaml.dist
+++ b/server/config.yaml.dist
@ -100,6 +100,7 @@ privileges:
    'posts:reverse_search':         regular
    'posts:view':                   anonymous
    'posts:view:featured':          anonymous
+    'posts:view:unsafe':            regular
    'posts:edit:content':           power
    'posts:edit:flags':             regular
    'posts:edit:notes':             regular
--- a/server/szurubooru/api/post_api.py
+++ b/server/szurubooru/api/post_api.py
@ -114,6 +114,8 @@ def create_snapshots_for_post(
 def get_post(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
    auth.verify_privilege(ctx.user, "posts:view")
    post = _get_post(params)
+    if post.safety == model.Post.SAFETY_UNSAFE:
+        auth.verify_privilege(ctx.user, "posts:view:unsafe")
    return _serialize_post(ctx, post)


--- a/server/szurubooru/tests/api/test_post_retrieving.py
+++ b/server/szurubooru/tests/api/test_post_retrieving.py
@ -14,6 +14,7 @@ def inject_config(config_injector):
            "privileges": {
                "posts:list": model.User.RANK_REGULAR,
                "posts:view": model.User.RANK_REGULAR,
+                "posts:view:unsafe": model.User.RANK_REGULAR,
            },
        }
    )
@ -73,7 +74,10 @@ def test_trying_to_use_special_tokens_without_logging_in(
 ):
    config_injector(
        {
-            "privileges": {"posts:list": "anonymous"},
+            "privileges": {
+                "posts:list": "anonymous",
+                "posts:list:unsafe": "regular",
+            },
        }
    )
    with pytest.raises(errors.SearchError):
@ -125,3 +129,23 @@ def test_trying_to_retrieve_single_without_privileges(
            context_factory(user=user_factory(rank=model.User.RANK_ANONYMOUS)),
            {"post_id": 999},
        )
+
+
+def test_trying_to_retrieve_unsafe_without_privileges(
+    user_factory, context_factory, post_factory, config_injector
+):
+    config_injector(
+        {
+            "privileges": {
+                "posts:view": "anonymous",
+                "posts:view:unsafe": "regular",
+            },
+        }
+    )
+    db.session.add(post_factory(id=1, safety=model.Post.SAFETY_UNSAFE))
+    db.session.flush()
+    with pytest.raises(errors.AuthError):
+        api.post_api.get_post(
+            context_factory(user=user_factory(rank=model.User.RANK_ANONYMOUS)),
+            {"post_id": 1},
+        )