Fix all songs leaking songs from other tenants

pehala · Dec 1, 2023 · 61f9be1 · 61f9be1
1 parent d717e52
commit 61f9be1
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 6 deletions.
diff --git a/backend/urls.py b/backend/urls.py
@@ -6,13 +6,13 @@
     SongUpdateView,
     SongDeleteView,
     IndexSongListView,
-    SongListView,
+    AllSongListView,
 )
 
 urlpatterns = [
     path("", IndexSongListView.as_view(), name="index"),
     path("add", SongCreateView.as_view(), name="add"),
     path("edit/<int:pk>", SongUpdateView.as_view(), name="edit"),
     path("delete/<int:pk>", SongDeleteView.as_view(), name="delete"),
-    path("all", SongListView.as_view(), name="all"),
+    path("all", AllSongListView.as_view(), name="all"),
 ]
diff --git a/backend/views.py b/backend/views.py
@@ -24,7 +24,7 @@ def transform_song(song: Song, number: int) -> Dict:
     return transformed
 
 
-class SongListView(ListView):
+class BaseSongListView(ListView):
     """Lists songs in the one page application"""
 
     model = Song
@@ -34,7 +34,7 @@ class SongListView(ListView):
     FIELDS = ["id", "name", "capo", "author", "link", "prerendered"]
 
     def get_queryset(self):
-        queryset = super().get_queryset()
+        queryset = super().get_queryset().filter(categories__tenant=self.request.tenant)
         if not self.request.user.is_superuser:
             queryset = queryset.filter(archived=False)
         return queryset
@@ -61,6 +61,13 @@ def get_context_data(self, *, object_list=None, **kwargs):
         return context_data
 
 
+class AllSongListView(BaseSongListView):
+    """Returns all songs for this specific tenant"""
+
+    def get_queryset(self):
+        return super().get_queryset().filter(categories__tenant=self.request.tenant)
+
+
 class IndexSongListView(RedirectView):
     """Shows first available category"""
 

diff --git a/category/views.py b/category/views.py
@@ -16,14 +16,14 @@
 from analytics.views import AnalyticsMixin
 from backend.auth.mixins import LocalAdminRequired, SuperAdminRequired
 from backend.models import Song
-from backend.views import SongListView, RegenerateViewMixin
+from backend.views import BaseSongListView, RegenerateViewMixin
 from category.forms import CategoryForm, NameForm, ChooseTenantForm
 from category.models import Category
 from pdf.models.request import PDFRequest, RequestType, Status
 from pdf.utils import request_pdf_regeneration
 
 
-class CategorySongsListView(SongListView, AnalyticsMixin):
+class CategorySongsListView(BaseSongListView, AnalyticsMixin):
     """Shows all songs in a category"""
 
     def get_key(self):