From 98626774849395bb88655794bd8ace6275f363e3 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Mon, 21 Oct 2024 16:57:21 -0400
Subject: [PATCH 01/61] Move permission logic to PackagePermissionsMixin

Move permission logic to PackagePermissionsMixin because PackageDetailView
is a bad place for it
---
 .../thunderstore/repository/views/mixins.py   | 141 +++++++++++++++++-
 .../repository/views/package/detail.py        | 120 ---------------
 2 files changed, 138 insertions(+), 123 deletions(-)

diff --git a/django/thunderstore/repository/views/mixins.py b/django/thunderstore/repository/views/mixins.py
index 96741ac51..d2c90e3ce 100644
--- a/django/thunderstore/repository/views/mixins.py
+++ b/django/thunderstore/repository/views/mixins.py
@@ -1,14 +1,23 @@
 import dataclasses
 from typing import Dict, List, Optional, TypedDict
 
+from django.core.exceptions import PermissionDenied
 from django.http import Http404
+from django.middleware import csrf
+from django.shortcuts import redirect
+from django.utils.functional import cached_property
 from django.views.generic import DetailView
 
-from thunderstore.community.models import PackageListing
+from thunderstore.community.models import PackageCategory, PackageListing
 from thunderstore.core.types import UserType
+from thunderstore.core.utils import check_validity
 from thunderstore.plugins.registry import plugin_registry
 from thunderstore.repository.mixins import CommunityMixin
-from thunderstore.repository.views.package._utils import get_package_listing_or_404
+from thunderstore.repository.views.package._utils import (
+    can_view_listing_admin,
+    can_view_package_admin,
+    get_package_listing_or_404,
+)
 
 
 @dataclasses.dataclass
@@ -78,7 +87,133 @@ def get_tab_context(
         }
 
 
-class PackageListingDetailView(CommunityMixin, PackageTabsMixin, DetailView):
+class PackagePermissionsMixin:
+    @cached_property
+    def can_manage(self):
+        return any(
+            (
+                self.can_manage_deprecation,
+                self.can_manage_categories,
+                self.can_unlist,
+            )
+        )
+
+    @cached_property
+    def can_manage_deprecation(self):
+        return self.object.package.can_user_manage_deprecation(self.request.user)
+
+    @cached_property
+    def can_manage_categories(self) -> bool:
+        return check_validity(
+            lambda: self.object.ensure_update_categories_permission(self.request.user)
+        )
+
+    @cached_property
+    def can_deprecate(self):
+        return (
+            self.can_manage_deprecation and self.object.package.is_deprecated is False
+        )
+
+    @cached_property
+    def can_undeprecate(self):
+        return self.can_manage_deprecation and self.object.package.is_deprecated is True
+
+    @cached_property
+    def can_unlist(self):
+        return self.request.user.is_superuser
+
+    @cached_property
+    def can_moderate(self) -> bool:
+        return self.object.community.can_user_manage_packages(self.request.user)
+
+    def get_review_panel(self):
+        if not self.can_moderate:
+            return None
+        return {
+            "reviewStatus": self.object.review_status,
+            "rejectionReason": self.object.rejection_reason,
+            "internalNotes": self.object.notes,
+            "packageListingId": self.object.pk,
+        }
+
+    def format_category(cat: PackageCategory):
+        return {"name": cat.name, "slug": cat.slug}
+
+    def get_context_data(self, *args, **kwargs):
+        context = super().get_context_data(*args, **kwargs)
+        package_listing = context["object"]
+        context.update(
+            **self.get_tab_context(
+                self.request.user, package_listing, self.get_tab_name()
+            )
+        )
+
+        context["show_management_panel"] = self.can_manage
+        context["show_listing_admin_link"] = can_view_listing_admin(
+            self.request.user, package_listing
+        )
+        context["show_package_admin_link"] = can_view_package_admin(
+            self.request.user, package_listing.package
+        )
+        context["show_review_status"] = self.can_manage
+        context["show_internal_notes"] = self.can_moderate
+
+        context["management_panel_props"] = {
+            "isDeprecated": package_listing.package.is_deprecated,
+            "canDeprecate": self.can_deprecate,
+            "canUndeprecate": self.can_undeprecate,
+            "canUnlist": self.can_unlist,
+            "canUpdateCategories": self.can_manage_categories,
+            "csrfToken": csrf.get_token(self.request),
+            "currentCategories": [
+                self.format_category(x) for x in package_listing.categories.all()
+            ],
+            "availableCategories": [
+                self.format_category(x)
+                for x in package_listing.community.package_categories.all()
+            ],
+            "packageListingId": package_listing.pk,
+        }
+        context["review_panel_props"] = self.get_review_panel()
+
+        return context
+
+    def post_deprecate(self):
+        if not self.can_deprecate:
+            raise PermissionDenied()
+        self.object.package.deprecate()
+
+    def post_undeprecate(self):
+        if not self.can_undeprecate:
+            raise PermissionDenied()
+        self.object.package.undeprecate()
+
+    def post_unlist(self):
+        if not self.can_unlist:
+            raise PermissionDenied()
+        self.object.package.deactivate()
+
+    def post(self, request, **kwargs):
+        self.object = self.get_object()
+        if not self.can_manage:
+            raise PermissionDenied()
+        if "deprecate" in request.POST:
+            self.post_deprecate()
+        elif "undeprecate" in request.POST:
+            self.post_undeprecate()
+        elif "unlist" in request.POST:
+            self.post_unlist()
+        get_package_listing_or_404.clear_cache_with_args(
+            namespace=self.kwargs["owner"],
+            name=self.kwargs["name"],
+            community=self.community,
+        )
+        return redirect(self.object)
+
+
+class PackageListingDetailView(
+    PackagePermissionsMixin, CommunityMixin, PackageTabsMixin, DetailView
+):
     model = PackageListing
     object: Optional[PackageListing] = None
     tab_name: Optional[str] = None
diff --git a/django/thunderstore/repository/views/package/detail.py b/django/thunderstore/repository/views/package/detail.py
index aaa4f85fa..97080798b 100644
--- a/django/thunderstore/repository/views/package/detail.py
+++ b/django/thunderstore/repository/views/package/detail.py
@@ -1,72 +1,13 @@
-from django.core.exceptions import PermissionDenied
-from django.middleware import csrf
-from django.shortcuts import redirect
 from django.utils.decorators import method_decorator
-from django.utils.functional import cached_property
 from django.views.decorators.csrf import ensure_csrf_cookie
 
-from thunderstore.community.models import PackageCategory
-from thunderstore.core.utils import check_validity
 from thunderstore.repository.views.mixins import PackageListingDetailView
-from thunderstore.repository.views.package._utils import (
-    can_view_listing_admin,
-    can_view_package_admin,
-    get_package_listing_or_404,
-)
 
 
 @method_decorator(ensure_csrf_cookie, name="dispatch")
 class PackageDetailView(PackageListingDetailView):
     tab_name = "details"
 
-    @cached_property
-    def can_manage(self):
-        return any(
-            (
-                self.can_manage_deprecation,
-                self.can_manage_categories,
-                self.can_unlist,
-            )
-        )
-
-    @cached_property
-    def can_manage_deprecation(self):
-        return self.object.package.can_user_manage_deprecation(self.request.user)
-
-    @cached_property
-    def can_manage_categories(self) -> bool:
-        return check_validity(
-            lambda: self.object.ensure_update_categories_permission(self.request.user)
-        )
-
-    @cached_property
-    def can_deprecate(self):
-        return (
-            self.can_manage_deprecation and self.object.package.is_deprecated is False
-        )
-
-    @cached_property
-    def can_undeprecate(self):
-        return self.can_manage_deprecation and self.object.package.is_deprecated is True
-
-    @cached_property
-    def can_unlist(self):
-        return self.request.user.is_superuser
-
-    @cached_property
-    def can_moderate(self) -> bool:
-        return self.object.community.can_user_manage_packages(self.request.user)
-
-    def get_review_panel(self):
-        if not self.can_moderate:
-            return None
-        return {
-            "reviewStatus": self.object.review_status,
-            "rejectionReason": self.object.rejection_reason,
-            "internalNotes": self.object.notes,
-            "packageListingId": self.object.pk,
-        }
-
     def get_context_data(self, *args, **kwargs):
         context = super().get_context_data(*args, **kwargs)
 
@@ -83,66 +24,5 @@ def get_context_data(self, *args, **kwargs):
             )
 
         context["dependants_string"] = dependants_string
-        context["show_management_panel"] = self.can_manage
-        context["show_listing_admin_link"] = can_view_listing_admin(
-            self.request.user, package_listing
-        )
-        context["show_package_admin_link"] = can_view_package_admin(
-            self.request.user, package_listing.package
-        )
-        context["show_review_status"] = self.can_manage
-        context["show_internal_notes"] = self.can_moderate
 
-        def format_category(cat: PackageCategory):
-            return {"name": cat.name, "slug": cat.slug}
-
-        context["management_panel_props"] = {
-            "isDeprecated": package_listing.package.is_deprecated,
-            "canDeprecate": self.can_deprecate,
-            "canUndeprecate": self.can_undeprecate,
-            "canUnlist": self.can_unlist,
-            "canUpdateCategories": self.can_manage_categories,
-            "csrfToken": csrf.get_token(self.request),
-            "currentCategories": [
-                format_category(x) for x in package_listing.categories.all()
-            ],
-            "availableCategories": [
-                format_category(x)
-                for x in package_listing.community.package_categories.all()
-            ],
-            "packageListingId": package_listing.pk,
-        }
-        context["review_panel_props"] = self.get_review_panel()
         return context
-
-    def post_deprecate(self):
-        if not self.can_deprecate:
-            raise PermissionDenied()
-        self.object.package.deprecate()
-
-    def post_undeprecate(self):
-        if not self.can_undeprecate:
-            raise PermissionDenied()
-        self.object.package.undeprecate()
-
-    def post_unlist(self):
-        if not self.can_unlist:
-            raise PermissionDenied()
-        self.object.package.deactivate()
-
-    def post(self, request, **kwargs):
-        self.object = self.get_object()
-        if not self.can_manage:
-            raise PermissionDenied()
-        if "deprecate" in request.POST:
-            self.post_deprecate()
-        elif "undeprecate" in request.POST:
-            self.post_undeprecate()
-        elif "unlist" in request.POST:
-            self.post_unlist()
-        get_package_listing_or_404.clear_cache_with_args(
-            namespace=self.kwargs["owner"],
-            name=self.kwargs["name"],
-            community=self.community,
-        )
-        return redirect(self.object)

From 6e8a90b4ab2fb4a325e13cb85e4adbb0a71bdf04 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:01:24 -0400
Subject: [PATCH 02/61] Update permissions.visibility

Add more filtering functions, change default visibility to private
---
 django/thunderstore/permissions/mixins.py          | 14 +++++++++++++-
 .../thunderstore/permissions/models/visibility.py  | 12 ++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/django/thunderstore/permissions/mixins.py b/django/thunderstore/permissions/mixins.py
index 477f3bc58..c2e5b12c6 100644
--- a/django/thunderstore/permissions/mixins.py
+++ b/django/thunderstore/permissions/mixins.py
@@ -11,6 +11,18 @@ def public_list(self):
     def public_detail(self):
         return self.exclude(visibility__public_detail=False)
 
+    def owner_list(self):
+        return self.exclude(visibility__owner_list=False)
+
+    def owner_detail(self):
+        return self.exclude(visibility__owner_detail=False)
+
+    def moderator_list(self):
+        return self.exclude(visibility__moderator_list=False)
+
+    def moderator_detail(self):
+        return self.exclude(visibility__moderator_detail=False)
+
     def visible_list(self, is_owner: bool, is_moderator: bool, is_admin: bool):
         filter = Q(visibility__public_list=True)
         if is_owner:
@@ -44,7 +56,7 @@ class VisibilityMixin(models.Model):
     @transaction.atomic
     def save(self, *args, **kwargs):
         if not self.pk and not self.visibility:
-            self.visibility = VisibilityFlags.objects.create_public()
+            self.visibility = VisibilityFlags.objects.create_private()
         super().save()
 
     class Meta:
diff --git a/django/thunderstore/permissions/models/visibility.py b/django/thunderstore/permissions/models/visibility.py
index 83116055d..b01d19329 100644
--- a/django/thunderstore/permissions/models/visibility.py
+++ b/django/thunderstore/permissions/models/visibility.py
@@ -14,6 +14,18 @@ def create_public(self):
             admin_detail=True,
         )
 
+    def create_private(self):
+        return self.create(
+            public_list=False,
+            public_detail=False,
+            owner_list=True,
+            owner_detail=True,
+            moderator_list=True,
+            moderator_detail=True,
+            admin_list=True,
+            admin_detail=True,
+        )
+
 
 class VisibilityFlags(models.Model):
     objects = VisibilityFlagsQuerySet.as_manager()

From d87b821bb8d873894ac7ca0c60a98b391217dfa8 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:11:35 -0400
Subject: [PATCH 03/61] Add review_status to PackageVersion

Add review_status to PackageVersion
Add reject and approve version actions to Django admin
Add update_visibility method to PackageVersion
---
 .../repository/admin/package_version.py       | 30 +++++++++++++++
 django/thunderstore/repository/consts.py      | 11 +++++-
 .../0055_packageversion_review_status.py      | 28 ++++++++++++++
 .../repository/models/package_version.py      | 37 ++++++++++++++++++-
 4 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 django/thunderstore/repository/migrations/0055_packageversion_review_status.py

diff --git a/django/thunderstore/repository/admin/package_version.py b/django/thunderstore/repository/admin/package_version.py
index 603fcbea1..12b679687 100644
--- a/django/thunderstore/repository/admin/package_version.py
+++ b/django/thunderstore/repository/admin/package_version.py
@@ -1,10 +1,15 @@
 from django.contrib import admin
+from django.core.cache import cache
+from django.db import transaction
 from django.db.models import BooleanField, ExpressionWrapper, Q, QuerySet
 from django.http import HttpRequest
 from django.urls import reverse
 from django.utils.safestring import mark_safe
 
+from thunderstore.cache.enums import CacheBustCondition
+from thunderstore.cache.tasks import invalidate_cache
 from thunderstore.community.models import PackageListing
+from thunderstore.repository.consts import PackageVersionReviewStatus
 from thunderstore.repository.models import PackageVersion
 from thunderstore.repository.tasks.files import extract_package_version_file_tree
 
@@ -17,11 +22,35 @@ def extract_file_list(modeladmin, request, queryset: QuerySet):
 extract_file_list.short_description = "Queue file list extraction"
 
 
+@transaction.atomic
+def reject_version(modeladmin, request, queryset: QuerySet[PackageVersion]):
+    for version in queryset:
+        version.review_status = PackageVersionReviewStatus.rejected
+        version.save(update_fields=("review_status",))
+        version.package.recache_latest()
+
+
+reject_version.short_description = "Reject"
+
+
+@transaction.atomic
+def approve_version(modeladmin, request, queryset: QuerySet[PackageVersion]):
+    for version in queryset:
+        version.review_status = PackageVersionReviewStatus.approved
+        version.save(update_fields=("review_status",))
+        version.package.recache_latest()
+
+
+approve_version.short_description = "Approve"
+
+
 @admin.register(PackageVersion)
 class PackageVersionAdmin(admin.ModelAdmin):
     model = PackageVersion
     actions = [
         extract_file_list,
+        reject_version,
+        approve_version,
     ]
     list_select_related = (
         "package",
@@ -33,6 +62,7 @@ class PackageVersionAdmin(admin.ModelAdmin):
         "package",
         "version_number",
         "is_active",
+        "review_status",
         "file_size",
         "downloads",
         "date_created",
diff --git a/django/thunderstore/repository/consts.py b/django/thunderstore/repository/consts.py
index b0ae54ee4..32dc76a3b 100644
--- a/django/thunderstore/repository/consts.py
+++ b/django/thunderstore/repository/consts.py
@@ -1,9 +1,18 @@
 import re
 
+from thunderstore.core.utils import ChoiceEnum
+
 PACKAGE_NAME_REGEX = re.compile(r"^[a-zA-Z0-9\_]+$")
 PACKAGE_VERSION_REGEX = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+$")
 
-
 PACKAGE_REFERENCE_COMPONENT_REGEX = re.compile(
     r"^[a-zA-Z0-9]+([a-zA-Z0-9\_]+[a-zA-Z0-9])?$"
 )
+
+
+class PackageVersionReviewStatus(ChoiceEnum):
+    pending = "pending"
+    approved = "approved"
+    rejected = "rejected"
+    skipped = "skipped"
+    immune = "immune"
diff --git a/django/thunderstore/repository/migrations/0055_packageversion_review_status.py b/django/thunderstore/repository/migrations/0055_packageversion_review_status.py
new file mode 100644
index 000000000..413aab4a8
--- /dev/null
+++ b/django/thunderstore/repository/migrations/0055_packageversion_review_status.py
@@ -0,0 +1,28 @@
+# Generated by Django 3.1.7 on 2024-09-30 15:00
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("repository", "0054_alter_chunked_package_cache_index"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="packageversion",
+            name="review_status",
+            field=models.CharField(
+                choices=[
+                    ("pending", "pending"),
+                    ("approved", "approved"),
+                    ("rejected", "rejected"),
+                    ("skipped", "skipped"),
+                    ("immune", "immune"),
+                ],
+                default="skipped",
+                max_length=512,
+            ),
+        ),
+    ]
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 23a434172..2f1d84874 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -14,7 +14,10 @@
 
 from thunderstore.core.mixins import AdminLinkMixin
 from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
-from thunderstore.repository.consts import PACKAGE_NAME_REGEX
+from thunderstore.repository.consts import (
+    PACKAGE_NAME_REGEX,
+    PackageVersionReviewStatus,
+)
 from thunderstore.repository.models import Package
 from thunderstore.repository.package_formats import PackageFormats
 from thunderstore.utils.decorators import run_after_commit
@@ -39,6 +42,9 @@ class PackageVersionQuerySet(VisibilityQuerySet):
     def active(self) -> "QuerySet[PackageVersion]":  # TODO: Generic type
         return self.exclude(is_active=False)
 
+    def filter_by_review_status(self):
+        return self.exclude(review_status__in=["pending", "rejected"])
+
     def chunked_enumerate(self, chunk_size=1000) -> Iterator["PackageVersion"]:
         """
         Enumerate over all the results without fetching everything at once.
@@ -120,6 +126,13 @@ class PackageVersion(VisibilityMixin, AdminLinkMixin):
     readme = models.TextField()
     changelog = models.TextField(blank=True, null=True)
 
+    # TODO: Default should be pending once all versions require automated scanning before appearing to users
+    review_status = models.CharField(
+        default=PackageVersionReviewStatus.skipped,
+        choices=PackageVersionReviewStatus.as_choices(),
+        max_length=512,
+    )
+
     # <packagename>.zip
     file = models.FileField(
         upload_to=get_version_zip_filepath,
@@ -148,6 +161,11 @@ def validate(self):
 
     def save(self, *args, **kwargs):
         self.validate()
+
+        old_review_status = PackageVersion.objects.get(pk=self.pk).review_status
+        if old_review_status != self.review_status:
+            self.update_visibility()
+
         return super().save(*args, **kwargs)
 
     class Meta:
@@ -297,6 +315,23 @@ def log_download_event(version_id: int, client_ip: Optional[str]):
 
         log_version_download.delay(version_id, timezone.now().isoformat())
 
+    def update_visibility(self):
+        self.visibility.public_detail = True
+        self.visibility.public_list = True
+        self.visibility.owner_detail = True
+        self.visibility.owner_list = True
+        self.visibility.moderator_detail = True
+        self.visibility.moderator_list = True
+
+        if (
+            self.review_status == PackageVersionReviewStatus.rejected
+            or self.review_status == PackageVersionReviewStatus.pending
+        ):
+            self.visibility.public_detail = False
+            self.visibility.public_list = False
+
+        self.visibility.save()
+
 
 signals.post_save.connect(PackageVersion.post_save, sender=PackageVersion)
 signals.post_delete.connect(PackageVersion.post_delete, sender=PackageVersion)

From 2231be9ad40fe92e5b25b87d5814d0121df45a74 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:27:07 -0400
Subject: [PATCH 04/61] Update Package version information

Update available_versions to exclude private versions
Update recache latest to only save if latest isn't None
---
 django/thunderstore/repository/models/package.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index 5abe5bf58..393b4eea8 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -162,8 +162,10 @@ def display_name(self):
     @cached_property
     def available_versions(self):
         # TODO: Caching
-        versions = self.versions.filter(is_active=True).values_list(
-            "pk", "version_number"
+        versions = (
+            self.versions.filter(is_active=True)
+            .public_list()
+            .values_list("pk", "version_number")
         )
         ordered = sorted(versions, key=lambda version: StrictVersion(version[1]))
         pk_list = [version[0] for version in reversed(ordered)]
@@ -272,7 +274,7 @@ def recache_latest(self):
         if hasattr(self, "available_versions"):
             del self.available_versions  # Bust the version cache
         self.latest = self.available_versions.first()
-        if old_latest != self.latest:
+        if old_latest != self.latest and self.latest is not None:
             self.save()
 
     def handle_created_version(self, version):

From 2d1f67307d2b91709d336a6d3e5985a17460de93 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:42:47 -0400
Subject: [PATCH 05/61] Add visibility to PackageListing

Add VisibilityMixin to PackageListing
Add VisibilityQuerySet to PackageListingQueryset
Add visibility logic to ensure_can_be_viewed_by_user
Add update_visibility method to PackageListing
Use listing.update_visibility in recache_latest
---
 .../0030_packagelisting_visibility.py         | 25 +++++++++
 .../community/models/package_listing.py       | 53 ++++++++++++++++++-
 .../thunderstore/repository/models/package.py |  2 +
 3 files changed, 78 insertions(+), 2 deletions(-)
 create mode 100644 django/thunderstore/community/migrations/0030_packagelisting_visibility.py

diff --git a/django/thunderstore/community/migrations/0030_packagelisting_visibility.py b/django/thunderstore/community/migrations/0030_packagelisting_visibility.py
new file mode 100644
index 000000000..d1ed2e079
--- /dev/null
+++ b/django/thunderstore/community/migrations/0030_packagelisting_visibility.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.1.7 on 2024-10-03 19:34
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("permissions", "0001_initial"),
+        ("community", "0029_packagelisting_is_auto_imported"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="packagelisting",
+            name="visibility",
+            field=models.OneToOneField(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.PROTECT,
+                to="permissions.visibilityflags",
+            ),
+        ),
+    ]
diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index e0b7a3263..9988b90cb 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -15,6 +15,7 @@
 from thunderstore.core.types import UserType
 from thunderstore.core.utils import check_validity
 from thunderstore.frontend.url_reverse import get_community_url_reverse_args
+from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
 from thunderstore.permissions.utils import validate_user
 from thunderstore.webhooks.audit import (
     AuditAction,
@@ -27,7 +28,7 @@
     from thunderstore.community.models import PackageCategory
 
 
-class PackageListingQueryset(models.QuerySet):
+class PackageListingQueryset(VisibilityQuerySet):
     def active(self):
         return self.exclude(package__is_active=False).exclude(
             ~Q(package__versions__is_active=True)
@@ -46,7 +47,7 @@ def filter_by_community_approval_rule(self):
 # TODO: Add a db constraint that ensures a package listing and it's categories
 #       belong to the same community. This might require actually specifying
 #       the intermediate model in code rather than letting Django handle it
-class PackageListing(TimestampMixin, AdminLinkMixin, models.Model):
+class PackageListing(TimestampMixin, VisibilityMixin, AdminLinkMixin, models.Model):
     """
     Represents a package's relation to how it's displayed on the site and APIs
     """
@@ -101,6 +102,11 @@ def validate(self):
 
     def save(self, *args, **kwargs):
         self.validate()
+
+        old_review_status = PackageListing.objects.get(pk=self.pk).review_status
+        if old_review_status != self.review_status:
+            self.update_visibility()
+
         return super().save(*args, **kwargs)
 
     def __str__(self):
@@ -342,6 +348,21 @@ def get_has_perms() -> bool:
                 )
             )
 
+        if not self.visibility:
+            raise ValidationError("Insufficient permissions to view")
+
+        if not self.visibility.public_detail:
+            if not (
+                self.visibility.owner_detail
+                and self.package.owner.can_user_access(user)
+            ):
+                if not (
+                    self.visibility.moderator_detail
+                    and self.community.can_user_manage_packages(user)
+                ):
+                    if not (self.visibility.admin_detail and user.is_superuser):
+                        raise ValidationError("Insufficient permissions to view")
+
         if self.community.require_package_listing_approval:
             if (
                 self.review_status != PackageListingReviewStatus.approved
@@ -358,6 +379,34 @@ def get_has_perms() -> bool:
     def can_be_viewed_by_user(self, user: Optional[UserType]) -> bool:
         return check_validity(lambda: self.ensure_can_be_viewed_by_user(user))
 
+    def update_visibility(self):
+        self.visibility.public_detail = True
+        self.visibility.public_list = True
+        self.visibility.owner_detail = True
+        self.visibility.owner_list = True
+        self.visibility.moderator_detail = True
+        self.visibility.moderator_list = True
+
+        if self.review_status == PackageListingReviewStatus.rejected:
+            self.visibility.public_detail = False
+            self.visibility.public_list = False
+
+        versions = self.package.versions.filter(is_active=True).all()
+        if versions.exclude(visibility__public_detail=False).count() == 0:
+            self.visibility.public_detail = False
+        if versions.exclude(visibility__public_list=False).count() == 0:
+            self.visibility.public_list = False
+        if versions.exclude(visibility__owner_detail=False).count() == 0:
+            self.visibility.owner_detail = False
+        if versions.exclude(visibility__owner_list=False).count() == 0:
+            self.visibility.owner_list = False
+        if versions.exclude(visibility__moderator_detail=False).count() == 0:
+            self.visibility.moderator_detail = False
+        if versions.exclude(visibility__moderator_list=False).count() == 0:
+            self.visibility.moderator_list = False
+
+        self.visibility.save()
+
 
 signals.post_save.connect(PackageListing.post_save, sender=PackageListing)
 signals.post_delete.connect(PackageListing.post_delete, sender=PackageListing)
diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index 393b4eea8..d753747c5 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -276,6 +276,8 @@ def recache_latest(self):
         self.latest = self.available_versions.first()
         if old_latest != self.latest and self.latest is not None:
             self.save()
+        for listing in self.community_listings.all():
+            listing.update_visibility()
 
     def handle_created_version(self, version):
         self.date_updated = timezone.now()

From fd7dd2a511927814d2147e8e41bbe9c554ae7c63 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:50:55 -0400
Subject: [PATCH 06/61] Add migrations to populate visibility

Add migrations to populate visibility field for PackageVersion and
PackageListing
---
 ...efault_visibility_for_existing_listings.py | 63 +++++++++++++++++++
 ...efault_visibility_for_existing_versions.py | 52 +++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
 create mode 100644 django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py

diff --git a/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py b/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
new file mode 100644
index 000000000..5e57bd652
--- /dev/null
+++ b/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
@@ -0,0 +1,63 @@
+from django.db import migrations
+
+from thunderstore.community.consts import PackageListingReviewStatus
+
+
+def create_default_visibility_for_existing_records(apps, schema_editor):
+    PackageListing = apps.get_model("community", "PackageListing")
+    VisibilityFlags = apps.get_model("permissions", "VisibilityFlags")
+
+    for instance in PackageListing.objects.filter(visibility__isnull=True):
+        visibility_flags = VisibilityFlags.objects.create(
+            public_list=False,
+            public_detail=False,
+            owner_list=True,
+            owner_detail=True,
+            moderator_list=True,
+            moderator_detail=True,
+            admin_list=True,
+            admin_detail=True,
+        )
+        instance.visibility = visibility_flags
+        instance.save()
+        update_visibility(instance)
+
+
+def update_visibility(listing):
+    listing.visibility.public_detail = True
+    listing.visibility.public_list = True
+    listing.visibility.owner_detail = True
+    listing.visibility.owner_list = True
+    listing.visibility.moderator_detail = True
+    listing.visibility.moderator_list = True
+
+    if listing.review_status == PackageListingReviewStatus.rejected:
+        listing.visibility.public_detail = False
+        listing.visibility.public_list = False
+
+    versions = listing.package.versions.filter(is_active=True).all()
+    if versions.exclude(visibility__public_detail=False).count() == 0:
+        listing.visibility.public_detail = False
+    if versions.exclude(visibility__public_list=False).count() == 0:
+        listing.visibility.public_list = False
+    if versions.exclude(visibility__owner_detail=False).count() == 0:
+        listing.visibility.owner_detail = False
+    if versions.exclude(visibility__owner_list=False).count() == 0:
+        listing.visibility.owner_list = False
+    if versions.exclude(visibility__moderator_detail=False).count() == 0:
+        listing.visibility.moderator_detail = False
+    if versions.exclude(visibility__moderator_list=False).count() == 0:
+        listing.visibility.moderator_list = False
+
+    listing.visibility.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("community", "0030_packagelisting_visibility"),
+    ]
+
+    operations = [
+        migrations.RunPython(create_default_visibility_for_existing_records),
+    ]
diff --git a/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py b/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py
new file mode 100644
index 000000000..5dee13dfe
--- /dev/null
+++ b/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py
@@ -0,0 +1,52 @@
+from django.db import migrations
+
+from thunderstore.repository.consts import PackageVersionReviewStatus
+
+
+def create_default_visibility_for_existing_records(apps, schema_editor):
+    PackageVersion = apps.get_model("repository", "PackageVersion")
+    VisibilityFlags = apps.get_model("permissions", "VisibilityFlags")
+
+    for instance in PackageVersion.objects.filter(visibility__isnull=True):
+        visibility_flags = VisibilityFlags.objects.create(
+            public_list=False,
+            public_detail=False,
+            owner_list=True,
+            owner_detail=True,
+            moderator_list=True,
+            moderator_detail=True,
+            admin_list=True,
+            admin_detail=True,
+        )
+        instance.visibility = visibility_flags
+        instance.save()
+        update_visibility(instance)
+
+
+def update_visibility(version):
+    version.visibility.public_detail = True
+    version.visibility.public_list = True
+    version.visibility.owner_detail = True
+    version.visibility.owner_list = True
+    version.visibility.moderator_detail = True
+    version.visibility.moderator_list = True
+
+    if (
+        version.review_status == PackageVersionReviewStatus.rejected
+        or version.review_status == PackageVersionReviewStatus.pending
+    ):
+        version.visibility.public_detail = False
+        version.visibility.public_list = False
+
+    version.visibility.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("repository", "0055_packageversion_review_status"),
+    ]
+
+    operations = [
+        migrations.RunPython(create_default_visibility_for_existing_records),
+    ]

From eb0ed55d4eae2f6f335289561999820f175f9b6a Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:53:05 -0400
Subject: [PATCH 07/61] Add visibility filter to PackageListSearchView

Add visibility filter to PackageListSearchView so searches do not return
packages that are not publicly listed
---
 django/thunderstore/repository/views/package/list.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/django/thunderstore/repository/views/package/list.py b/django/thunderstore/repository/views/package/list.py
index 46e5c75eb..f12adafb3 100644
--- a/django/thunderstore/repository/views/package/list.py
+++ b/django/thunderstore/repository/views/package/list.py
@@ -271,6 +271,7 @@ def get_queryset(self):
             queryset = queryset.exclude(package__is_deprecated=True)
 
         queryset = self.filter_approval_status(queryset)
+        queryset = queryset.public_list()
 
         search_query = self.get_search_query()
         if search_query:

From b8f56a39a97d88cc9714e21f9e4d48b20c2a6bc5 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 18:45:54 -0400
Subject: [PATCH 08/61] Fix PackageListing/Version save()

Fix PackageListing/Version save() which would fail for new instances
---
 django/thunderstore/community/models/package_listing.py  | 7 ++++---
 django/thunderstore/repository/models/package_version.py | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 9988b90cb..0da9da831 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -103,9 +103,10 @@ def validate(self):
     def save(self, *args, **kwargs):
         self.validate()
 
-        old_review_status = PackageListing.objects.get(pk=self.pk).review_status
-        if old_review_status != self.review_status:
-            self.update_visibility()
+        old_self = PackageListing.objects.filter(pk=self.pk).first()
+        if old_self is not None:
+            if old_self.review_status != self.review_status:
+                self.update_visibility()
 
         return super().save(*args, **kwargs)
 
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 2f1d84874..3490eb497 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -162,9 +162,10 @@ def validate(self):
     def save(self, *args, **kwargs):
         self.validate()
 
-        old_review_status = PackageVersion.objects.get(pk=self.pk).review_status
-        if old_review_status != self.review_status:
-            self.update_visibility()
+        old_self = PackageVersion.objects.filter(pk=self.pk).first()
+        if old_self is not None:
+            if old_self.review_status != self.review_status:
+                self.update_visibility()
 
         return super().save(*args, **kwargs)
 

From 032a69642bb6c9a3f36063d00b68ea9a60da60a4 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 18:47:55 -0400
Subject: [PATCH 09/61] Update listing templates

Add unavailable_versions property to Package
Update PackageListing Detail and Versions pages to show
unavailability information
---
 .../community/packagelisting_detail.html      | 10 ++++++--
 .../community/packagelisting_versions.html    | 18 ++++++++++++-
 .../thunderstore/repository/models/package.py | 25 +++++++++++++++++++
 3 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/django/thunderstore/community/templates/community/packagelisting_detail.html b/django/thunderstore/community/templates/community/packagelisting_detail.html
index ef854a324..0072a31c4 100644
--- a/django/thunderstore/community/templates/community/packagelisting_detail.html
+++ b/django/thunderstore/community/templates/community/packagelisting_detail.html
@@ -49,7 +49,7 @@
 </script>
 {% endif %}
 
-{% cache_until "any_package_updated" "mod-detail-header" 300 object.package.pk community_identifier %}
+{% cache_until "any_package_updated" "mod-detail-header" 300 object.package.pk community_identifier object.package.latest.pk %}
 
 <nav class="mt-3" aria-label="breadcrumb">
   <ol class="breadcrumb">
@@ -68,6 +68,12 @@
 
 {% endcache %}
 
+{% if show_review_status and object.package.unavailable_versions %}
+    <div class="alert alert-danger" role="alert">
+        One or more versions of this package are awaiting approval.
+    </div>
+{% endif %}
+
 {% if show_review_status and object.is_rejected %}
 <div class="card text-white bg-danger mt-2">
     <div class="card-body">
@@ -114,7 +120,7 @@ <h4 class="card-title">
 
 <div class="card bg-light mt-2">
     {% include "community/includes/package_tabs.html" with tabs=tabs %}
-    {% cache_until "any_package_updated" "mod-detail-content" 300 object.package.pk community_identifier %}
+    {% cache_until "any_package_updated" "mod-detail-content" 300 object.package.pk community_identifier object.package.latest.pk %}
     {% include "community/includes/package_header.html" with object=object %}
     <div class="card-body pb-1">
         <table class="table mb-0">
diff --git a/django/thunderstore/community/templates/community/packagelisting_versions.html b/django/thunderstore/community/templates/community/packagelisting_versions.html
index 835e4dfe8..16ee7fb72 100644
--- a/django/thunderstore/community/templates/community/packagelisting_versions.html
+++ b/django/thunderstore/community/templates/community/packagelisting_versions.html
@@ -19,7 +19,7 @@
 {% endblock %}
 
 {% block content %}
-{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier %}
+{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier object.package.available_versions %}
 
 <nav class="mt-3" aria-label="breadcrumb">
     <ol class="breadcrumb">
@@ -51,4 +51,20 @@ <h2 class="mb-0">Available versions</h2>
 </div>
 
 {% endcache %}
+
+{% if show_management_panel and object.package.unavailable_versions %}
+<div class="card bg-light mt-2 mb-2">
+    <div class="card-header">
+        <h2 class="mb-0">Unavailable versions</h2>
+    </div>
+    <div class="card-body pb-1">
+        <p>
+            The versions below are awaiting approval. If this takes more than 24 hours, please reach out to the moderators in
+            <a href="https://discord.thunderstore.io/">our Discord server</a>.
+        </p>
+        {% include "community/includes/version_table.html" with versions=object.package.unavailable_versions %}
+    </div>
+</div>
+{% endif %}
+
 {% endblock %}
diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index d753747c5..fd541dcca 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -162,6 +162,8 @@ def display_name(self):
     @cached_property
     def available_versions(self):
         # TODO: Caching
+        if hasattr(self, "unavailable_versions"):
+            del self.unavailable_versions
         versions = (
             self.versions.filter(is_active=True)
             .public_list()
@@ -184,6 +186,29 @@ def available_versions(self):
             )
         )
 
+    @cached_property
+    def unavailable_versions(self):
+        # TODO: Caching
+        versions = self.versions.filter(
+            is_active=True, review_status__in=["pending", "rejected"]
+        ).values_list("pk", "version_number")
+        ordered = sorted(versions, key=lambda version: StrictVersion(version[1]))
+        pk_list = [version[0] for version in reversed(ordered)]
+        preserved = Case(*[When(pk=pk, then=pos) for pos, pk in enumerate(pk_list)])
+        return (
+            self.versions.filter(pk__in=pk_list)
+            .order_by(preserved)
+            .prefetch_related(
+                "dependencies",
+                "dependencies__package",
+                "dependencies__package__owner",
+            )
+            .select_related(
+                "package",
+                "package__owner",
+            )
+        )
+
     @cached_property
     def downloads(self):
         # TODO: Caching

From ef6ff6b67191d88dff2a29505d01d1e17cd4532d Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Fri, 25 Oct 2024 11:03:58 -0400
Subject: [PATCH 10/61] Fix visibility / recaching

Fix latest recaching by finding any active version if the first available version
is None
Ensure package versions are saved before trying to create the listing
Fix visibility by updating only when the related model is saved
Move recache_latest from approve/reject to after update_visibility
---
 .../community/models/package_listing.py         | 12 +++++++++---
 .../repository/admin/package_version.py         |  2 --
 .../thunderstore/repository/models/package.py   |  8 ++++----
 .../repository/models/package_version.py        | 17 +++++++++++++----
 .../thunderstore/repository/package_upload.py   |  5 +++--
 5 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 0da9da831..30e5db697 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -16,6 +16,7 @@
 from thunderstore.core.utils import check_validity
 from thunderstore.frontend.url_reverse import get_community_url_reverse_args
 from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
+from thunderstore.permissions.models import VisibilityFlags
 from thunderstore.permissions.utils import validate_user
 from thunderstore.webhooks.audit import (
     AuditAction,
@@ -104,9 +105,10 @@ def save(self, *args, **kwargs):
         self.validate()
 
         old_self = PackageListing.objects.filter(pk=self.pk).first()
-        if old_self is not None:
-            if old_self.review_status != self.review_status:
-                self.update_visibility()
+        if old_self is None:
+            self.update_visibility()
+        elif old_self.review_status != self.review_status:
+            self.update_visibility()
 
         return super().save(*args, **kwargs)
 
@@ -380,7 +382,11 @@ def get_has_perms() -> bool:
     def can_be_viewed_by_user(self, user: Optional[UserType]) -> bool:
         return check_validity(lambda: self.ensure_can_be_viewed_by_user(user))
 
+    @transaction.atomic
     def update_visibility(self):
+        if not self.visibility:
+            self.visibility = VisibilityFlags.objects.create_private()
+
         self.visibility.public_detail = True
         self.visibility.public_list = True
         self.visibility.owner_detail = True
diff --git a/django/thunderstore/repository/admin/package_version.py b/django/thunderstore/repository/admin/package_version.py
index 12b679687..dfb9bfb06 100644
--- a/django/thunderstore/repository/admin/package_version.py
+++ b/django/thunderstore/repository/admin/package_version.py
@@ -27,7 +27,6 @@ def reject_version(modeladmin, request, queryset: QuerySet[PackageVersion]):
     for version in queryset:
         version.review_status = PackageVersionReviewStatus.rejected
         version.save(update_fields=("review_status",))
-        version.package.recache_latest()
 
 
 reject_version.short_description = "Reject"
@@ -38,7 +37,6 @@ def approve_version(modeladmin, request, queryset: QuerySet[PackageVersion]):
     for version in queryset:
         version.review_status = PackageVersionReviewStatus.approved
         version.save(update_fields=("review_status",))
-        version.package.recache_latest()
 
 
 approve_version.short_description = "Approve"
diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index fd541dcca..2e939af69 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -190,7 +190,7 @@ def available_versions(self):
     def unavailable_versions(self):
         # TODO: Caching
         versions = self.versions.filter(
-            is_active=True, review_status__in=["pending", "rejected"]
+            is_active=True, visibility__public_list=False, visibility__owner_list=True
         ).values_list("pk", "version_number")
         ordered = sorted(versions, key=lambda version: StrictVersion(version[1]))
         pk_list = [version[0] for version in reversed(ordered)]
@@ -299,10 +299,10 @@ def recache_latest(self):
         if hasattr(self, "available_versions"):
             del self.available_versions  # Bust the version cache
         self.latest = self.available_versions.first()
-        if old_latest != self.latest and self.latest is not None:
+        if self.latest is None:
+            self.latest = self.versions.filter(is_active=True).first()
+        if old_latest != self.latest:
             self.save()
-        for listing in self.community_listings.all():
-            listing.update_visibility()
 
     def handle_created_version(self, version):
         self.date_updated = timezone.now()
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 3490eb497..44afbecaa 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -6,7 +6,7 @@
 from django.core.cache import cache
 from django.core.exceptions import ValidationError
 from django.core.files.storage import get_storage_class
-from django.db import models
+from django.db import models, transaction
 from django.db.models import Manager, Q, QuerySet, Sum, signals
 from django.urls import reverse
 from django.utils import timezone
@@ -14,6 +14,7 @@
 
 from thunderstore.core.mixins import AdminLinkMixin
 from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
+from thunderstore.permissions.models import VisibilityFlags
 from thunderstore.repository.consts import (
     PACKAGE_NAME_REGEX,
     PackageVersionReviewStatus,
@@ -163,9 +164,10 @@ def save(self, *args, **kwargs):
         self.validate()
 
         old_self = PackageVersion.objects.filter(pk=self.pk).first()
-        if old_self is not None:
-            if old_self.review_status != self.review_status:
-                self.update_visibility()
+        if old_self is None:
+            self.update_visibility()
+        elif old_self.review_status != self.review_status:
+            self.update_visibility()
 
         return super().save(*args, **kwargs)
 
@@ -316,7 +318,11 @@ def log_download_event(version_id: int, client_ip: Optional[str]):
 
         log_version_download.delay(version_id, timezone.now().isoformat())
 
+    @transaction.atomic
     def update_visibility(self):
+        if not self.visibility:
+            self.visibility = VisibilityFlags.objects.create_private()
+
         self.visibility.public_detail = True
         self.visibility.public_list = True
         self.visibility.owner_detail = True
@@ -332,6 +338,9 @@ def update_visibility(self):
             self.visibility.public_list = False
 
         self.visibility.save()
+        for listing in self.package.community_listings.all():
+            listing.update_visibility()
+        self.package.recache_latest()
 
 
 signals.post_save.connect(PackageVersion.post_save, sender=PackageVersion)
diff --git a/django/thunderstore/repository/package_upload.py b/django/thunderstore/repository/package_upload.py
index b2249719d..356996f03 100644
--- a/django/thunderstore/repository/package_upload.py
+++ b/django/thunderstore/repository/package_upload.py
@@ -196,6 +196,9 @@ def save(self, *args, **kwargs) -> PackageVersion:
             zip_data=self.cleaned_data["file"],
         )
 
+        self.instance.icon.save("icon.png", self.icon)
+        instance = super().save()
+
         community_categories = self.cleaned_data.get("community_categories", {})
         for community in self.cleaned_data.get("communities", []):
             categories = community_categories.get(community.identifier, [])
@@ -211,8 +214,6 @@ def save(self, *args, **kwargs) -> PackageVersion:
                 community=community,
             )
 
-        self.instance.icon.save("icon.png", self.icon)
-        instance = super().save()
         for reference in self.manifest["dependencies"]:
             instance.dependencies.add(reference.instance)
 

From e809e8e679865c90af28d70b60413e20db20c9e5 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Fri, 25 Oct 2024 11:04:50 -0400
Subject: [PATCH 11/61] Add authentication to package version page

Add authentication to package version page so users can't view rejected
versions without proper permissions
---
 .../repository/models/package_version.py      | 28 +++++++++++++++++++
 .../repository/views/package/version.py       |  9 ++++--
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 44afbecaa..45325a977 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -12,7 +12,10 @@
 from django.utils import timezone
 from django.utils.functional import cached_property
 
+from thunderstore.community.models import Community
 from thunderstore.core.mixins import AdminLinkMixin
+from thunderstore.core.types import UserType
+from thunderstore.core.utils import check_validity
 from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
 from thunderstore.permissions.models import VisibilityFlags
 from thunderstore.repository.consts import (
@@ -318,6 +321,31 @@ def log_download_event(version_id: int, client_ip: Optional[str]):
 
         log_version_download.delay(version_id, timezone.now().isoformat())
 
+    def ensure_can_be_viewed_by_user(
+        self, user: Optional[UserType], community: Community
+    ) -> None:
+        if not self.visibility:
+            raise ValidationError("Insufficient permissions to view")
+
+        if not self.visibility.public_detail:
+            if not (
+                self.visibility.owner_detail
+                and self.package.owner.can_user_access(user)
+            ):
+                if not (
+                    self.visibility.moderator_detail
+                    and community.can_user_manage_packages(user)
+                ):
+                    if not (self.visibility.admin_detail and user.is_superuser):
+                        raise ValidationError("Insufficient permissions to view")
+
+    def can_be_viewed_by_user(
+        self, user: Optional[UserType], community: Community
+    ) -> bool:
+        return check_validity(
+            lambda: self.ensure_can_be_viewed_by_user(user, community)
+        )
+
     @transaction.atomic
     def update_visibility(self):
         if not self.visibility:
diff --git a/django/thunderstore/repository/views/package/version.py b/django/thunderstore/repository/views/package/version.py
index 6a4c1baa5..98e8ad285 100644
--- a/django/thunderstore/repository/views/package/version.py
+++ b/django/thunderstore/repository/views/package/version.py
@@ -18,7 +18,7 @@ class PackageVersionDetailView(CommunityMixin, DetailView):
     def get_object(self, *args, **kwargs):
         owner = self.kwargs["owner"]
         name = self.kwargs["name"]
-        version = self.kwargs["version"]
+        version_number = self.kwargs["version"]
         listing = get_object_or_404(
             PackageListing,
             package__owner__name=owner,
@@ -29,11 +29,14 @@ def get_object(self, *args, **kwargs):
             raise Http404("Package is waiting for approval or has been rejected")
         if not listing.package.is_active:
             raise Http404("Main package is deactivated")
-        return get_object_or_404(
+        version = get_object_or_404(
             PackageVersion,
             package=listing.package,
-            version_number=version,
+            version_number=version_number,
         )
+        if not version.can_be_viewed_by_user(self.request.user, listing.community):
+            raise Http404("Package is waiting for approval or has been rejected")
+        return version
 
     def get_context_data(self, *args, **kwargs):
         context = super().get_context_data(*args, **kwargs)

From 2b14873e9ad2d8e46d8fe6d58f4906ed88786ccb Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Fri, 25 Oct 2024 15:41:00 -0400
Subject: [PATCH 12/61] Add version review buttons to versions table

Add version review buttons to versions table
Add version reject/approve audit events
Add APIs for rejecting/approving versions
---
 .../community/includes/version_table.html     | 77 +++++++++++++++++-
 .../community/packagelisting_versions.html    |  2 +-
 .../repository/api/experimental/urls.py       | 14 ++++
 .../api/experimental/views/package_version.py | 44 +++++++++-
 .../repository/models/package_version.py      | 81 +++++++++++++++++++
 .../thunderstore/repository/views/mixins.py   |  1 +
 django/thunderstore/webhooks/audit.py         |  2 +
 7 files changed, 215 insertions(+), 6 deletions(-)

diff --git a/django/thunderstore/community/templates/community/includes/version_table.html b/django/thunderstore/community/templates/community/includes/version_table.html
index 0d2ca1c38..d4a6f019f 100644
--- a/django/thunderstore/community/templates/community/includes/version_table.html
+++ b/django/thunderstore/community/templates/community/includes/version_table.html
@@ -4,16 +4,87 @@
         <th>Version number</th>
         <th>Downloads</th>
         <th>Actions</th>
+        {% if can_moderate %}
+            <th>Moderation</th>
+        {% endif %}
     </tr>
     {% for version in versions %}
         <tr>
             <td>{{ version.date_created|date:"Y-n-j" }}</td>
             <td>{{ version.version_number }}</td>
             <td>{{ version.downloads }}</td>
-            <td class="d-flex gap-1">
-                <a href="{{ version.full_download_url }}" type="button" class="btn btn-primary">Download</a>
-                <a href="{{ version.install_url }}" type="button" class="btn btn-primary">Install</a>
+            <td>
+                <div class="d-flex gap-1">
+                    <a href="{{ version.full_download_url }}" type="button" class="btn btn-primary">Download</a>
+                    <a href="{{ version.install_url }}" type="button" class="btn btn-primary">Install</a>
+                </div>
             </td>
+            {% if can_moderate %}
+                <td>
+                    <div class="d-flex gap-1">
+                        <button class="btn btn-danger" onclick="reviewVersion({{ version.pk }}, false)">REJECT</button>
+                        <button class="btn btn-success" onclick="reviewVersion({{ version.pk }}, true)">APPROVE</button>
+                    </div>
+                </td>
+            {% endif %}
         </tr>
     {% endfor %}
 </table>
+
+{% if can_moderate %}
+    <script>
+        function reviewVersion(version, approve) {
+            let apiURL = '/api/experimental/package-version/' + version;
+            if(approve)
+            {
+                apiURL += '/approve/';
+            }
+            else
+            {
+                apiURL += '/reject/';
+            }
+
+            fetch(apiURL, {
+                method: 'POST',
+                headers: {
+                    'authorization': `Session ${getCookie("sessionid")}`,
+                    'X-CSRFToken': getCookie("csrftoken"),
+                },
+            })
+                .then(response => {
+                    if (!response.ok) {
+                        throw new Error('Network response was not ok');
+                    }
+                    return response;
+                })
+                .then(data => {
+                    console.log('Success:', data);
+                    alert('Successfully reviewed package version');
+                    location.reload();
+                })
+                .catch(error => {
+                    console.error('Error:', error);
+                    alert('Failed to review package version');
+                    location.reload();
+                });
+        }
+
+        function getCookie(name) {
+            let cookieValue = null;
+            if (document.cookie && document.cookie !== "") {
+                let cookies = document.cookie.split(";");
+                for (let i = 0; i < cookies.length; i++) {
+                    let cookie = cookies[i].trim();
+
+                    if (cookie.substring(0, name.length + 1) === name + "=") {
+                        cookieValue = decodeURIComponent(
+                            cookie.substring(name.length + 1)
+                        );
+                        break;
+                    }
+                }
+            }
+            return cookieValue;
+        }
+    </script>
+{% endif %}
diff --git a/django/thunderstore/community/templates/community/packagelisting_versions.html b/django/thunderstore/community/templates/community/packagelisting_versions.html
index 16ee7fb72..d308d65c5 100644
--- a/django/thunderstore/community/templates/community/packagelisting_versions.html
+++ b/django/thunderstore/community/templates/community/packagelisting_versions.html
@@ -19,7 +19,7 @@
 {% endblock %}
 
 {% block content %}
-{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier object.package.available_versions %}
+{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier can_moderate object.package.available_versions %}
 
 <nav class="mt-3" aria-label="breadcrumb">
     <ol class="breadcrumb">
diff --git a/django/thunderstore/repository/api/experimental/urls.py b/django/thunderstore/repository/api/experimental/urls.py
index 62016a72f..a8d417b9b 100644
--- a/django/thunderstore/repository/api/experimental/urls.py
+++ b/django/thunderstore/repository/api/experimental/urls.py
@@ -11,6 +11,10 @@
 from thunderstore.repository.api.experimental.views.package_index import (
     PackageIndexApiView,
 )
+from thunderstore.repository.api.experimental.views.package_version import (
+    PackageVersionApproveApiView,
+    PackageVersionRejectApiView,
+)
 from thunderstore.repository.api.experimental.views.submit import SubmitPackageApiView
 from thunderstore.repository.api.experimental.views.submit_async import (
     CreateAsyncPackageSubmissionApiView,
@@ -90,4 +94,14 @@
         IconValidatorApiView.as_view(),
         name="submission.validate.icon",
     ),
+    path(
+        "package-version/<int:pk>/approve/",
+        PackageVersionApproveApiView.as_view(),
+        name="package-version.approve",
+    ),
+    path(
+        "package-version/<int:pk>/reject/",
+        PackageVersionRejectApiView.as_view(),
+        name="package-version.reject",
+    ),
 ]
diff --git a/django/thunderstore/repository/api/experimental/views/package_version.py b/django/thunderstore/repository/api/experimental/views/package_version.py
index 5fd4bc66f..878b52263 100644
--- a/django/thunderstore/repository/api/experimental/views/package_version.py
+++ b/django/thunderstore/repository/api/experimental/views/package_version.py
@@ -1,6 +1,8 @@
 from drf_yasg.utils import swagger_auto_schema
-from rest_framework.exceptions import ValidationError
-from rest_framework.generics import RetrieveAPIView, get_object_or_404
+from rest_framework import permissions, status
+from rest_framework.authentication import BasicAuthentication, SessionAuthentication
+from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.generics import GenericAPIView, RetrieveAPIView, get_object_or_404
 from rest_framework.response import Response
 
 from thunderstore.cache.cache import ManualCacheCommunityMixin
@@ -107,3 +109,41 @@ def retrieve(self, request, *args, **kwargs):
         instance = self.get_object()
         serializer = self.get_serializer({"markdown": instance.readme})
         return Response(serializer.data)
+
+
+class PackageVersionRejectApiView(GenericAPIView):
+    queryset = PackageVersion.objects
+
+    @swagger_auto_schema(
+        operation_id="experimental.package_version.reject",
+        tags=["experimental"],
+    )
+    def post(self, request, *args, **kwargs):
+        version: PackageVersion = self.get_object()
+
+        try:
+            version.reject(
+                agent=request.user,
+            )
+            return Response(status=status.HTTP_200_OK)
+        except PermissionError:
+            raise PermissionDenied()
+
+
+class PackageVersionApproveApiView(GenericAPIView):
+    queryset = PackageVersion.objects
+
+    @swagger_auto_schema(
+        operation_id="experimental.package_version.approve",
+        tags=["experimental"],
+    )
+    def post(self, request, *args, **kwargs):
+        version: PackageVersion = self.get_object()
+
+        try:
+            version.approve(
+                agent=request.user,
+            )
+            return Response(status=status.HTTP_200_OK)
+        except PermissionError:
+            raise PermissionDenied()
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 45325a977..611a6de7d 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -12,6 +12,7 @@
 from django.utils import timezone
 from django.utils.functional import cached_property
 
+from thunderstore.community.consts import PackageListingReviewStatus
 from thunderstore.community.models import Community
 from thunderstore.core.mixins import AdminLinkMixin
 from thunderstore.core.types import UserType
@@ -25,6 +26,12 @@
 from thunderstore.repository.models import Package
 from thunderstore.repository.package_formats import PackageFormats
 from thunderstore.utils.decorators import run_after_commit
+from thunderstore.webhooks.audit import (
+    AuditAction,
+    AuditEvent,
+    AuditEventField,
+    fire_audit_event,
+)
 from thunderstore.webhooks.models.release import Webhook
 
 if TYPE_CHECKING:
@@ -321,6 +328,80 @@ def log_download_event(version_id: int, client_ip: Optional[str]):
 
         log_version_download.delay(version_id, timezone.now().isoformat())
 
+    def build_audit_event(
+        self,
+        *,
+        action: AuditAction,
+        user_id: Optional[int],
+        message: Optional[str] = None,
+    ) -> AuditEvent:
+        return AuditEvent(
+            timestamp=timezone.now(),
+            user_id=user_id,
+            action=action,
+            message=message,
+            related_url=self.package.get_view_on_site_url(),
+            fields=[
+                AuditEventField(
+                    name="Package",
+                    value=self.package.full_package_name,
+                ),
+            ],
+        )
+
+    @transaction.atomic
+    def reject(
+        self,
+        agent: Optional[UserType],
+        is_system: bool = False,
+    ):
+        if self.review_status == PackageVersionReviewStatus.immune:
+            raise PermissionError()
+
+        if is_system or self.can_user_manage_approval_status(agent):
+            self.review_status = PackageVersionReviewStatus.rejected
+            self.save(update_fields=("review_status",))
+
+            fire_audit_event(
+                self.build_audit_event(
+                    action=AuditAction.VERSION_REJECTED,
+                    user_id=agent.pk if agent else None,
+                )
+            )
+        else:
+            raise PermissionError()
+
+    @transaction.atomic
+    def approve(
+        self,
+        agent: Optional[UserType],
+        is_system: bool = False,
+    ):
+        if self.review_status == PackageVersionReviewStatus.immune:
+            raise PermissionError()
+
+        if is_system or self.can_user_manage_approval_status(agent):
+            self.review_status = PackageVersionReviewStatus.approved
+            self.save(update_fields=("review_status",))
+
+            fire_audit_event(
+                self.build_audit_event(
+                    action=AuditAction.VERSION_APPROVED,
+                    user_id=agent.pk if agent else None,
+                )
+            )
+        else:
+            raise PermissionError()
+
+    def can_user_manage_approval_status(self, user: Optional[UserType]) -> bool:
+        if self.review_status == PackageVersionReviewStatus.immune:
+            return False
+
+        for listing in self.package.community_listings.all():
+            if listing.can_user_manage_approval_status(user):
+                return True
+        return False
+
     def ensure_can_be_viewed_by_user(
         self, user: Optional[UserType], community: Community
     ) -> None:
diff --git a/django/thunderstore/repository/views/mixins.py b/django/thunderstore/repository/views/mixins.py
index d2c90e3ce..2f91f8937 100644
--- a/django/thunderstore/repository/views/mixins.py
+++ b/django/thunderstore/repository/views/mixins.py
@@ -157,6 +157,7 @@ def get_context_data(self, *args, **kwargs):
         )
         context["show_review_status"] = self.can_manage
         context["show_internal_notes"] = self.can_moderate
+        context["can_moderate"] = self.can_moderate
 
         context["management_panel_props"] = {
             "isDeprecated": package_listing.package.is_deprecated,
diff --git a/django/thunderstore/webhooks/audit.py b/django/thunderstore/webhooks/audit.py
index c77667339..8960a2970 100644
--- a/django/thunderstore/webhooks/audit.py
+++ b/django/thunderstore/webhooks/audit.py
@@ -10,6 +10,8 @@ class AuditAction(str, Enum):
     PACKAGE_REJECTED = "PACKAGE_REJECTED"
     PACKAGE_APPROVED = "PACKAGE_APPROVED"
     PACKAGE_WARNING = "PACKAGE_WARNING"
+    VERSION_REJECTED = "VERSION_REJECTED"
+    VERSION_APPROVED = "VERSION_APPROVED"
 
 
 class AuditEventField(BaseModel):

From a6d6ef6c0f1efb935e9cc8a258ced1745ce7332f Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Fri, 25 Oct 2024 18:21:43 -0400
Subject: [PATCH 13/61] Ensure APIs only return public listings

Ensure APIs only return public listings
---
 django/thunderstore/api/cyberstorm/views/package_listing.py | 1 +
 django/thunderstore/repository/cache.py                     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/django/thunderstore/api/cyberstorm/views/package_listing.py b/django/thunderstore/api/cyberstorm/views/package_listing.py
index 5a8722cde..839120994 100644
--- a/django/thunderstore/api/cyberstorm/views/package_listing.py
+++ b/django/thunderstore/api/cyberstorm/views/package_listing.py
@@ -146,6 +146,7 @@ def get_custom_package_listing(
     qs = (
         PackageListing.objects.active()
         .filter_by_community_approval_rule()
+        .public_list()
         .select_related(
             "community",
             "package__latest",
diff --git a/django/thunderstore/repository/cache.py b/django/thunderstore/repository/cache.py
index f3ea879bf..dc92252a1 100644
--- a/django/thunderstore/repository/cache.py
+++ b/django/thunderstore/repository/cache.py
@@ -32,6 +32,7 @@ def get_package_listing_base_queryset(
     return (
         PackageListing.objects.active()
         .filter_by_community_approval_rule()
+        .public_list()
         .exclude(~Q(community__identifier=community_identifier))
     )
 

From 3539db30e2100e3a025a50286ddce7bc04e5e533 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Mon, 28 Oct 2024 21:54:05 -0400
Subject: [PATCH 14/61] Make APIs return only public_list instance

Update cyberstorm.package.versions and
experimental.frontend.community.packages
return only public_list instances
---
 .../thunderstore/api/cyberstorm/views/package_version_list.py   | 2 +-
 .../frontend/api/experimental/views/community_package_list.py   | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/django/thunderstore/api/cyberstorm/views/package_version_list.py b/django/thunderstore/api/cyberstorm/views/package_version_list.py
index 0dc69c957..2ba5248fc 100644
--- a/django/thunderstore/api/cyberstorm/views/package_version_list.py
+++ b/django/thunderstore/api/cyberstorm/views/package_version_list.py
@@ -27,4 +27,4 @@ def get_queryset(self):
             name__iexact=self.kwargs["package_name"],
         )
 
-        return package.versions.active()
+        return package.available_versions
diff --git a/django/thunderstore/frontend/api/experimental/views/community_package_list.py b/django/thunderstore/frontend/api/experimental/views/community_package_list.py
index e1682dbe6..4e8b1d555 100644
--- a/django/thunderstore/frontend/api/experimental/views/community_package_list.py
+++ b/django/thunderstore/frontend/api/experimental/views/community_package_list.py
@@ -91,6 +91,7 @@ def get_queryset(self, community: Community) -> QuerySet[Package]:
             .filter(
                 community_listings__community__pk=community.pk,
                 community_listings__review_status__in=review_statuses,
+                community_listings__visibility__public_list=True,
             )
             .prefetch_related(
                 community_listings,

From db2298bb1ecb0a9775448ee74833dbf613dccca0 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 29 Oct 2024 00:30:41 -0400
Subject: [PATCH 15/61] Small fixes to satisfy tests

Add check for None to PackageListing's ensure_can_be_viewed_by_user
Move format_category back inside get_context_data
Filter review queue to moderator_list instead of public_list
---
 .../community/models/package_listing.py       | 19 ++++++++++---------
 .../thunderstore/repository/views/mixins.py   | 10 +++++-----
 .../repository/views/package/list.py          | 12 +++++++++++-
 3 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 30e5db697..000dfd600 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -354,17 +354,18 @@ def get_has_perms() -> bool:
         if not self.visibility:
             raise ValidationError("Insufficient permissions to view")
 
-        if not self.visibility.public_detail:
-            if not (
-                self.visibility.owner_detail
-                and self.package.owner.can_user_access(user)
-            ):
+        if user is not None:
+            if not self.visibility.public_detail:
                 if not (
-                    self.visibility.moderator_detail
-                    and self.community.can_user_manage_packages(user)
+                    self.visibility.owner_detail
+                    and self.package.owner.can_user_access(user)
                 ):
-                    if not (self.visibility.admin_detail and user.is_superuser):
-                        raise ValidationError("Insufficient permissions to view")
+                    if not (
+                        self.visibility.moderator_detail
+                        and self.community.can_user_manage_packages(user)
+                    ):
+                        if not (self.visibility.admin_detail and user.is_superuser):
+                            raise ValidationError("Insufficient permissions to view")
 
         if self.community.require_package_listing_approval:
             if (
diff --git a/django/thunderstore/repository/views/mixins.py b/django/thunderstore/repository/views/mixins.py
index 2f91f8937..196ef0059 100644
--- a/django/thunderstore/repository/views/mixins.py
+++ b/django/thunderstore/repository/views/mixins.py
@@ -136,9 +136,6 @@ def get_review_panel(self):
             "packageListingId": self.object.pk,
         }
 
-    def format_category(cat: PackageCategory):
-        return {"name": cat.name, "slug": cat.slug}
-
     def get_context_data(self, *args, **kwargs):
         context = super().get_context_data(*args, **kwargs)
         package_listing = context["object"]
@@ -159,6 +156,9 @@ def get_context_data(self, *args, **kwargs):
         context["show_internal_notes"] = self.can_moderate
         context["can_moderate"] = self.can_moderate
 
+        def format_category(cat: PackageCategory):
+            return {"name": cat.name, "slug": cat.slug}
+
         context["management_panel_props"] = {
             "isDeprecated": package_listing.package.is_deprecated,
             "canDeprecate": self.can_deprecate,
@@ -167,10 +167,10 @@ def get_context_data(self, *args, **kwargs):
             "canUpdateCategories": self.can_manage_categories,
             "csrfToken": csrf.get_token(self.request),
             "currentCategories": [
-                self.format_category(x) for x in package_listing.categories.all()
+                format_category(x) for x in package_listing.categories.all()
             ],
             "availableCategories": [
-                self.format_category(x)
+                format_category(x)
                 for x in package_listing.community.package_categories.all()
             ],
             "packageListingId": package_listing.pk,
diff --git a/django/thunderstore/repository/views/package/list.py b/django/thunderstore/repository/views/package/list.py
index f12adafb3..4e14902d7 100644
--- a/django/thunderstore/repository/views/package/list.py
+++ b/django/thunderstore/repository/views/package/list.py
@@ -220,6 +220,11 @@ def filter_approval_status(
                 review_status=PackageListingReviewStatus.rejected,
             )
 
+    def filter_visibility(
+        self, queryset: QuerySet[PackageListing]
+    ) -> QuerySet[PackageListing]:
+        return queryset.public_list()
+
     def get_queryset(self):
         listing_ref = PackageListing.objects.filter(pk=OuterRef("pk"))
 
@@ -271,7 +276,7 @@ def get_queryset(self):
             queryset = queryset.exclude(package__is_deprecated=True)
 
         queryset = self.filter_approval_status(queryset)
-        queryset = queryset.public_list()
+        queryset = self.filter_visibility(queryset)
 
         search_query = self.get_search_query()
         if search_query:
@@ -437,6 +442,11 @@ def filter_approval_status(
     ) -> QuerySet[PackageListing]:
         return queryset
 
+    def filter_visibility(
+        self, queryset: QuerySet[PackageListing]
+    ) -> QuerySet[PackageListing]:
+        return queryset.moderator_list()
+
     def get_community_cache_vary(self) -> str:
         return ".".join(self.community_ids)
 

From f2e8a8f630ccc48ea3673911032957c9b481a8d0 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 29 Oct 2024 00:48:12 -0400
Subject: [PATCH 16/61] Add tests for listing/version visibility

Add VisibilityFlagsFactory
Add test for returning only visible packages
Add test for returning only packages with an available version
Add test for returning only visible versions
Add test for ensuring latest is visible if possible
---
 .../tests/test_package_version_list.py        | 54 ++++++++++++++++
 .../tests/test_community_package_list.py      | 61 +++++++++++++++++++
 django/thunderstore/permissions/factories.py  | 17 ++++++
 3 files changed, 132 insertions(+)
 create mode 100644 django/thunderstore/permissions/factories.py

diff --git a/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py b/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
index e8bd57d9f..cb79265ff 100644
--- a/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
+++ b/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
@@ -1,6 +1,8 @@
 import pytest
 from rest_framework.test import APIClient
 
+from thunderstore.permissions.factories import VisibilityFlagsFactory
+from thunderstore.repository.consts import PackageVersionReviewStatus
 from thunderstore.repository.factories import PackageVersionFactory
 from thunderstore.repository.models import Package
 
@@ -48,3 +50,55 @@ def test_package_version_list_api_view__returns_versions(
 
     assert len(actual) == 1
     assert actual[0]["version_number"] == expected.version_number
+
+
+@pytest.mark.django_db
+def test_only_visible_versions_are_returned(
+    api_client: APIClient,
+) -> None:
+    version1 = PackageVersionFactory(version_number="1.0.0")
+    version1.visibility = VisibilityFlagsFactory(public_list=True)
+    version1.save()
+
+    version2 = PackageVersionFactory(package=version1.package, version_number="2.0.0")
+    version2.visibility = VisibilityFlagsFactory(public_list=False)
+    version2.save()
+
+    response = api_client.get(
+        f"/api/cyberstorm/package/{version1.package.namespace}/{version1.package.name}/versions/",
+    )
+    actual = response.json()
+
+    assert len(actual) == 1
+    assert actual[0]["version_number"] == version1.version_number
+
+
+@pytest.mark.django_db
+def test_latest_is_visible_if_possible(
+    api_client: APIClient,
+) -> None:
+    version1 = PackageVersionFactory(version_number="1.0.0")
+    version1.visibility = VisibilityFlagsFactory(public_list=True)
+    version1.save()
+
+    version2 = PackageVersionFactory(package=version1.package, version_number="2.0.0")
+    version2.visibility = VisibilityFlagsFactory(public_list=True)
+    version2.save()
+
+    version1.package.recache_latest()
+
+    assert version1.package.latest == version2
+
+    version2.review_status = PackageVersionReviewStatus.rejected
+    version2.save()
+
+    version1.package.recache_latest()
+
+    assert version1.package.latest == version1
+
+    version1.review_status = PackageVersionReviewStatus.rejected
+    version1.save()
+
+    version1.package.recache_latest()
+
+    assert version1.package.latest == version1
diff --git a/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py b/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py
index 0d46a464e..52c223f17 100644
--- a/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py
+++ b/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py
@@ -11,6 +11,8 @@
 from thunderstore.community.models import PackageCategory, PackageListingSection
 from thunderstore.community.models.package_listing import PackageListing
 from thunderstore.frontend.api.experimental.views import CommunityPackageListApiView
+from thunderstore.permissions.factories import VisibilityFlagsFactory
+from thunderstore.repository.consts import PackageVersionReviewStatus
 from thunderstore.repository.factories import (
     PackageRatingFactory,
     PackageVersionFactory,
@@ -109,6 +111,65 @@ def test_only_approved_packages_are_returned_when_approval_is_required(
     __assert_packages_by_listings(data, listing2)
 
 
+@pytest.mark.django_db
+def test_only_visible_packages_are_returned(api_client: APIClient) -> None:
+    listing1 = PackageListingFactory()
+    listing1.visibility = VisibilityFlagsFactory(public_list=True)
+    listing1.save()
+
+    listing2 = PackageListingFactory(
+        community_=listing1.community,
+    )
+    listing2.visibility = VisibilityFlagsFactory(public_list=True)
+    listing2.save()
+
+    listing3 = PackageListingFactory(
+        community_=listing1.community,
+    )
+    listing3.visibility = VisibilityFlagsFactory(public_list=False)
+    listing3.save()
+
+    data = __query_api(api_client, listing1.community.identifier)
+
+    assert len(data["packages"]) == 2
+    __assert_packages_by_listings(data, [listing2, listing1])
+
+
+@pytest.mark.django_db
+def test_packages_with_only_rejected_versions_are_not_returned(
+    api_client: APIClient,
+) -> None:
+    listing1 = PackageListingFactory()
+    listing1.visibility = VisibilityFlagsFactory(public_list=True)
+    listing1.save()
+
+    listing2 = PackageListingFactory(community_=listing1.community)
+    listing2.visibility = VisibilityFlagsFactory(public_list=True)
+    listing2.save()
+    PackageVersionFactory(
+        package=listing2.package,
+        version_number="2.0.0",
+    )
+
+    listing3 = PackageListingFactory(community_=listing1.community)
+    listing3.visibility = VisibilityFlagsFactory(public_list=True)
+    listing3.save()
+
+    listing1.package.latest.review_status = PackageVersionReviewStatus.rejected
+    listing1.package.latest.save()
+
+    listing2.package.latest.review_status = PackageVersionReviewStatus.rejected
+    listing2.package.latest.save()
+
+    listing2.package.recache_latest()  # can't wait for post_save() here
+    listing2.package.latest.review_status = PackageVersionReviewStatus.rejected
+    listing2.package.latest.save()
+
+    data = __query_api(api_client, listing1.community.identifier)
+
+    assert len(data["packages"]) == 1
+
+
 @pytest.mark.django_db
 def test_deprecated_packages_are_returned_only_when_requested(
     api_client: APIClient,
diff --git a/django/thunderstore/permissions/factories.py b/django/thunderstore/permissions/factories.py
new file mode 100644
index 000000000..52ec4a6eb
--- /dev/null
+++ b/django/thunderstore/permissions/factories.py
@@ -0,0 +1,17 @@
+from factory.django import DjangoModelFactory
+
+from thunderstore.permissions.models import VisibilityFlags
+
+
+class VisibilityFlagsFactory(DjangoModelFactory):
+    class Meta:
+        model = VisibilityFlags
+
+    public_list = True
+    public_detail = True
+    owner_list = True
+    owner_detail = True
+    moderator_list = True
+    moderator_detail = True
+    admin_list = True
+    admin_detail = True

From 304fafce28efef8617509ccf3539e70e54caa468 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 29 Oct 2024 10:45:03 -0400
Subject: [PATCH 17/61] Update webhook audits

Update webhook audits to display approval, rejection, and warnings for
listings, versions, and packages
---
 .../community/models/package_listing.py          |  4 ++--
 .../repository/models/package_version.py         |  4 ++++
 django/thunderstore/webhooks/audit.py            |  6 ++++--
 django/thunderstore/webhooks/models/audit.py     | 16 +++++++++++++---
 .../webhooks/tasks/tests/test_audit.py           |  8 ++++++--
 5 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 000dfd600..75c859fec 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -221,7 +221,7 @@ def reject(
             message = "\n\n".join(filter(bool, (rejection_reason, internal_notes)))
             fire_audit_event(
                 self.build_audit_event(
-                    action=AuditAction.PACKAGE_REJECTED,
+                    action=AuditAction.LISTING_REJECTED,
                     user_id=agent.pk if agent else None,
                     message=message,
                 )
@@ -247,7 +247,7 @@ def approve(
             )
             fire_audit_event(
                 self.build_audit_event(
-                    action=AuditAction.PACKAGE_APPROVED,
+                    action=AuditAction.LISTING_APPROVED,
                     user_id=agent.pk if agent else None,
                     message=internal_notes,
                 )
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 611a6de7d..f59546f8c 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -354,6 +354,7 @@ def reject(
         self,
         agent: Optional[UserType],
         is_system: bool = False,
+        message: Optional[str] = None,
     ):
         if self.review_status == PackageVersionReviewStatus.immune:
             raise PermissionError()
@@ -366,6 +367,7 @@ def reject(
                 self.build_audit_event(
                     action=AuditAction.VERSION_REJECTED,
                     user_id=agent.pk if agent else None,
+                    message=message,
                 )
             )
         else:
@@ -376,6 +378,7 @@ def approve(
         self,
         agent: Optional[UserType],
         is_system: bool = False,
+        message: Optional[str] = None,
     ):
         if self.review_status == PackageVersionReviewStatus.immune:
             raise PermissionError()
@@ -388,6 +391,7 @@ def approve(
                 self.build_audit_event(
                     action=AuditAction.VERSION_APPROVED,
                     user_id=agent.pk if agent else None,
+                    message=message,
                 )
             )
         else:
diff --git a/django/thunderstore/webhooks/audit.py b/django/thunderstore/webhooks/audit.py
index 8960a2970..e1f40ccf5 100644
--- a/django/thunderstore/webhooks/audit.py
+++ b/django/thunderstore/webhooks/audit.py
@@ -7,11 +7,13 @@
 
 
 class AuditAction(str, Enum):
-    PACKAGE_REJECTED = "PACKAGE_REJECTED"
-    PACKAGE_APPROVED = "PACKAGE_APPROVED"
     PACKAGE_WARNING = "PACKAGE_WARNING"
+    LISTING_REJECTED = "LISTING_REJECTED"
+    LISTING_APPROVED = "LISTING_APPROVED"
+    LISTING_WARNING = "LISTING_WARNING"
     VERSION_REJECTED = "VERSION_REJECTED"
     VERSION_APPROVED = "VERSION_APPROVED"
+    VERSION_WARNING = "VERSION_WARNING"
 
 
 class AuditEventField(BaseModel):
diff --git a/django/thunderstore/webhooks/models/audit.py b/django/thunderstore/webhooks/models/audit.py
index 569b85d14..9c8ade1ab 100644
--- a/django/thunderstore/webhooks/models/audit.py
+++ b/django/thunderstore/webhooks/models/audit.py
@@ -40,11 +40,21 @@ def get_for_event(cls, event: AuditEvent) -> QuerySet["AuditWebhook"]:
 
     @staticmethod
     def get_event_color(action: AuditAction) -> int:
-        if action == AuditAction.PACKAGE_APPROVED:
+        if (
+            action == AuditAction.LISTING_APPROVED
+            or action == AuditAction.VERSION_APPROVED
+        ):
             return 5763719
-        if action == AuditAction.PACKAGE_REJECTED:
+        if (
+            action == AuditAction.LISTING_REJECTED
+            or action == AuditAction.VERSION_REJECTED
+        ):
             return 15548997
-        if action == AuditAction.PACKAGE_WARNING:
+        if (
+            action == AuditAction.PACKAGE_WARNING
+            or action == AuditAction.LISTING_WARNING
+            or action == AuditAction.VERSION_WARNING
+        ):
             return 16705372
         return 9807270
 
diff --git a/django/thunderstore/webhooks/tasks/tests/test_audit.py b/django/thunderstore/webhooks/tasks/tests/test_audit.py
index 8b4eac65e..14fab5acb 100644
--- a/django/thunderstore/webhooks/tasks/tests/test_audit.py
+++ b/django/thunderstore/webhooks/tasks/tests/test_audit.py
@@ -13,9 +13,13 @@
 @pytest.mark.parametrize(
     "action",
     (
-        AuditAction.PACKAGE_APPROVED,
-        AuditAction.PACKAGE_REJECTED,
         AuditAction.PACKAGE_WARNING,
+        AuditAction.LISTING_REJECTED,
+        AuditAction.LISTING_APPROVED,
+        AuditAction.LISTING_WARNING,
+        AuditAction.VERSION_REJECTED,
+        AuditAction.VERSION_APPROVED,
+        AuditAction.VERSION_WARNING,
     ),
 )
 @pytest.mark.parametrize("message", (None, "Test message"))

From 7c5313e0c5dc6d918fda7c32db7b40c148d50d38 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Mon, 21 Oct 2024 16:57:21 -0400
Subject: [PATCH 18/61] Move permission logic to PackagePermissionsMixin

Move permission logic to PackagePermissionsMixin because PackageDetailView
is a bad place for it
---
 .../thunderstore/repository/views/mixins.py   | 141 +++++++++++++++++-
 .../repository/views/package/detail.py        | 120 ---------------
 2 files changed, 138 insertions(+), 123 deletions(-)

diff --git a/django/thunderstore/repository/views/mixins.py b/django/thunderstore/repository/views/mixins.py
index 96741ac51..d2c90e3ce 100644
--- a/django/thunderstore/repository/views/mixins.py
+++ b/django/thunderstore/repository/views/mixins.py
@@ -1,14 +1,23 @@
 import dataclasses
 from typing import Dict, List, Optional, TypedDict
 
+from django.core.exceptions import PermissionDenied
 from django.http import Http404
+from django.middleware import csrf
+from django.shortcuts import redirect
+from django.utils.functional import cached_property
 from django.views.generic import DetailView
 
-from thunderstore.community.models import PackageListing
+from thunderstore.community.models import PackageCategory, PackageListing
 from thunderstore.core.types import UserType
+from thunderstore.core.utils import check_validity
 from thunderstore.plugins.registry import plugin_registry
 from thunderstore.repository.mixins import CommunityMixin
-from thunderstore.repository.views.package._utils import get_package_listing_or_404
+from thunderstore.repository.views.package._utils import (
+    can_view_listing_admin,
+    can_view_package_admin,
+    get_package_listing_or_404,
+)
 
 
 @dataclasses.dataclass
@@ -78,7 +87,133 @@ def get_tab_context(
         }
 
 
-class PackageListingDetailView(CommunityMixin, PackageTabsMixin, DetailView):
+class PackagePermissionsMixin:
+    @cached_property
+    def can_manage(self):
+        return any(
+            (
+                self.can_manage_deprecation,
+                self.can_manage_categories,
+                self.can_unlist,
+            )
+        )
+
+    @cached_property
+    def can_manage_deprecation(self):
+        return self.object.package.can_user_manage_deprecation(self.request.user)
+
+    @cached_property
+    def can_manage_categories(self) -> bool:
+        return check_validity(
+            lambda: self.object.ensure_update_categories_permission(self.request.user)
+        )
+
+    @cached_property
+    def can_deprecate(self):
+        return (
+            self.can_manage_deprecation and self.object.package.is_deprecated is False
+        )
+
+    @cached_property
+    def can_undeprecate(self):
+        return self.can_manage_deprecation and self.object.package.is_deprecated is True
+
+    @cached_property
+    def can_unlist(self):
+        return self.request.user.is_superuser
+
+    @cached_property
+    def can_moderate(self) -> bool:
+        return self.object.community.can_user_manage_packages(self.request.user)
+
+    def get_review_panel(self):
+        if not self.can_moderate:
+            return None
+        return {
+            "reviewStatus": self.object.review_status,
+            "rejectionReason": self.object.rejection_reason,
+            "internalNotes": self.object.notes,
+            "packageListingId": self.object.pk,
+        }
+
+    def format_category(cat: PackageCategory):
+        return {"name": cat.name, "slug": cat.slug}
+
+    def get_context_data(self, *args, **kwargs):
+        context = super().get_context_data(*args, **kwargs)
+        package_listing = context["object"]
+        context.update(
+            **self.get_tab_context(
+                self.request.user, package_listing, self.get_tab_name()
+            )
+        )
+
+        context["show_management_panel"] = self.can_manage
+        context["show_listing_admin_link"] = can_view_listing_admin(
+            self.request.user, package_listing
+        )
+        context["show_package_admin_link"] = can_view_package_admin(
+            self.request.user, package_listing.package
+        )
+        context["show_review_status"] = self.can_manage
+        context["show_internal_notes"] = self.can_moderate
+
+        context["management_panel_props"] = {
+            "isDeprecated": package_listing.package.is_deprecated,
+            "canDeprecate": self.can_deprecate,
+            "canUndeprecate": self.can_undeprecate,
+            "canUnlist": self.can_unlist,
+            "canUpdateCategories": self.can_manage_categories,
+            "csrfToken": csrf.get_token(self.request),
+            "currentCategories": [
+                self.format_category(x) for x in package_listing.categories.all()
+            ],
+            "availableCategories": [
+                self.format_category(x)
+                for x in package_listing.community.package_categories.all()
+            ],
+            "packageListingId": package_listing.pk,
+        }
+        context["review_panel_props"] = self.get_review_panel()
+
+        return context
+
+    def post_deprecate(self):
+        if not self.can_deprecate:
+            raise PermissionDenied()
+        self.object.package.deprecate()
+
+    def post_undeprecate(self):
+        if not self.can_undeprecate:
+            raise PermissionDenied()
+        self.object.package.undeprecate()
+
+    def post_unlist(self):
+        if not self.can_unlist:
+            raise PermissionDenied()
+        self.object.package.deactivate()
+
+    def post(self, request, **kwargs):
+        self.object = self.get_object()
+        if not self.can_manage:
+            raise PermissionDenied()
+        if "deprecate" in request.POST:
+            self.post_deprecate()
+        elif "undeprecate" in request.POST:
+            self.post_undeprecate()
+        elif "unlist" in request.POST:
+            self.post_unlist()
+        get_package_listing_or_404.clear_cache_with_args(
+            namespace=self.kwargs["owner"],
+            name=self.kwargs["name"],
+            community=self.community,
+        )
+        return redirect(self.object)
+
+
+class PackageListingDetailView(
+    PackagePermissionsMixin, CommunityMixin, PackageTabsMixin, DetailView
+):
     model = PackageListing
     object: Optional[PackageListing] = None
     tab_name: Optional[str] = None
diff --git a/django/thunderstore/repository/views/package/detail.py b/django/thunderstore/repository/views/package/detail.py
index aaa4f85fa..97080798b 100644
--- a/django/thunderstore/repository/views/package/detail.py
+++ b/django/thunderstore/repository/views/package/detail.py
@@ -1,72 +1,13 @@
-from django.core.exceptions import PermissionDenied
-from django.middleware import csrf
-from django.shortcuts import redirect
 from django.utils.decorators import method_decorator
-from django.utils.functional import cached_property
 from django.views.decorators.csrf import ensure_csrf_cookie
 
-from thunderstore.community.models import PackageCategory
-from thunderstore.core.utils import check_validity
 from thunderstore.repository.views.mixins import PackageListingDetailView
-from thunderstore.repository.views.package._utils import (
-    can_view_listing_admin,
-    can_view_package_admin,
-    get_package_listing_or_404,
-)
 
 
 @method_decorator(ensure_csrf_cookie, name="dispatch")
 class PackageDetailView(PackageListingDetailView):
     tab_name = "details"
 
-    @cached_property
-    def can_manage(self):
-        return any(
-            (
-                self.can_manage_deprecation,
-                self.can_manage_categories,
-                self.can_unlist,
-            )
-        )
-
-    @cached_property
-    def can_manage_deprecation(self):
-        return self.object.package.can_user_manage_deprecation(self.request.user)
-
-    @cached_property
-    def can_manage_categories(self) -> bool:
-        return check_validity(
-            lambda: self.object.ensure_update_categories_permission(self.request.user)
-        )
-
-    @cached_property
-    def can_deprecate(self):
-        return (
-            self.can_manage_deprecation and self.object.package.is_deprecated is False
-        )
-
-    @cached_property
-    def can_undeprecate(self):
-        return self.can_manage_deprecation and self.object.package.is_deprecated is True
-
-    @cached_property
-    def can_unlist(self):
-        return self.request.user.is_superuser
-
-    @cached_property
-    def can_moderate(self) -> bool:
-        return self.object.community.can_user_manage_packages(self.request.user)
-
-    def get_review_panel(self):
-        if not self.can_moderate:
-            return None
-        return {
-            "reviewStatus": self.object.review_status,
-            "rejectionReason": self.object.rejection_reason,
-            "internalNotes": self.object.notes,
-            "packageListingId": self.object.pk,
-        }
-
     def get_context_data(self, *args, **kwargs):
         context = super().get_context_data(*args, **kwargs)
 
@@ -83,66 +24,5 @@ def get_context_data(self, *args, **kwargs):
             )
 
         context["dependants_string"] = dependants_string
-        context["show_management_panel"] = self.can_manage
-        context["show_listing_admin_link"] = can_view_listing_admin(
-            self.request.user, package_listing
-        )
-        context["show_package_admin_link"] = can_view_package_admin(
-            self.request.user, package_listing.package
-        )
-        context["show_review_status"] = self.can_manage
-        context["show_internal_notes"] = self.can_moderate
 
-        def format_category(cat: PackageCategory):
-            return {"name": cat.name, "slug": cat.slug}
-
-        context["management_panel_props"] = {
-            "isDeprecated": package_listing.package.is_deprecated,
-            "canDeprecate": self.can_deprecate,
-            "canUndeprecate": self.can_undeprecate,
-            "canUnlist": self.can_unlist,
-            "canUpdateCategories": self.can_manage_categories,
-            "csrfToken": csrf.get_token(self.request),
-            "currentCategories": [
-                format_category(x) for x in package_listing.categories.all()
-            ],
-            "availableCategories": [
-                format_category(x)
-                for x in package_listing.community.package_categories.all()
-            ],
-            "packageListingId": package_listing.pk,
-        }
-        context["review_panel_props"] = self.get_review_panel()
         return context
-
-    def post_deprecate(self):
-        if not self.can_deprecate:
-            raise PermissionDenied()
-        self.object.package.deprecate()
-
-    def post_undeprecate(self):
-        if not self.can_undeprecate:
-            raise PermissionDenied()
-        self.object.package.undeprecate()
-
-    def post_unlist(self):
-        if not self.can_unlist:
-            raise PermissionDenied()
-        self.object.package.deactivate()
-
-    def post(self, request, **kwargs):
-        self.object = self.get_object()
-        if not self.can_manage:
-            raise PermissionDenied()
-        if "deprecate" in request.POST:
-            self.post_deprecate()
-        elif "undeprecate" in request.POST:
-            self.post_undeprecate()
-        elif "unlist" in request.POST:
-            self.post_unlist()
-        get_package_listing_or_404.clear_cache_with_args(
-            namespace=self.kwargs["owner"],
-            name=self.kwargs["name"],
-            community=self.community,
-        )
-        return redirect(self.object)

From 793f0b240b030cde5054f43a6cbad7dd7efa2c8e Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:01:24 -0400
Subject: [PATCH 19/61] Update permissions.visibility

Add more filtering functions, change default visibility to private
---
 django/thunderstore/permissions/mixins.py          | 14 +++++++++++++-
 .../thunderstore/permissions/models/visibility.py  | 12 ++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/django/thunderstore/permissions/mixins.py b/django/thunderstore/permissions/mixins.py
index 477f3bc58..c2e5b12c6 100644
--- a/django/thunderstore/permissions/mixins.py
+++ b/django/thunderstore/permissions/mixins.py
@@ -11,6 +11,18 @@ def public_list(self):
     def public_detail(self):
         return self.exclude(visibility__public_detail=False)
 
+    def owner_list(self):
+        return self.exclude(visibility__owner_list=False)
+
+    def owner_detail(self):
+        return self.exclude(visibility__owner_detail=False)
+
+    def moderator_list(self):
+        return self.exclude(visibility__moderator_list=False)
+
+    def moderator_detail(self):
+        return self.exclude(visibility__moderator_detail=False)
+
     def visible_list(self, is_owner: bool, is_moderator: bool, is_admin: bool):
         filter = Q(visibility__public_list=True)
         if is_owner:
@@ -44,7 +56,7 @@ class VisibilityMixin(models.Model):
     @transaction.atomic
     def save(self, *args, **kwargs):
         if not self.pk and not self.visibility:
-            self.visibility = VisibilityFlags.objects.create_public()
+            self.visibility = VisibilityFlags.objects.create_private()
         super().save()
 
     class Meta:
diff --git a/django/thunderstore/permissions/models/visibility.py b/django/thunderstore/permissions/models/visibility.py
index 83116055d..b01d19329 100644
--- a/django/thunderstore/permissions/models/visibility.py
+++ b/django/thunderstore/permissions/models/visibility.py
@@ -14,6 +14,18 @@ def create_public(self):
             admin_detail=True,
         )
 
+    def create_private(self):
+        return self.create(
+            public_list=False,
+            public_detail=False,
+            owner_list=True,
+            owner_detail=True,
+            moderator_list=True,
+            moderator_detail=True,
+            admin_list=True,
+            admin_detail=True,
+        )
+
 
 class VisibilityFlags(models.Model):
     objects = VisibilityFlagsQuerySet.as_manager()

From 4f6054a9a784269891c023f733d2682c78b2edd5 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:11:35 -0400
Subject: [PATCH 20/61] Add review_status to PackageVersion

Add review_status to PackageVersion
Add reject and approve version actions to Django admin
Add update_visibility method to PackageVersion
---
 .../repository/admin/package_version.py       | 30 +++++++++++++++
 django/thunderstore/repository/consts.py      | 11 +++++-
 .../0055_packageversion_review_status.py      | 28 ++++++++++++++
 .../repository/models/package_version.py      | 37 ++++++++++++++++++-
 4 files changed, 104 insertions(+), 2 deletions(-)
 create mode 100644 django/thunderstore/repository/migrations/0055_packageversion_review_status.py

diff --git a/django/thunderstore/repository/admin/package_version.py b/django/thunderstore/repository/admin/package_version.py
index 603fcbea1..12b679687 100644
--- a/django/thunderstore/repository/admin/package_version.py
+++ b/django/thunderstore/repository/admin/package_version.py
@@ -1,10 +1,15 @@
 from django.contrib import admin
+from django.core.cache import cache
+from django.db import transaction
 from django.db.models import BooleanField, ExpressionWrapper, Q, QuerySet
 from django.http import HttpRequest
 from django.urls import reverse
 from django.utils.safestring import mark_safe
 
+from thunderstore.cache.enums import CacheBustCondition
+from thunderstore.cache.tasks import invalidate_cache
 from thunderstore.community.models import PackageListing
+from thunderstore.repository.consts import PackageVersionReviewStatus
 from thunderstore.repository.models import PackageVersion
 from thunderstore.repository.tasks.files import extract_package_version_file_tree
 
@@ -17,11 +22,35 @@ def extract_file_list(modeladmin, request, queryset: QuerySet):
 extract_file_list.short_description = "Queue file list extraction"
 
 
+@transaction.atomic
+def reject_version(modeladmin, request, queryset: QuerySet[PackageVersion]):
+    for version in queryset:
+        version.review_status = PackageVersionReviewStatus.rejected
+        version.save(update_fields=("review_status",))
+        version.package.recache_latest()
+
+
+reject_version.short_description = "Reject"
+
+
+@transaction.atomic
+def approve_version(modeladmin, request, queryset: QuerySet[PackageVersion]):
+    for version in queryset:
+        version.review_status = PackageVersionReviewStatus.approved
+        version.save(update_fields=("review_status",))
+        version.package.recache_latest()
+
+
+approve_version.short_description = "Approve"
+
+
 @admin.register(PackageVersion)
 class PackageVersionAdmin(admin.ModelAdmin):
     model = PackageVersion
     actions = [
         extract_file_list,
+        reject_version,
+        approve_version,
     ]
     list_select_related = (
         "package",
@@ -33,6 +62,7 @@ class PackageVersionAdmin(admin.ModelAdmin):
         "package",
         "version_number",
         "is_active",
+        "review_status",
         "file_size",
         "downloads",
         "date_created",
diff --git a/django/thunderstore/repository/consts.py b/django/thunderstore/repository/consts.py
index b0ae54ee4..32dc76a3b 100644
--- a/django/thunderstore/repository/consts.py
+++ b/django/thunderstore/repository/consts.py
@@ -1,9 +1,18 @@
 import re
 
+from thunderstore.core.utils import ChoiceEnum
+
 PACKAGE_NAME_REGEX = re.compile(r"^[a-zA-Z0-9\_]+$")
 PACKAGE_VERSION_REGEX = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+$")
 
-
 PACKAGE_REFERENCE_COMPONENT_REGEX = re.compile(
     r"^[a-zA-Z0-9]+([a-zA-Z0-9\_]+[a-zA-Z0-9])?$"
 )
+
+
+class PackageVersionReviewStatus(ChoiceEnum):
+    pending = "pending"
+    approved = "approved"
+    rejected = "rejected"
+    skipped = "skipped"
+    immune = "immune"
diff --git a/django/thunderstore/repository/migrations/0055_packageversion_review_status.py b/django/thunderstore/repository/migrations/0055_packageversion_review_status.py
new file mode 100644
index 000000000..413aab4a8
--- /dev/null
+++ b/django/thunderstore/repository/migrations/0055_packageversion_review_status.py
@@ -0,0 +1,28 @@
+# Generated by Django 3.1.7 on 2024-09-30 15:00
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("repository", "0054_alter_chunked_package_cache_index"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="packageversion",
+            name="review_status",
+            field=models.CharField(
+                choices=[
+                    ("pending", "pending"),
+                    ("approved", "approved"),
+                    ("rejected", "rejected"),
+                    ("skipped", "skipped"),
+                    ("immune", "immune"),
+                ],
+                default="skipped",
+                max_length=512,
+            ),
+        ),
+    ]
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 23a434172..2f1d84874 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -14,7 +14,10 @@
 
 from thunderstore.core.mixins import AdminLinkMixin
 from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
-from thunderstore.repository.consts import PACKAGE_NAME_REGEX
+from thunderstore.repository.consts import (
+    PACKAGE_NAME_REGEX,
+    PackageVersionReviewStatus,
+)
 from thunderstore.repository.models import Package
 from thunderstore.repository.package_formats import PackageFormats
 from thunderstore.utils.decorators import run_after_commit
@@ -39,6 +42,9 @@ class PackageVersionQuerySet(VisibilityQuerySet):
     def active(self) -> "QuerySet[PackageVersion]":  # TODO: Generic type
         return self.exclude(is_active=False)
 
+    def filter_by_review_status(self):
+        return self.exclude(review_status__in=["pending", "rejected"])
+
     def chunked_enumerate(self, chunk_size=1000) -> Iterator["PackageVersion"]:
         """
         Enumerate over all the results without fetching everything at once.
@@ -120,6 +126,13 @@ class PackageVersion(VisibilityMixin, AdminLinkMixin):
     readme = models.TextField()
     changelog = models.TextField(blank=True, null=True)
 
+    # TODO: Default should be pending once all versions require automated scanning before appearing to users
+    review_status = models.CharField(
+        default=PackageVersionReviewStatus.skipped,
+        choices=PackageVersionReviewStatus.as_choices(),
+        max_length=512,
+    )
+
     # <packagename>.zip
     file = models.FileField(
         upload_to=get_version_zip_filepath,
@@ -148,6 +161,11 @@ def validate(self):
 
     def save(self, *args, **kwargs):
         self.validate()
+
+        old_review_status = PackageVersion.objects.get(pk=self.pk).review_status
+        if old_review_status != self.review_status:
+            self.update_visibility()
+
         return super().save(*args, **kwargs)
 
     class Meta:
@@ -297,6 +315,23 @@ def log_download_event(version_id: int, client_ip: Optional[str]):
 
         log_version_download.delay(version_id, timezone.now().isoformat())
 
+    def update_visibility(self):
+        self.visibility.public_detail = True
+        self.visibility.public_list = True
+        self.visibility.owner_detail = True
+        self.visibility.owner_list = True
+        self.visibility.moderator_detail = True
+        self.visibility.moderator_list = True
+
+        if (
+            self.review_status == PackageVersionReviewStatus.rejected
+            or self.review_status == PackageVersionReviewStatus.pending
+        ):
+            self.visibility.public_detail = False
+            self.visibility.public_list = False
+
+        self.visibility.save()
+
 
 signals.post_save.connect(PackageVersion.post_save, sender=PackageVersion)
 signals.post_delete.connect(PackageVersion.post_delete, sender=PackageVersion)

From 504256b8ca4e8e25b922a41874e975872ef29c91 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:27:07 -0400
Subject: [PATCH 21/61] Update Package version information

Update available_versions to exclude private versions
Update recache latest to only save if latest isn't None
---
 django/thunderstore/repository/models/package.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index 5abe5bf58..393b4eea8 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -162,8 +162,10 @@ def display_name(self):
     @cached_property
     def available_versions(self):
         # TODO: Caching
-        versions = self.versions.filter(is_active=True).values_list(
-            "pk", "version_number"
+        versions = (
+            self.versions.filter(is_active=True)
+            .public_list()
+            .values_list("pk", "version_number")
         )
         ordered = sorted(versions, key=lambda version: StrictVersion(version[1]))
         pk_list = [version[0] for version in reversed(ordered)]
@@ -272,7 +274,7 @@ def recache_latest(self):
         if hasattr(self, "available_versions"):
             del self.available_versions  # Bust the version cache
         self.latest = self.available_versions.first()
-        if old_latest != self.latest:
+        if old_latest != self.latest and self.latest is not None:
             self.save()
 
     def handle_created_version(self, version):

From dde92a860ee60ffc83befcd0f1e1a669e62d2f27 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:42:47 -0400
Subject: [PATCH 22/61] Add visibility to PackageListing

Add VisibilityMixin to PackageListing
Add VisibilityQuerySet to PackageListingQueryset
Add visibility logic to ensure_can_be_viewed_by_user
Add update_visibility method to PackageListing
Use listing.update_visibility in recache_latest
---
 .../0030_packagelisting_visibility.py         | 25 +++++++++
 .../community/models/package_listing.py       | 53 ++++++++++++++++++-
 .../thunderstore/repository/models/package.py |  2 +
 3 files changed, 78 insertions(+), 2 deletions(-)
 create mode 100644 django/thunderstore/community/migrations/0030_packagelisting_visibility.py

diff --git a/django/thunderstore/community/migrations/0030_packagelisting_visibility.py b/django/thunderstore/community/migrations/0030_packagelisting_visibility.py
new file mode 100644
index 000000000..d1ed2e079
--- /dev/null
+++ b/django/thunderstore/community/migrations/0030_packagelisting_visibility.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.1.7 on 2024-10-03 19:34
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("permissions", "0001_initial"),
+        ("community", "0029_packagelisting_is_auto_imported"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="packagelisting",
+            name="visibility",
+            field=models.OneToOneField(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.PROTECT,
+                to="permissions.visibilityflags",
+            ),
+        ),
+    ]
diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index e0b7a3263..9988b90cb 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -15,6 +15,7 @@
 from thunderstore.core.types import UserType
 from thunderstore.core.utils import check_validity
 from thunderstore.frontend.url_reverse import get_community_url_reverse_args
+from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
 from thunderstore.permissions.utils import validate_user
 from thunderstore.webhooks.audit import (
     AuditAction,
@@ -27,7 +28,7 @@
     from thunderstore.community.models import PackageCategory
 
 
-class PackageListingQueryset(models.QuerySet):
+class PackageListingQueryset(VisibilityQuerySet):
     def active(self):
         return self.exclude(package__is_active=False).exclude(
             ~Q(package__versions__is_active=True)
@@ -46,7 +47,7 @@ def filter_by_community_approval_rule(self):
 # TODO: Add a db constraint that ensures a package listing and it's categories
 #       belong to the same community. This might require actually specifying
 #       the intermediate model in code rather than letting Django handle it
-class PackageListing(TimestampMixin, AdminLinkMixin, models.Model):
+class PackageListing(TimestampMixin, VisibilityMixin, AdminLinkMixin, models.Model):
     """
     Represents a package's relation to how it's displayed on the site and APIs
     """
@@ -101,6 +102,11 @@ def validate(self):
 
     def save(self, *args, **kwargs):
         self.validate()
+
+        old_review_status = PackageListing.objects.get(pk=self.pk).review_status
+        if old_review_status != self.review_status:
+            self.update_visibility()
+
         return super().save(*args, **kwargs)
 
     def __str__(self):
@@ -342,6 +348,21 @@ def get_has_perms() -> bool:
                 )
             )
 
+        if not self.visibility:
+            raise ValidationError("Insufficient permissions to view")
+
+        if not self.visibility.public_detail:
+            if not (
+                self.visibility.owner_detail
+                and self.package.owner.can_user_access(user)
+            ):
+                if not (
+                    self.visibility.moderator_detail
+                    and self.community.can_user_manage_packages(user)
+                ):
+                    if not (self.visibility.admin_detail and user.is_superuser):
+                        raise ValidationError("Insufficient permissions to view")
+
         if self.community.require_package_listing_approval:
             if (
                 self.review_status != PackageListingReviewStatus.approved
@@ -358,6 +379,34 @@ def get_has_perms() -> bool:
     def can_be_viewed_by_user(self, user: Optional[UserType]) -> bool:
         return check_validity(lambda: self.ensure_can_be_viewed_by_user(user))
 
+    def update_visibility(self):
+        self.visibility.public_detail = True
+        self.visibility.public_list = True
+        self.visibility.owner_detail = True
+        self.visibility.owner_list = True
+        self.visibility.moderator_detail = True
+        self.visibility.moderator_list = True
+
+        if self.review_status == PackageListingReviewStatus.rejected:
+            self.visibility.public_detail = False
+            self.visibility.public_list = False
+
+        versions = self.package.versions.filter(is_active=True).all()
+        if versions.exclude(visibility__public_detail=False).count() == 0:
+            self.visibility.public_detail = False
+        if versions.exclude(visibility__public_list=False).count() == 0:
+            self.visibility.public_list = False
+        if versions.exclude(visibility__owner_detail=False).count() == 0:
+            self.visibility.owner_detail = False
+        if versions.exclude(visibility__owner_list=False).count() == 0:
+            self.visibility.owner_list = False
+        if versions.exclude(visibility__moderator_detail=False).count() == 0:
+            self.visibility.moderator_detail = False
+        if versions.exclude(visibility__moderator_list=False).count() == 0:
+            self.visibility.moderator_list = False
+
+        self.visibility.save()
+
 
 signals.post_save.connect(PackageListing.post_save, sender=PackageListing)
 signals.post_delete.connect(PackageListing.post_delete, sender=PackageListing)
diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index 393b4eea8..d753747c5 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -276,6 +276,8 @@ def recache_latest(self):
         self.latest = self.available_versions.first()
         if old_latest != self.latest and self.latest is not None:
             self.save()
+        for listing in self.community_listings.all():
+            listing.update_visibility()
 
     def handle_created_version(self, version):
         self.date_updated = timezone.now()

From 191952d403d637b4933f4df157fa71c214428ef6 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:50:55 -0400
Subject: [PATCH 23/61] Add migrations to populate visibility

Add migrations to populate visibility field for PackageVersion and
PackageListing
---
 ...efault_visibility_for_existing_listings.py | 63 +++++++++++++++++++
 ...efault_visibility_for_existing_versions.py | 52 +++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
 create mode 100644 django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py

diff --git a/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py b/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
new file mode 100644
index 000000000..5e57bd652
--- /dev/null
+++ b/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
@@ -0,0 +1,63 @@
+from django.db import migrations
+
+from thunderstore.community.consts import PackageListingReviewStatus
+
+
+def create_default_visibility_for_existing_records(apps, schema_editor):
+    PackageListing = apps.get_model("community", "PackageListing")
+    VisibilityFlags = apps.get_model("permissions", "VisibilityFlags")
+
+    for instance in PackageListing.objects.filter(visibility__isnull=True):
+        visibility_flags = VisibilityFlags.objects.create(
+            public_list=False,
+            public_detail=False,
+            owner_list=True,
+            owner_detail=True,
+            moderator_list=True,
+            moderator_detail=True,
+            admin_list=True,
+            admin_detail=True,
+        )
+        instance.visibility = visibility_flags
+        instance.save()
+        update_visibility(instance)
+
+
+def update_visibility(listing):
+    listing.visibility.public_detail = True
+    listing.visibility.public_list = True
+    listing.visibility.owner_detail = True
+    listing.visibility.owner_list = True
+    listing.visibility.moderator_detail = True
+    listing.visibility.moderator_list = True
+
+    if listing.review_status == PackageListingReviewStatus.rejected:
+        listing.visibility.public_detail = False
+        listing.visibility.public_list = False
+
+    versions = listing.package.versions.filter(is_active=True).all()
+    if versions.exclude(visibility__public_detail=False).count() == 0:
+        listing.visibility.public_detail = False
+    if versions.exclude(visibility__public_list=False).count() == 0:
+        listing.visibility.public_list = False
+    if versions.exclude(visibility__owner_detail=False).count() == 0:
+        listing.visibility.owner_detail = False
+    if versions.exclude(visibility__owner_list=False).count() == 0:
+        listing.visibility.owner_list = False
+    if versions.exclude(visibility__moderator_detail=False).count() == 0:
+        listing.visibility.moderator_detail = False
+    if versions.exclude(visibility__moderator_list=False).count() == 0:
+        listing.visibility.moderator_list = False
+
+    listing.visibility.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("community", "0030_packagelisting_visibility"),
+    ]
+
+    operations = [
+        migrations.RunPython(create_default_visibility_for_existing_records),
+    ]
diff --git a/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py b/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py
new file mode 100644
index 000000000..5dee13dfe
--- /dev/null
+++ b/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py
@@ -0,0 +1,52 @@
+from django.db import migrations
+
+from thunderstore.repository.consts import PackageVersionReviewStatus
+
+
+def create_default_visibility_for_existing_records(apps, schema_editor):
+    PackageVersion = apps.get_model("repository", "PackageVersion")
+    VisibilityFlags = apps.get_model("permissions", "VisibilityFlags")
+
+    for instance in PackageVersion.objects.filter(visibility__isnull=True):
+        visibility_flags = VisibilityFlags.objects.create(
+            public_list=False,
+            public_detail=False,
+            owner_list=True,
+            owner_detail=True,
+            moderator_list=True,
+            moderator_detail=True,
+            admin_list=True,
+            admin_detail=True,
+        )
+        instance.visibility = visibility_flags
+        instance.save()
+        update_visibility(instance)
+
+
+def update_visibility(version):
+    version.visibility.public_detail = True
+    version.visibility.public_list = True
+    version.visibility.owner_detail = True
+    version.visibility.owner_list = True
+    version.visibility.moderator_detail = True
+    version.visibility.moderator_list = True
+
+    if (
+        version.review_status == PackageVersionReviewStatus.rejected
+        or version.review_status == PackageVersionReviewStatus.pending
+    ):
+        version.visibility.public_detail = False
+        version.visibility.public_list = False
+
+    version.visibility.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("repository", "0055_packageversion_review_status"),
+    ]
+
+    operations = [
+        migrations.RunPython(create_default_visibility_for_existing_records),
+    ]

From c48a020b1f3a6c6f023605d7d1157a7d0dbd6a4e Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 16:53:05 -0400
Subject: [PATCH 24/61] Add visibility filter to PackageListSearchView

Add visibility filter to PackageListSearchView so searches do not return
packages that are not publicly listed
---
 django/thunderstore/repository/views/package/list.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/django/thunderstore/repository/views/package/list.py b/django/thunderstore/repository/views/package/list.py
index 46e5c75eb..f12adafb3 100644
--- a/django/thunderstore/repository/views/package/list.py
+++ b/django/thunderstore/repository/views/package/list.py
@@ -271,6 +271,7 @@ def get_queryset(self):
             queryset = queryset.exclude(package__is_deprecated=True)
 
         queryset = self.filter_approval_status(queryset)
+        queryset = queryset.public_list()
 
         search_query = self.get_search_query()
         if search_query:

From 82d1a4e0c589a3affcf8975320c255f87bc3a8a5 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 18:45:54 -0400
Subject: [PATCH 25/61] Fix PackageListing/Version save()

Fix PackageListing/Version save() which would fail for new instances
---
 django/thunderstore/community/models/package_listing.py  | 7 ++++---
 django/thunderstore/repository/models/package_version.py | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 9988b90cb..0da9da831 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -103,9 +103,10 @@ def validate(self):
     def save(self, *args, **kwargs):
         self.validate()
 
-        old_review_status = PackageListing.objects.get(pk=self.pk).review_status
-        if old_review_status != self.review_status:
-            self.update_visibility()
+        old_self = PackageListing.objects.filter(pk=self.pk).first()
+        if old_self is not None:
+            if old_self.review_status != self.review_status:
+                self.update_visibility()
 
         return super().save(*args, **kwargs)
 
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 2f1d84874..3490eb497 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -162,9 +162,10 @@ def validate(self):
     def save(self, *args, **kwargs):
         self.validate()
 
-        old_review_status = PackageVersion.objects.get(pk=self.pk).review_status
-        if old_review_status != self.review_status:
-            self.update_visibility()
+        old_self = PackageVersion.objects.filter(pk=self.pk).first()
+        if old_self is not None:
+            if old_self.review_status != self.review_status:
+                self.update_visibility()
 
         return super().save(*args, **kwargs)
 

From bb4554d82094f9f04404df041978dabdb6e5a70b Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 22 Oct 2024 18:47:55 -0400
Subject: [PATCH 26/61] Update listing templates

Add unavailable_versions property to Package
Update PackageListing Detail and Versions pages to show
unavailability information
---
 .../community/packagelisting_detail.html      | 10 ++++++--
 .../community/packagelisting_versions.html    | 18 ++++++++++++-
 .../thunderstore/repository/models/package.py | 25 +++++++++++++++++++
 3 files changed, 50 insertions(+), 3 deletions(-)

diff --git a/django/thunderstore/community/templates/community/packagelisting_detail.html b/django/thunderstore/community/templates/community/packagelisting_detail.html
index ef854a324..0072a31c4 100644
--- a/django/thunderstore/community/templates/community/packagelisting_detail.html
+++ b/django/thunderstore/community/templates/community/packagelisting_detail.html
@@ -49,7 +49,7 @@
 </script>
 {% endif %}
 
-{% cache_until "any_package_updated" "mod-detail-header" 300 object.package.pk community_identifier %}
+{% cache_until "any_package_updated" "mod-detail-header" 300 object.package.pk community_identifier object.package.latest.pk %}
 
 <nav class="mt-3" aria-label="breadcrumb">
   <ol class="breadcrumb">
@@ -68,6 +68,12 @@
 
 {% endcache %}
 
+{% if show_review_status and object.package.unavailable_versions %}
+    <div class="alert alert-danger" role="alert">
+        One or more versions of this package are awaiting approval.
+    </div>
+{% endif %}
+
 {% if show_review_status and object.is_rejected %}
 <div class="card text-white bg-danger mt-2">
     <div class="card-body">
@@ -114,7 +120,7 @@ <h4 class="card-title">
 
 <div class="card bg-light mt-2">
     {% include "community/includes/package_tabs.html" with tabs=tabs %}
-    {% cache_until "any_package_updated" "mod-detail-content" 300 object.package.pk community_identifier %}
+    {% cache_until "any_package_updated" "mod-detail-content" 300 object.package.pk community_identifier object.package.latest.pk %}
     {% include "community/includes/package_header.html" with object=object %}
     <div class="card-body pb-1">
         <table class="table mb-0">
diff --git a/django/thunderstore/community/templates/community/packagelisting_versions.html b/django/thunderstore/community/templates/community/packagelisting_versions.html
index 835e4dfe8..16ee7fb72 100644
--- a/django/thunderstore/community/templates/community/packagelisting_versions.html
+++ b/django/thunderstore/community/templates/community/packagelisting_versions.html
@@ -19,7 +19,7 @@
 {% endblock %}
 
 {% block content %}
-{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier %}
+{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier object.package.available_versions %}
 
 <nav class="mt-3" aria-label="breadcrumb">
     <ol class="breadcrumb">
@@ -51,4 +51,20 @@ <h2 class="mb-0">Available versions</h2>
 </div>
 
 {% endcache %}
+
+{% if show_management_panel and object.package.unavailable_versions %}
+<div class="card bg-light mt-2 mb-2">
+    <div class="card-header">
+        <h2 class="mb-0">Unavailable versions</h2>
+    </div>
+    <div class="card-body pb-1">
+        <p>
+            The versions below are awaiting approval. If this takes more than 24 hours, please reach out to the moderators in
+            <a href="https://discord.thunderstore.io/">our Discord server</a>.
+        </p>
+        {% include "community/includes/version_table.html" with versions=object.package.unavailable_versions %}
+    </div>
+</div>
+{% endif %}
+
 {% endblock %}
diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index d753747c5..fd541dcca 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -162,6 +162,8 @@ def display_name(self):
     @cached_property
     def available_versions(self):
         # TODO: Caching
+        if hasattr(self, "unavailable_versions"):
+            del self.unavailable_versions
         versions = (
             self.versions.filter(is_active=True)
             .public_list()
@@ -184,6 +186,29 @@ def available_versions(self):
             )
         )
 
+    @cached_property
+    def unavailable_versions(self):
+        # TODO: Caching
+        versions = self.versions.filter(
+            is_active=True, review_status__in=["pending", "rejected"]
+        ).values_list("pk", "version_number")
+        ordered = sorted(versions, key=lambda version: StrictVersion(version[1]))
+        pk_list = [version[0] for version in reversed(ordered)]
+        preserved = Case(*[When(pk=pk, then=pos) for pos, pk in enumerate(pk_list)])
+        return (
+            self.versions.filter(pk__in=pk_list)
+            .order_by(preserved)
+            .prefetch_related(
+                "dependencies",
+                "dependencies__package",
+                "dependencies__package__owner",
+            )
+            .select_related(
+                "package",
+                "package__owner",
+            )
+        )
+
     @cached_property
     def downloads(self):
         # TODO: Caching

From 2f4e6cb82d80e121722b53bce70a347d4df5bdad Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Fri, 25 Oct 2024 11:03:58 -0400
Subject: [PATCH 27/61] Fix visibility / recaching

Fix latest recaching by finding any active version if the first available version
is None
Ensure package versions are saved before trying to create the listing
Fix visibility by updating only when the related model is saved
Move recache_latest from approve/reject to after update_visibility
---
 .../community/models/package_listing.py         | 12 +++++++++---
 .../repository/admin/package_version.py         |  2 --
 .../thunderstore/repository/models/package.py   |  8 ++++----
 .../repository/models/package_version.py        | 17 +++++++++++++----
 .../thunderstore/repository/package_upload.py   |  5 +++--
 5 files changed, 29 insertions(+), 15 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 0da9da831..30e5db697 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -16,6 +16,7 @@
 from thunderstore.core.utils import check_validity
 from thunderstore.frontend.url_reverse import get_community_url_reverse_args
 from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
+from thunderstore.permissions.models import VisibilityFlags
 from thunderstore.permissions.utils import validate_user
 from thunderstore.webhooks.audit import (
     AuditAction,
@@ -104,9 +105,10 @@ def save(self, *args, **kwargs):
         self.validate()
 
         old_self = PackageListing.objects.filter(pk=self.pk).first()
-        if old_self is not None:
-            if old_self.review_status != self.review_status:
-                self.update_visibility()
+        if old_self is None:
+            self.update_visibility()
+        elif old_self.review_status != self.review_status:
+            self.update_visibility()
 
         return super().save(*args, **kwargs)
 
@@ -380,7 +382,11 @@ def get_has_perms() -> bool:
     def can_be_viewed_by_user(self, user: Optional[UserType]) -> bool:
         return check_validity(lambda: self.ensure_can_be_viewed_by_user(user))
 
+    @transaction.atomic
     def update_visibility(self):
+        if not self.visibility:
+            self.visibility = VisibilityFlags.objects.create_private()
+
         self.visibility.public_detail = True
         self.visibility.public_list = True
         self.visibility.owner_detail = True
diff --git a/django/thunderstore/repository/admin/package_version.py b/django/thunderstore/repository/admin/package_version.py
index 12b679687..dfb9bfb06 100644
--- a/django/thunderstore/repository/admin/package_version.py
+++ b/django/thunderstore/repository/admin/package_version.py
@@ -27,7 +27,6 @@ def reject_version(modeladmin, request, queryset: QuerySet[PackageVersion]):
     for version in queryset:
         version.review_status = PackageVersionReviewStatus.rejected
         version.save(update_fields=("review_status",))
-        version.package.recache_latest()
 
 
 reject_version.short_description = "Reject"
@@ -38,7 +37,6 @@ def approve_version(modeladmin, request, queryset: QuerySet[PackageVersion]):
     for version in queryset:
         version.review_status = PackageVersionReviewStatus.approved
         version.save(update_fields=("review_status",))
-        version.package.recache_latest()
 
 
 approve_version.short_description = "Approve"
diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index fd541dcca..2e939af69 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -190,7 +190,7 @@ def available_versions(self):
     def unavailable_versions(self):
         # TODO: Caching
         versions = self.versions.filter(
-            is_active=True, review_status__in=["pending", "rejected"]
+            is_active=True, visibility__public_list=False, visibility__owner_list=True
         ).values_list("pk", "version_number")
         ordered = sorted(versions, key=lambda version: StrictVersion(version[1]))
         pk_list = [version[0] for version in reversed(ordered)]
@@ -299,10 +299,10 @@ def recache_latest(self):
         if hasattr(self, "available_versions"):
             del self.available_versions  # Bust the version cache
         self.latest = self.available_versions.first()
-        if old_latest != self.latest and self.latest is not None:
+        if self.latest is None:
+            self.latest = self.versions.filter(is_active=True).first()
+        if old_latest != self.latest:
             self.save()
-        for listing in self.community_listings.all():
-            listing.update_visibility()
 
     def handle_created_version(self, version):
         self.date_updated = timezone.now()
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 3490eb497..44afbecaa 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -6,7 +6,7 @@
 from django.core.cache import cache
 from django.core.exceptions import ValidationError
 from django.core.files.storage import get_storage_class
-from django.db import models
+from django.db import models, transaction
 from django.db.models import Manager, Q, QuerySet, Sum, signals
 from django.urls import reverse
 from django.utils import timezone
@@ -14,6 +14,7 @@
 
 from thunderstore.core.mixins import AdminLinkMixin
 from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
+from thunderstore.permissions.models import VisibilityFlags
 from thunderstore.repository.consts import (
     PACKAGE_NAME_REGEX,
     PackageVersionReviewStatus,
@@ -163,9 +164,10 @@ def save(self, *args, **kwargs):
         self.validate()
 
         old_self = PackageVersion.objects.filter(pk=self.pk).first()
-        if old_self is not None:
-            if old_self.review_status != self.review_status:
-                self.update_visibility()
+        if old_self is None:
+            self.update_visibility()
+        elif old_self.review_status != self.review_status:
+            self.update_visibility()
 
         return super().save(*args, **kwargs)
 
@@ -316,7 +318,11 @@ def log_download_event(version_id: int, client_ip: Optional[str]):
 
         log_version_download.delay(version_id, timezone.now().isoformat())
 
+    @transaction.atomic
     def update_visibility(self):
+        if not self.visibility:
+            self.visibility = VisibilityFlags.objects.create_private()
+
         self.visibility.public_detail = True
         self.visibility.public_list = True
         self.visibility.owner_detail = True
@@ -332,6 +338,9 @@ def update_visibility(self):
             self.visibility.public_list = False
 
         self.visibility.save()
+        for listing in self.package.community_listings.all():
+            listing.update_visibility()
+        self.package.recache_latest()
 
 
 signals.post_save.connect(PackageVersion.post_save, sender=PackageVersion)
diff --git a/django/thunderstore/repository/package_upload.py b/django/thunderstore/repository/package_upload.py
index b2249719d..356996f03 100644
--- a/django/thunderstore/repository/package_upload.py
+++ b/django/thunderstore/repository/package_upload.py
@@ -196,6 +196,9 @@ def save(self, *args, **kwargs) -> PackageVersion:
             zip_data=self.cleaned_data["file"],
         )
 
+        self.instance.icon.save("icon.png", self.icon)
+        instance = super().save()
+
         community_categories = self.cleaned_data.get("community_categories", {})
         for community in self.cleaned_data.get("communities", []):
             categories = community_categories.get(community.identifier, [])
@@ -211,8 +214,6 @@ def save(self, *args, **kwargs) -> PackageVersion:
                 community=community,
             )
 
-        self.instance.icon.save("icon.png", self.icon)
-        instance = super().save()
         for reference in self.manifest["dependencies"]:
             instance.dependencies.add(reference.instance)
 

From 272cbb334e5be482df4d99d707a7879071a9a132 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Fri, 25 Oct 2024 11:04:50 -0400
Subject: [PATCH 28/61] Add authentication to package version page

Add authentication to package version page so users can't view rejected
versions without proper permissions
---
 .../repository/models/package_version.py      | 28 +++++++++++++++++++
 .../repository/views/package/version.py       |  9 ++++--
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 44afbecaa..45325a977 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -12,7 +12,10 @@
 from django.utils import timezone
 from django.utils.functional import cached_property
 
+from thunderstore.community.models import Community
 from thunderstore.core.mixins import AdminLinkMixin
+from thunderstore.core.types import UserType
+from thunderstore.core.utils import check_validity
 from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
 from thunderstore.permissions.models import VisibilityFlags
 from thunderstore.repository.consts import (
@@ -318,6 +321,31 @@ def log_download_event(version_id: int, client_ip: Optional[str]):
 
         log_version_download.delay(version_id, timezone.now().isoformat())
 
+    def ensure_can_be_viewed_by_user(
+        self, user: Optional[UserType], community: Community
+    ) -> None:
+        if not self.visibility:
+            raise ValidationError("Insufficient permissions to view")
+
+        if not self.visibility.public_detail:
+            if not (
+                self.visibility.owner_detail
+                and self.package.owner.can_user_access(user)
+            ):
+                if not (
+                    self.visibility.moderator_detail
+                    and community.can_user_manage_packages(user)
+                ):
+                    if not (self.visibility.admin_detail and user.is_superuser):
+                        raise ValidationError("Insufficient permissions to view")
+
+    def can_be_viewed_by_user(
+        self, user: Optional[UserType], community: Community
+    ) -> bool:
+        return check_validity(
+            lambda: self.ensure_can_be_viewed_by_user(user, community)
+        )
+
     @transaction.atomic
     def update_visibility(self):
         if not self.visibility:
diff --git a/django/thunderstore/repository/views/package/version.py b/django/thunderstore/repository/views/package/version.py
index 6a4c1baa5..98e8ad285 100644
--- a/django/thunderstore/repository/views/package/version.py
+++ b/django/thunderstore/repository/views/package/version.py
@@ -18,7 +18,7 @@ class PackageVersionDetailView(CommunityMixin, DetailView):
     def get_object(self, *args, **kwargs):
         owner = self.kwargs["owner"]
         name = self.kwargs["name"]
-        version = self.kwargs["version"]
+        version_number = self.kwargs["version"]
         listing = get_object_or_404(
             PackageListing,
             package__owner__name=owner,
@@ -29,11 +29,14 @@ def get_object(self, *args, **kwargs):
             raise Http404("Package is waiting for approval or has been rejected")
         if not listing.package.is_active:
             raise Http404("Main package is deactivated")
-        return get_object_or_404(
+        version = get_object_or_404(
             PackageVersion,
             package=listing.package,
-            version_number=version,
+            version_number=version_number,
         )
+        if not version.can_be_viewed_by_user(self.request.user, listing.community):
+            raise Http404("Package is waiting for approval or has been rejected")
+        return version
 
     def get_context_data(self, *args, **kwargs):
         context = super().get_context_data(*args, **kwargs)

From ad07c47698e23c2b021339935e58d6cedf9aebb8 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Fri, 25 Oct 2024 15:41:00 -0400
Subject: [PATCH 29/61] Add version review buttons to versions table

Add version review buttons to versions table
Add version reject/approve audit events
Add APIs for rejecting/approving versions
---
 .../community/includes/version_table.html     | 77 +++++++++++++++++-
 .../community/packagelisting_versions.html    |  2 +-
 .../repository/api/experimental/urls.py       | 14 ++++
 .../api/experimental/views/package_version.py | 44 +++++++++-
 .../repository/models/package_version.py      | 81 +++++++++++++++++++
 .../thunderstore/repository/views/mixins.py   |  1 +
 django/thunderstore/webhooks/audit.py         |  2 +
 7 files changed, 215 insertions(+), 6 deletions(-)

diff --git a/django/thunderstore/community/templates/community/includes/version_table.html b/django/thunderstore/community/templates/community/includes/version_table.html
index 0d2ca1c38..d4a6f019f 100644
--- a/django/thunderstore/community/templates/community/includes/version_table.html
+++ b/django/thunderstore/community/templates/community/includes/version_table.html
@@ -4,16 +4,87 @@
         <th>Version number</th>
         <th>Downloads</th>
         <th>Actions</th>
+        {% if can_moderate %}
+            <th>Moderation</th>
+        {% endif %}
     </tr>
     {% for version in versions %}
         <tr>
             <td>{{ version.date_created|date:"Y-n-j" }}</td>
             <td>{{ version.version_number }}</td>
             <td>{{ version.downloads }}</td>
-            <td class="d-flex gap-1">
-                <a href="{{ version.full_download_url }}" type="button" class="btn btn-primary">Download</a>
-                <a href="{{ version.install_url }}" type="button" class="btn btn-primary">Install</a>
+            <td>
+                <div class="d-flex gap-1">
+                    <a href="{{ version.full_download_url }}" type="button" class="btn btn-primary">Download</a>
+                    <a href="{{ version.install_url }}" type="button" class="btn btn-primary">Install</a>
+                </div>
             </td>
+            {% if can_moderate %}
+                <td>
+                    <div class="d-flex gap-1">
+                        <button class="btn btn-danger" onclick="reviewVersion({{ version.pk }}, false)">REJECT</button>
+                        <button class="btn btn-success" onclick="reviewVersion({{ version.pk }}, true)">APPROVE</button>
+                    </div>
+                </td>
+            {% endif %}
         </tr>
     {% endfor %}
 </table>
+
+{% if can_moderate %}
+    <script>
+        function reviewVersion(version, approve) {
+            let apiURL = '/api/experimental/package-version/' + version;
+            if(approve)
+            {
+                apiURL += '/approve/';
+            }
+            else
+            {
+                apiURL += '/reject/';
+            }
+
+            fetch(apiURL, {
+                method: 'POST',
+                headers: {
+                    'authorization': `Session ${getCookie("sessionid")}`,
+                    'X-CSRFToken': getCookie("csrftoken"),
+                },
+            })
+                .then(response => {
+                    if (!response.ok) {
+                        throw new Error('Network response was not ok');
+                    }
+                    return response;
+                })
+                .then(data => {
+                    console.log('Success:', data);
+                    alert('Successfully reviewed package version');
+                    location.reload();
+                })
+                .catch(error => {
+                    console.error('Error:', error);
+                    alert('Failed to review package version');
+                    location.reload();
+                });
+        }
+
+        function getCookie(name) {
+            let cookieValue = null;
+            if (document.cookie && document.cookie !== "") {
+                let cookies = document.cookie.split(";");
+                for (let i = 0; i < cookies.length; i++) {
+                    let cookie = cookies[i].trim();
+
+                    if (cookie.substring(0, name.length + 1) === name + "=") {
+                        cookieValue = decodeURIComponent(
+                            cookie.substring(name.length + 1)
+                        );
+                        break;
+                    }
+                }
+            }
+            return cookieValue;
+        }
+    </script>
+{% endif %}
diff --git a/django/thunderstore/community/templates/community/packagelisting_versions.html b/django/thunderstore/community/templates/community/packagelisting_versions.html
index 16ee7fb72..d308d65c5 100644
--- a/django/thunderstore/community/templates/community/packagelisting_versions.html
+++ b/django/thunderstore/community/templates/community/packagelisting_versions.html
@@ -19,7 +19,7 @@
 {% endblock %}
 
 {% block content %}
-{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier object.package.available_versions %}
+{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier can_moderate object.package.available_versions %}
 
 <nav class="mt-3" aria-label="breadcrumb">
     <ol class="breadcrumb">
diff --git a/django/thunderstore/repository/api/experimental/urls.py b/django/thunderstore/repository/api/experimental/urls.py
index 62016a72f..a8d417b9b 100644
--- a/django/thunderstore/repository/api/experimental/urls.py
+++ b/django/thunderstore/repository/api/experimental/urls.py
@@ -11,6 +11,10 @@
 from thunderstore.repository.api.experimental.views.package_index import (
     PackageIndexApiView,
 )
+from thunderstore.repository.api.experimental.views.package_version import (
+    PackageVersionApproveApiView,
+    PackageVersionRejectApiView,
+)
 from thunderstore.repository.api.experimental.views.submit import SubmitPackageApiView
 from thunderstore.repository.api.experimental.views.submit_async import (
     CreateAsyncPackageSubmissionApiView,
@@ -90,4 +94,14 @@
         IconValidatorApiView.as_view(),
         name="submission.validate.icon",
     ),
+    path(
+        "package-version/<int:pk>/approve/",
+        PackageVersionApproveApiView.as_view(),
+        name="package-version.approve",
+    ),
+    path(
+        "package-version/<int:pk>/reject/",
+        PackageVersionRejectApiView.as_view(),
+        name="package-version.reject",
+    ),
 ]
diff --git a/django/thunderstore/repository/api/experimental/views/package_version.py b/django/thunderstore/repository/api/experimental/views/package_version.py
index 5fd4bc66f..878b52263 100644
--- a/django/thunderstore/repository/api/experimental/views/package_version.py
+++ b/django/thunderstore/repository/api/experimental/views/package_version.py
@@ -1,6 +1,8 @@
 from drf_yasg.utils import swagger_auto_schema
-from rest_framework.exceptions import ValidationError
-from rest_framework.generics import RetrieveAPIView, get_object_or_404
+from rest_framework import permissions, status
+from rest_framework.authentication import BasicAuthentication, SessionAuthentication
+from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.generics import GenericAPIView, RetrieveAPIView, get_object_or_404
 from rest_framework.response import Response
 
 from thunderstore.cache.cache import ManualCacheCommunityMixin
@@ -107,3 +109,41 @@ def retrieve(self, request, *args, **kwargs):
         instance = self.get_object()
         serializer = self.get_serializer({"markdown": instance.readme})
         return Response(serializer.data)
+
+
+class PackageVersionRejectApiView(GenericAPIView):
+    queryset = PackageVersion.objects
+
+    @swagger_auto_schema(
+        operation_id="experimental.package_version.reject",
+        tags=["experimental"],
+    )
+    def post(self, request, *args, **kwargs):
+        version: PackageVersion = self.get_object()
+
+        try:
+            version.reject(
+                agent=request.user,
+            )
+            return Response(status=status.HTTP_200_OK)
+        except PermissionError:
+            raise PermissionDenied()
+
+
+class PackageVersionApproveApiView(GenericAPIView):
+    queryset = PackageVersion.objects
+
+    @swagger_auto_schema(
+        operation_id="experimental.package_version.approve",
+        tags=["experimental"],
+    )
+    def post(self, request, *args, **kwargs):
+        version: PackageVersion = self.get_object()
+
+        try:
+            version.approve(
+                agent=request.user,
+            )
+            return Response(status=status.HTTP_200_OK)
+        except PermissionError:
+            raise PermissionDenied()
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 45325a977..611a6de7d 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -12,6 +12,7 @@
 from django.utils import timezone
 from django.utils.functional import cached_property
 
+from thunderstore.community.consts import PackageListingReviewStatus
 from thunderstore.community.models import Community
 from thunderstore.core.mixins import AdminLinkMixin
 from thunderstore.core.types import UserType
@@ -25,6 +26,12 @@
 from thunderstore.repository.models import Package
 from thunderstore.repository.package_formats import PackageFormats
 from thunderstore.utils.decorators import run_after_commit
+from thunderstore.webhooks.audit import (
+    AuditAction,
+    AuditEvent,
+    AuditEventField,
+    fire_audit_event,
+)
 from thunderstore.webhooks.models.release import Webhook
 
 if TYPE_CHECKING:
@@ -321,6 +328,80 @@ def log_download_event(version_id: int, client_ip: Optional[str]):
 
         log_version_download.delay(version_id, timezone.now().isoformat())
 
+    def build_audit_event(
+        self,
+        *,
+        action: AuditAction,
+        user_id: Optional[int],
+        message: Optional[str] = None,
+    ) -> AuditEvent:
+        return AuditEvent(
+            timestamp=timezone.now(),
+            user_id=user_id,
+            action=action,
+            message=message,
+            related_url=self.package.get_view_on_site_url(),
+            fields=[
+                AuditEventField(
+                    name="Package",
+                    value=self.package.full_package_name,
+                ),
+            ],
+        )
+
+    @transaction.atomic
+    def reject(
+        self,
+        agent: Optional[UserType],
+        is_system: bool = False,
+    ):
+        if self.review_status == PackageVersionReviewStatus.immune:
+            raise PermissionError()
+
+        if is_system or self.can_user_manage_approval_status(agent):
+            self.review_status = PackageVersionReviewStatus.rejected
+            self.save(update_fields=("review_status",))
+
+            fire_audit_event(
+                self.build_audit_event(
+                    action=AuditAction.VERSION_REJECTED,
+                    user_id=agent.pk if agent else None,
+                )
+            )
+        else:
+            raise PermissionError()
+
+    @transaction.atomic
+    def approve(
+        self,
+        agent: Optional[UserType],
+        is_system: bool = False,
+    ):
+        if self.review_status == PackageVersionReviewStatus.immune:
+            raise PermissionError()
+
+        if is_system or self.can_user_manage_approval_status(agent):
+            self.review_status = PackageVersionReviewStatus.approved
+            self.save(update_fields=("review_status",))
+
+            fire_audit_event(
+                self.build_audit_event(
+                    action=AuditAction.VERSION_APPROVED,
+                    user_id=agent.pk if agent else None,
+                )
+            )
+        else:
+            raise PermissionError()
+
+    def can_user_manage_approval_status(self, user: Optional[UserType]) -> bool:
+        if self.review_status == PackageVersionReviewStatus.immune:
+            return False
+
+        for listing in self.package.community_listings.all():
+            if listing.can_user_manage_approval_status(user):
+                return True
+        return False
+
     def ensure_can_be_viewed_by_user(
         self, user: Optional[UserType], community: Community
     ) -> None:
diff --git a/django/thunderstore/repository/views/mixins.py b/django/thunderstore/repository/views/mixins.py
index d2c90e3ce..2f91f8937 100644
--- a/django/thunderstore/repository/views/mixins.py
+++ b/django/thunderstore/repository/views/mixins.py
@@ -157,6 +157,7 @@ def get_context_data(self, *args, **kwargs):
         )
         context["show_review_status"] = self.can_manage
         context["show_internal_notes"] = self.can_moderate
+        context["can_moderate"] = self.can_moderate
 
         context["management_panel_props"] = {
             "isDeprecated": package_listing.package.is_deprecated,
diff --git a/django/thunderstore/webhooks/audit.py b/django/thunderstore/webhooks/audit.py
index c77667339..8960a2970 100644
--- a/django/thunderstore/webhooks/audit.py
+++ b/django/thunderstore/webhooks/audit.py
@@ -10,6 +10,8 @@ class AuditAction(str, Enum):
     PACKAGE_REJECTED = "PACKAGE_REJECTED"
     PACKAGE_APPROVED = "PACKAGE_APPROVED"
     PACKAGE_WARNING = "PACKAGE_WARNING"
+    VERSION_REJECTED = "VERSION_REJECTED"
+    VERSION_APPROVED = "VERSION_APPROVED"
 
 
 class AuditEventField(BaseModel):

From 600ee51f1f5048b1481d4ca18fe848c135ff5636 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Fri, 25 Oct 2024 18:21:43 -0400
Subject: [PATCH 30/61] Ensure APIs only return public listings

Ensure APIs only return public listings
---
 django/thunderstore/api/cyberstorm/views/package_listing.py | 1 +
 django/thunderstore/repository/cache.py                     | 1 +
 2 files changed, 2 insertions(+)

diff --git a/django/thunderstore/api/cyberstorm/views/package_listing.py b/django/thunderstore/api/cyberstorm/views/package_listing.py
index 5a8722cde..839120994 100644
--- a/django/thunderstore/api/cyberstorm/views/package_listing.py
+++ b/django/thunderstore/api/cyberstorm/views/package_listing.py
@@ -146,6 +146,7 @@ def get_custom_package_listing(
     qs = (
         PackageListing.objects.active()
         .filter_by_community_approval_rule()
+        .public_list()
         .select_related(
             "community",
             "package__latest",
diff --git a/django/thunderstore/repository/cache.py b/django/thunderstore/repository/cache.py
index f3ea879bf..dc92252a1 100644
--- a/django/thunderstore/repository/cache.py
+++ b/django/thunderstore/repository/cache.py
@@ -32,6 +32,7 @@ def get_package_listing_base_queryset(
     return (
         PackageListing.objects.active()
         .filter_by_community_approval_rule()
+        .public_list()
         .exclude(~Q(community__identifier=community_identifier))
     )
 

From 7eafb7b3db444a4944dd2c0f69151738aae2d781 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Mon, 28 Oct 2024 21:54:05 -0400
Subject: [PATCH 31/61] Make APIs return only public_list instance

Update cyberstorm.package.versions and
experimental.frontend.community.packages
return only public_list instances
---
 .../thunderstore/api/cyberstorm/views/package_version_list.py   | 2 +-
 .../frontend/api/experimental/views/community_package_list.py   | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/django/thunderstore/api/cyberstorm/views/package_version_list.py b/django/thunderstore/api/cyberstorm/views/package_version_list.py
index 0dc69c957..2ba5248fc 100644
--- a/django/thunderstore/api/cyberstorm/views/package_version_list.py
+++ b/django/thunderstore/api/cyberstorm/views/package_version_list.py
@@ -27,4 +27,4 @@ def get_queryset(self):
             name__iexact=self.kwargs["package_name"],
         )
 
-        return package.versions.active()
+        return package.available_versions
diff --git a/django/thunderstore/frontend/api/experimental/views/community_package_list.py b/django/thunderstore/frontend/api/experimental/views/community_package_list.py
index e1682dbe6..4e8b1d555 100644
--- a/django/thunderstore/frontend/api/experimental/views/community_package_list.py
+++ b/django/thunderstore/frontend/api/experimental/views/community_package_list.py
@@ -91,6 +91,7 @@ def get_queryset(self, community: Community) -> QuerySet[Package]:
             .filter(
                 community_listings__community__pk=community.pk,
                 community_listings__review_status__in=review_statuses,
+                community_listings__visibility__public_list=True,
             )
             .prefetch_related(
                 community_listings,

From 9ca722aff784a5d88df5305a999d90baf0c1524c Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 29 Oct 2024 00:30:41 -0400
Subject: [PATCH 32/61] Small fixes to satisfy tests

Add check for None to PackageListing's ensure_can_be_viewed_by_user
Move format_category back inside get_context_data
Filter review queue to moderator_list instead of public_list
---
 .../community/models/package_listing.py       | 19 ++++++++++---------
 .../thunderstore/repository/views/mixins.py   | 10 +++++-----
 .../repository/views/package/list.py          | 12 +++++++++++-
 3 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 30e5db697..000dfd600 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -354,17 +354,18 @@ def get_has_perms() -> bool:
         if not self.visibility:
             raise ValidationError("Insufficient permissions to view")
 
-        if not self.visibility.public_detail:
-            if not (
-                self.visibility.owner_detail
-                and self.package.owner.can_user_access(user)
-            ):
+        if user is not None:
+            if not self.visibility.public_detail:
                 if not (
-                    self.visibility.moderator_detail
-                    and self.community.can_user_manage_packages(user)
+                    self.visibility.owner_detail
+                    and self.package.owner.can_user_access(user)
                 ):
-                    if not (self.visibility.admin_detail and user.is_superuser):
-                        raise ValidationError("Insufficient permissions to view")
+                    if not (
+                        self.visibility.moderator_detail
+                        and self.community.can_user_manage_packages(user)
+                    ):
+                        if not (self.visibility.admin_detail and user.is_superuser):
+                            raise ValidationError("Insufficient permissions to view")
 
         if self.community.require_package_listing_approval:
             if (
diff --git a/django/thunderstore/repository/views/mixins.py b/django/thunderstore/repository/views/mixins.py
index 2f91f8937..196ef0059 100644
--- a/django/thunderstore/repository/views/mixins.py
+++ b/django/thunderstore/repository/views/mixins.py
@@ -136,9 +136,6 @@ def get_review_panel(self):
             "packageListingId": self.object.pk,
         }
 
-    def format_category(cat: PackageCategory):
-        return {"name": cat.name, "slug": cat.slug}
-
     def get_context_data(self, *args, **kwargs):
         context = super().get_context_data(*args, **kwargs)
         package_listing = context["object"]
@@ -159,6 +156,9 @@ def get_context_data(self, *args, **kwargs):
         context["show_internal_notes"] = self.can_moderate
         context["can_moderate"] = self.can_moderate
 
+        def format_category(cat: PackageCategory):
+            return {"name": cat.name, "slug": cat.slug}
+
         context["management_panel_props"] = {
             "isDeprecated": package_listing.package.is_deprecated,
             "canDeprecate": self.can_deprecate,
@@ -167,10 +167,10 @@ def get_context_data(self, *args, **kwargs):
             "canUpdateCategories": self.can_manage_categories,
             "csrfToken": csrf.get_token(self.request),
             "currentCategories": [
-                self.format_category(x) for x in package_listing.categories.all()
+                format_category(x) for x in package_listing.categories.all()
             ],
             "availableCategories": [
-                self.format_category(x)
+                format_category(x)
                 for x in package_listing.community.package_categories.all()
             ],
             "packageListingId": package_listing.pk,
diff --git a/django/thunderstore/repository/views/package/list.py b/django/thunderstore/repository/views/package/list.py
index f12adafb3..4e14902d7 100644
--- a/django/thunderstore/repository/views/package/list.py
+++ b/django/thunderstore/repository/views/package/list.py
@@ -220,6 +220,11 @@ def filter_approval_status(
                 review_status=PackageListingReviewStatus.rejected,
             )
 
+    def filter_visibility(
+        self, queryset: QuerySet[PackageListing]
+    ) -> QuerySet[PackageListing]:
+        return queryset.public_list()
+
     def get_queryset(self):
         listing_ref = PackageListing.objects.filter(pk=OuterRef("pk"))
 
@@ -271,7 +276,7 @@ def get_queryset(self):
             queryset = queryset.exclude(package__is_deprecated=True)
 
         queryset = self.filter_approval_status(queryset)
-        queryset = queryset.public_list()
+        queryset = self.filter_visibility(queryset)
 
         search_query = self.get_search_query()
         if search_query:
@@ -437,6 +442,11 @@ def filter_approval_status(
     ) -> QuerySet[PackageListing]:
         return queryset
 
+    def filter_visibility(
+        self, queryset: QuerySet[PackageListing]
+    ) -> QuerySet[PackageListing]:
+        return queryset.moderator_list()
+
     def get_community_cache_vary(self) -> str:
         return ".".join(self.community_ids)
 

From beedbeba7d16c37f2ae26988ba8cd6f452f40ab4 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 29 Oct 2024 00:48:12 -0400
Subject: [PATCH 33/61] Add tests for listing/version visibility

Add VisibilityFlagsFactory
Add test for returning only visible packages
Add test for returning only packages with an available version
Add test for returning only visible versions
Add test for ensuring latest is visible if possible
---
 .../tests/test_package_version_list.py        | 54 ++++++++++++++++
 .../tests/test_community_package_list.py      | 61 +++++++++++++++++++
 django/thunderstore/permissions/factories.py  | 17 ++++++
 3 files changed, 132 insertions(+)
 create mode 100644 django/thunderstore/permissions/factories.py

diff --git a/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py b/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
index e8bd57d9f..cb79265ff 100644
--- a/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
+++ b/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
@@ -1,6 +1,8 @@
 import pytest
 from rest_framework.test import APIClient
 
+from thunderstore.permissions.factories import VisibilityFlagsFactory
+from thunderstore.repository.consts import PackageVersionReviewStatus
 from thunderstore.repository.factories import PackageVersionFactory
 from thunderstore.repository.models import Package
 
@@ -48,3 +50,55 @@ def test_package_version_list_api_view__returns_versions(
 
     assert len(actual) == 1
     assert actual[0]["version_number"] == expected.version_number
+
+
+@pytest.mark.django_db
+def test_only_visible_versions_are_returned(
+    api_client: APIClient,
+) -> None:
+    version1 = PackageVersionFactory(version_number="1.0.0")
+    version1.visibility = VisibilityFlagsFactory(public_list=True)
+    version1.save()
+
+    version2 = PackageVersionFactory(package=version1.package, version_number="2.0.0")
+    version2.visibility = VisibilityFlagsFactory(public_list=False)
+    version2.save()
+
+    response = api_client.get(
+        f"/api/cyberstorm/package/{version1.package.namespace}/{version1.package.name}/versions/",
+    )
+    actual = response.json()
+
+    assert len(actual) == 1
+    assert actual[0]["version_number"] == version1.version_number
+
+
+@pytest.mark.django_db
+def test_latest_is_visible_if_possible(
+    api_client: APIClient,
+) -> None:
+    version1 = PackageVersionFactory(version_number="1.0.0")
+    version1.visibility = VisibilityFlagsFactory(public_list=True)
+    version1.save()
+
+    version2 = PackageVersionFactory(package=version1.package, version_number="2.0.0")
+    version2.visibility = VisibilityFlagsFactory(public_list=True)
+    version2.save()
+
+    version1.package.recache_latest()
+
+    assert version1.package.latest == version2
+
+    version2.review_status = PackageVersionReviewStatus.rejected
+    version2.save()
+
+    version1.package.recache_latest()
+
+    assert version1.package.latest == version1
+
+    version1.review_status = PackageVersionReviewStatus.rejected
+    version1.save()
+
+    version1.package.recache_latest()
+
+    assert version1.package.latest == version1
diff --git a/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py b/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py
index 0d46a464e..52c223f17 100644
--- a/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py
+++ b/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py
@@ -11,6 +11,8 @@
 from thunderstore.community.models import PackageCategory, PackageListingSection
 from thunderstore.community.models.package_listing import PackageListing
 from thunderstore.frontend.api.experimental.views import CommunityPackageListApiView
+from thunderstore.permissions.factories import VisibilityFlagsFactory
+from thunderstore.repository.consts import PackageVersionReviewStatus
 from thunderstore.repository.factories import (
     PackageRatingFactory,
     PackageVersionFactory,
@@ -109,6 +111,65 @@ def test_only_approved_packages_are_returned_when_approval_is_required(
     __assert_packages_by_listings(data, listing2)
 
 
+@pytest.mark.django_db
+def test_only_visible_packages_are_returned(api_client: APIClient) -> None:
+    listing1 = PackageListingFactory()
+    listing1.visibility = VisibilityFlagsFactory(public_list=True)
+    listing1.save()
+
+    listing2 = PackageListingFactory(
+        community_=listing1.community,
+    )
+    listing2.visibility = VisibilityFlagsFactory(public_list=True)
+    listing2.save()
+
+    listing3 = PackageListingFactory(
+        community_=listing1.community,
+    )
+    listing3.visibility = VisibilityFlagsFactory(public_list=False)
+    listing3.save()
+
+    data = __query_api(api_client, listing1.community.identifier)
+
+    assert len(data["packages"]) == 2
+    __assert_packages_by_listings(data, [listing2, listing1])
+
+
+@pytest.mark.django_db
+def test_packages_with_only_rejected_versions_are_not_returned(
+    api_client: APIClient,
+) -> None:
+    listing1 = PackageListingFactory()
+    listing1.visibility = VisibilityFlagsFactory(public_list=True)
+    listing1.save()
+
+    listing2 = PackageListingFactory(community_=listing1.community)
+    listing2.visibility = VisibilityFlagsFactory(public_list=True)
+    listing2.save()
+    PackageVersionFactory(
+        package=listing2.package,
+        version_number="2.0.0",
+    )
+
+    listing3 = PackageListingFactory(community_=listing1.community)
+    listing3.visibility = VisibilityFlagsFactory(public_list=True)
+    listing3.save()
+
+    listing1.package.latest.review_status = PackageVersionReviewStatus.rejected
+    listing1.package.latest.save()
+
+    listing2.package.latest.review_status = PackageVersionReviewStatus.rejected
+    listing2.package.latest.save()
+
+    listing2.package.recache_latest()  # can't wait for post_save() here
+    listing2.package.latest.review_status = PackageVersionReviewStatus.rejected
+    listing2.package.latest.save()
+
+    data = __query_api(api_client, listing1.community.identifier)
+
+    assert len(data["packages"]) == 1
+
+
 @pytest.mark.django_db
 def test_deprecated_packages_are_returned_only_when_requested(
     api_client: APIClient,
diff --git a/django/thunderstore/permissions/factories.py b/django/thunderstore/permissions/factories.py
new file mode 100644
index 000000000..52ec4a6eb
--- /dev/null
+++ b/django/thunderstore/permissions/factories.py
@@ -0,0 +1,17 @@
+from factory.django import DjangoModelFactory
+
+from thunderstore.permissions.models import VisibilityFlags
+
+
+class VisibilityFlagsFactory(DjangoModelFactory):
+    class Meta:
+        model = VisibilityFlags
+
+    public_list = True
+    public_detail = True
+    owner_list = True
+    owner_detail = True
+    moderator_list = True
+    moderator_detail = True
+    admin_list = True
+    admin_detail = True

From f46bda18775321d1d7b3323e66d22be17e50518b Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 29 Oct 2024 10:45:03 -0400
Subject: [PATCH 34/61] Update webhook audits

Update webhook audits to display approval, rejection, and warnings for
listings, versions, and packages
---
 .../community/models/package_listing.py          |  4 ++--
 .../repository/models/package_version.py         |  4 ++++
 django/thunderstore/webhooks/audit.py            |  6 ++++--
 django/thunderstore/webhooks/models/audit.py     | 16 +++++++++++++---
 .../webhooks/tasks/tests/test_audit.py           |  8 ++++++--
 5 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 000dfd600..75c859fec 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -221,7 +221,7 @@ def reject(
             message = "\n\n".join(filter(bool, (rejection_reason, internal_notes)))
             fire_audit_event(
                 self.build_audit_event(
-                    action=AuditAction.PACKAGE_REJECTED,
+                    action=AuditAction.LISTING_REJECTED,
                     user_id=agent.pk if agent else None,
                     message=message,
                 )
@@ -247,7 +247,7 @@ def approve(
             )
             fire_audit_event(
                 self.build_audit_event(
-                    action=AuditAction.PACKAGE_APPROVED,
+                    action=AuditAction.LISTING_APPROVED,
                     user_id=agent.pk if agent else None,
                     message=internal_notes,
                 )
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 611a6de7d..f59546f8c 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -354,6 +354,7 @@ def reject(
         self,
         agent: Optional[UserType],
         is_system: bool = False,
+        message: Optional[str] = None,
     ):
         if self.review_status == PackageVersionReviewStatus.immune:
             raise PermissionError()
@@ -366,6 +367,7 @@ def reject(
                 self.build_audit_event(
                     action=AuditAction.VERSION_REJECTED,
                     user_id=agent.pk if agent else None,
+                    message=message,
                 )
             )
         else:
@@ -376,6 +378,7 @@ def approve(
         self,
         agent: Optional[UserType],
         is_system: bool = False,
+        message: Optional[str] = None,
     ):
         if self.review_status == PackageVersionReviewStatus.immune:
             raise PermissionError()
@@ -388,6 +391,7 @@ def approve(
                 self.build_audit_event(
                     action=AuditAction.VERSION_APPROVED,
                     user_id=agent.pk if agent else None,
+                    message=message,
                 )
             )
         else:
diff --git a/django/thunderstore/webhooks/audit.py b/django/thunderstore/webhooks/audit.py
index 8960a2970..e1f40ccf5 100644
--- a/django/thunderstore/webhooks/audit.py
+++ b/django/thunderstore/webhooks/audit.py
@@ -7,11 +7,13 @@
 
 
 class AuditAction(str, Enum):
-    PACKAGE_REJECTED = "PACKAGE_REJECTED"
-    PACKAGE_APPROVED = "PACKAGE_APPROVED"
     PACKAGE_WARNING = "PACKAGE_WARNING"
+    LISTING_REJECTED = "LISTING_REJECTED"
+    LISTING_APPROVED = "LISTING_APPROVED"
+    LISTING_WARNING = "LISTING_WARNING"
     VERSION_REJECTED = "VERSION_REJECTED"
     VERSION_APPROVED = "VERSION_APPROVED"
+    VERSION_WARNING = "VERSION_WARNING"
 
 
 class AuditEventField(BaseModel):
diff --git a/django/thunderstore/webhooks/models/audit.py b/django/thunderstore/webhooks/models/audit.py
index 569b85d14..9c8ade1ab 100644
--- a/django/thunderstore/webhooks/models/audit.py
+++ b/django/thunderstore/webhooks/models/audit.py
@@ -40,11 +40,21 @@ def get_for_event(cls, event: AuditEvent) -> QuerySet["AuditWebhook"]:
 
     @staticmethod
     def get_event_color(action: AuditAction) -> int:
-        if action == AuditAction.PACKAGE_APPROVED:
+        if (
+            action == AuditAction.LISTING_APPROVED
+            or action == AuditAction.VERSION_APPROVED
+        ):
             return 5763719
-        if action == AuditAction.PACKAGE_REJECTED:
+        if (
+            action == AuditAction.LISTING_REJECTED
+            or action == AuditAction.VERSION_REJECTED
+        ):
             return 15548997
-        if action == AuditAction.PACKAGE_WARNING:
+        if (
+            action == AuditAction.PACKAGE_WARNING
+            or action == AuditAction.LISTING_WARNING
+            or action == AuditAction.VERSION_WARNING
+        ):
             return 16705372
         return 9807270
 
diff --git a/django/thunderstore/webhooks/tasks/tests/test_audit.py b/django/thunderstore/webhooks/tasks/tests/test_audit.py
index 8b4eac65e..14fab5acb 100644
--- a/django/thunderstore/webhooks/tasks/tests/test_audit.py
+++ b/django/thunderstore/webhooks/tasks/tests/test_audit.py
@@ -13,9 +13,13 @@
 @pytest.mark.parametrize(
     "action",
     (
-        AuditAction.PACKAGE_APPROVED,
-        AuditAction.PACKAGE_REJECTED,
         AuditAction.PACKAGE_WARNING,
+        AuditAction.LISTING_REJECTED,
+        AuditAction.LISTING_APPROVED,
+        AuditAction.LISTING_WARNING,
+        AuditAction.VERSION_REJECTED,
+        AuditAction.VERSION_APPROVED,
+        AuditAction.VERSION_WARNING,
     ),
 )
 @pytest.mark.parametrize("message", (None, "Test message"))

From 9d5d9e5065d90335247d863dada279e75975eaf1 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Mon, 4 Nov 2024 14:29:56 -0500
Subject: [PATCH 35/61] Update listing visibility

Update visibility based on whether a community requires listings to be
approved or not
---
 django/thunderstore/community/models/package_listing.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 75c859fec..0fada592d 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -399,6 +399,13 @@ def update_visibility(self):
             self.visibility.public_detail = False
             self.visibility.public_list = False
 
+        if (
+            self.community.require_package_listing_approval
+            and self.review_status == PackageListingReviewStatus.unreviewed
+        ):
+            self.visibility.public_detail = False
+            self.visibility.public_list = False
+
         versions = self.package.versions.filter(is_active=True).all()
         if versions.exclude(visibility__public_detail=False).count() == 0:
             self.visibility.public_detail = False

From fe9758cdd4ae88b585f18a126972e0e7785aebb1 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Mon, 4 Nov 2024 14:42:04 -0500
Subject: [PATCH 36/61] Update version table caching

Add show_management_panel to version table caching
---
 .../community/templates/community/packagelisting_versions.html  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/django/thunderstore/community/templates/community/packagelisting_versions.html b/django/thunderstore/community/templates/community/packagelisting_versions.html
index d308d65c5..5c6d12f49 100644
--- a/django/thunderstore/community/templates/community/packagelisting_versions.html
+++ b/django/thunderstore/community/templates/community/packagelisting_versions.html
@@ -19,7 +19,7 @@
 {% endblock %}
 
 {% block content %}
-{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier can_moderate object.package.available_versions %}
+{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier can_moderate show_management_panel object.package.available_versions %}
 
 <nav class="mt-3" aria-label="breadcrumb">
     <ol class="breadcrumb">

From c088a236a6d506a29a71717552066b172fc2f29a Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Wed, 6 Nov 2024 12:55:06 -0500
Subject: [PATCH 37/61] Add reverse to RunPython migrations

Add reverse to RunPython migrations for creating default visibility for
existing instances of PackageListing and PackageVersion
---
 ...create_default_visibility_for_existing_listings.py | 11 ++++++++++-
 ...create_default_visibility_for_existing_versions.py |  4 +++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py b/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
index 5e57bd652..542d3c361 100644
--- a/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
+++ b/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
@@ -35,6 +35,13 @@ def update_visibility(listing):
         listing.visibility.public_detail = False
         listing.visibility.public_list = False
 
+    if (
+        listing.community.require_package_listing_approval
+        and listing.review_status == PackageListingReviewStatus.unreviewed
+    ):
+        listing.visibility.public_detail = False
+        listing.visibility.public_list = False
+
     versions = listing.package.versions.filter(is_active=True).all()
     if versions.exclude(visibility__public_detail=False).count() == 0:
         listing.visibility.public_detail = False
@@ -59,5 +66,7 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RunPython(create_default_visibility_for_existing_records),
+        migrations.RunPython(
+            create_default_visibility_for_existing_records, migrations.RunPython.noop
+        ),
     ]
diff --git a/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py b/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py
index 5dee13dfe..8618c54d7 100644
--- a/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py
+++ b/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py
@@ -48,5 +48,7 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RunPython(create_default_visibility_for_existing_records),
+        migrations.RunPython(
+            create_default_visibility_for_existing_records, migrations.RunPython.noop
+        ),
     ]

From 27b8247f21af5443c058cf351cc6f3c0afa4f286 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Wed, 6 Nov 2024 14:53:28 -0500
Subject: [PATCH 38/61] Refactor create_private -> create_unpublished

Refactor create_private -> create_unpublished because private might give
inaccurate assumptions
---
 django/thunderstore/community/models/package_listing.py  | 2 +-
 django/thunderstore/permissions/mixins.py                | 2 +-
 django/thunderstore/permissions/models/visibility.py     | 2 +-
 django/thunderstore/repository/models/package_version.py | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 0fada592d..b0cc7c39b 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -386,7 +386,7 @@ def can_be_viewed_by_user(self, user: Optional[UserType]) -> bool:
     @transaction.atomic
     def update_visibility(self):
         if not self.visibility:
-            self.visibility = VisibilityFlags.objects.create_private()
+            self.visibility = VisibilityFlags.objects.create_unpublished()
 
         self.visibility.public_detail = True
         self.visibility.public_list = True
diff --git a/django/thunderstore/permissions/mixins.py b/django/thunderstore/permissions/mixins.py
index c2e5b12c6..e04af8f69 100644
--- a/django/thunderstore/permissions/mixins.py
+++ b/django/thunderstore/permissions/mixins.py
@@ -56,7 +56,7 @@ class VisibilityMixin(models.Model):
     @transaction.atomic
     def save(self, *args, **kwargs):
         if not self.pk and not self.visibility:
-            self.visibility = VisibilityFlags.objects.create_private()
+            self.visibility = VisibilityFlags.objects.create_unpublished()
         super().save()
 
     class Meta:
diff --git a/django/thunderstore/permissions/models/visibility.py b/django/thunderstore/permissions/models/visibility.py
index b01d19329..9d01e7464 100644
--- a/django/thunderstore/permissions/models/visibility.py
+++ b/django/thunderstore/permissions/models/visibility.py
@@ -14,7 +14,7 @@ def create_public(self):
             admin_detail=True,
         )
 
-    def create_private(self):
+    def create_unpublished(self):
         return self.create(
             public_list=False,
             public_detail=False,
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index f59546f8c..d2cb8a007 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -434,7 +434,7 @@ def can_be_viewed_by_user(
     @transaction.atomic
     def update_visibility(self):
         if not self.visibility:
-            self.visibility = VisibilityFlags.objects.create_private()
+            self.visibility = VisibilityFlags.objects.create_unpublished()
 
         self.visibility.public_detail = True
         self.visibility.public_list = True

From 991c9e11f3a16049d04a9d7f5ee028cb8b774422 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Wed, 6 Nov 2024 15:03:50 -0500
Subject: [PATCH 39/61] Update package_version_list.py

Update PackageVersionList API to return a public_list() of versions,
rather than the available_versions cached property
---
 .../thunderstore/api/cyberstorm/views/package_version_list.py   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/django/thunderstore/api/cyberstorm/views/package_version_list.py b/django/thunderstore/api/cyberstorm/views/package_version_list.py
index 2ba5248fc..4b18379e2 100644
--- a/django/thunderstore/api/cyberstorm/views/package_version_list.py
+++ b/django/thunderstore/api/cyberstorm/views/package_version_list.py
@@ -27,4 +27,4 @@ def get_queryset(self):
             name__iexact=self.kwargs["package_name"],
         )
 
-        return package.available_versions
+        return package.versions.public_list()

From 88f1ad00c8aa91363838775f920752ee986cdcb4 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Wed, 6 Nov 2024 15:38:51 -0500
Subject: [PATCH 40/61] Move update_visibility()

Move update_visibility() so it's called whenever something inheriting
VisibilityMixin is saved
---
 django/thunderstore/community/models/package_listing.py  | 7 -------
 django/thunderstore/permissions/mixins.py                | 7 +++++++
 django/thunderstore/repository/models/package_version.py | 7 -------
 3 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index b0cc7c39b..5299fd025 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -103,13 +103,6 @@ def validate(self):
 
     def save(self, *args, **kwargs):
         self.validate()
-
-        old_self = PackageListing.objects.filter(pk=self.pk).first()
-        if old_self is None:
-            self.update_visibility()
-        elif old_self.review_status != self.review_status:
-            self.update_visibility()
-
         return super().save(*args, **kwargs)
 
     def __str__(self):
diff --git a/django/thunderstore/permissions/mixins.py b/django/thunderstore/permissions/mixins.py
index e04af8f69..0a45a9c3a 100644
--- a/django/thunderstore/permissions/mixins.py
+++ b/django/thunderstore/permissions/mixins.py
@@ -53,10 +53,17 @@ class VisibilityMixin(models.Model):
         on_delete=models.PROTECT,
     )
 
+    @transaction.atomic
+    def update_visibility(self):
+        pass
+
     @transaction.atomic
     def save(self, *args, **kwargs):
         if not self.pk and not self.visibility:
             self.visibility = VisibilityFlags.objects.create_unpublished()
+
+        self.update_visibility()
+
         super().save()
 
     class Meta:
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index d2cb8a007..7e7223d85 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -172,13 +172,6 @@ def validate(self):
 
     def save(self, *args, **kwargs):
         self.validate()
-
-        old_self = PackageVersion.objects.filter(pk=self.pk).first()
-        if old_self is None:
-            self.update_visibility()
-        elif old_self.review_status != self.review_status:
-            self.update_visibility()
-
         return super().save(*args, **kwargs)
 
     class Meta:

From 448cca360c1e80e6e3167f8180659a5d2303ca59 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Wed, 6 Nov 2024 16:21:44 -0500
Subject: [PATCH 41/61] Add active() into public_list()

Add active() into public_list() so inactive packages are not included in
public_list(), even if they're visible for some reason

Remove all the now-redundant active() checks from queries that use
public_list()
---
 .../thunderstore/api/cyberstorm/views/package_listing.py   | 4 +---
 django/thunderstore/community/models/package_listing.py    | 3 +++
 django/thunderstore/repository/cache.py                    | 7 ++-----
 django/thunderstore/repository/models/package.py           | 6 +-----
 django/thunderstore/repository/models/package_version.py   | 3 +++
 5 files changed, 10 insertions(+), 13 deletions(-)

diff --git a/django/thunderstore/api/cyberstorm/views/package_listing.py b/django/thunderstore/api/cyberstorm/views/package_listing.py
index 839120994..bd8948c31 100644
--- a/django/thunderstore/api/cyberstorm/views/package_listing.py
+++ b/django/thunderstore/api/cyberstorm/views/package_listing.py
@@ -144,9 +144,7 @@ def get_custom_package_listing(
     listing_ref = PackageListing.objects.filter(pk=OuterRef("pk"))
 
     qs = (
-        PackageListing.objects.active()
-        .filter_by_community_approval_rule()
-        .public_list()
+        PackageListing.objects.public_list()
         .select_related(
             "community",
             "package__latest",
diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 5299fd025..368cddc1f 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -35,6 +35,9 @@ def active(self):
             ~Q(package__versions__is_active=True)
         )
 
+    def public_list(self):
+        return super(PackageListingQueryset, self.active()).public_list()
+
     def approved(self):
         return self.exclude(~Q(review_status=PackageListingReviewStatus.approved))
 
diff --git a/django/thunderstore/repository/cache.py b/django/thunderstore/repository/cache.py
index dc92252a1..ea61c8640 100644
--- a/django/thunderstore/repository/cache.py
+++ b/django/thunderstore/repository/cache.py
@@ -29,11 +29,8 @@ def order_package_listing_queryset(
 def get_package_listing_base_queryset(
     community_identifier: str,
 ) -> QuerySet[PackageListing]:
-    return (
-        PackageListing.objects.active()
-        .filter_by_community_approval_rule()
-        .public_list()
-        .exclude(~Q(community__identifier=community_identifier))
+    return PackageListing.objects.public_list().exclude(
+        ~Q(community__identifier=community_identifier)
     )
 
 
diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index 2e939af69..5d11e3e25 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -164,11 +164,7 @@ def available_versions(self):
         # TODO: Caching
         if hasattr(self, "unavailable_versions"):
             del self.unavailable_versions
-        versions = (
-            self.versions.filter(is_active=True)
-            .public_list()
-            .values_list("pk", "version_number")
-        )
+        versions = self.versions.public_list().values_list("pk", "version_number")
         ordered = sorted(versions, key=lambda version: StrictVersion(version[1]))
         pk_list = [version[0] for version in reversed(ordered)]
         preserved = Case(*[When(pk=pk, then=pos) for pos, pk in enumerate(pk_list)])
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 7e7223d85..f7e2756cf 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -53,6 +53,9 @@ class PackageVersionQuerySet(VisibilityQuerySet):
     def active(self) -> "QuerySet[PackageVersion]":  # TODO: Generic type
         return self.exclude(is_active=False)
 
+    def public_list(self):
+        return super(PackageVersionQuerySet, self.active()).public_list()
+
     def filter_by_review_status(self):
         return self.exclude(review_status__in=["pending", "rejected"])
 

From 8e1d9eaa8ef7f23c920fd43418e665fdde547399 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Wed, 6 Nov 2024 19:03:39 -0500
Subject: [PATCH 42/61] Fix visibility tests

Fix visibility tests by changing review status rather than changing visibility directly
---
 .../tests/test_package_version_list.py           |  7 +++++--
 .../tests/test_community_package_list.py         | 16 ++++++++++------
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py b/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
index cb79265ff..b9761379a 100644
--- a/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
+++ b/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
@@ -57,13 +57,16 @@ def test_only_visible_versions_are_returned(
     api_client: APIClient,
 ) -> None:
     version1 = PackageVersionFactory(version_number="1.0.0")
-    version1.visibility = VisibilityFlagsFactory(public_list=True)
+    version1.review_status = PackageVersionReviewStatus.approved
     version1.save()
 
     version2 = PackageVersionFactory(package=version1.package, version_number="2.0.0")
-    version2.visibility = VisibilityFlagsFactory(public_list=False)
+    version2.review_status = PackageVersionReviewStatus.rejected
     version2.save()
 
+    assert version1.visibility.public_list is True
+    assert version2.visibility.public_list is False
+
     response = api_client.get(
         f"/api/cyberstorm/package/{version1.package.namespace}/{version1.package.name}/versions/",
     )
diff --git a/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py b/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py
index 52c223f17..2bbb120a9 100644
--- a/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py
+++ b/django/thunderstore/frontend/api/experimental/tests/test_community_package_list.py
@@ -114,23 +114,27 @@ def test_only_approved_packages_are_returned_when_approval_is_required(
 @pytest.mark.django_db
 def test_only_visible_packages_are_returned(api_client: APIClient) -> None:
     listing1 = PackageListingFactory()
-    listing1.visibility = VisibilityFlagsFactory(public_list=True)
+    listing1.review_status = PackageListingReviewStatus.approved
     listing1.save()
 
     listing2 = PackageListingFactory(
         community_=listing1.community,
     )
-    listing2.visibility = VisibilityFlagsFactory(public_list=True)
+    listing2.review_status = PackageListingReviewStatus.approved
     listing2.save()
 
     listing3 = PackageListingFactory(
         community_=listing1.community,
     )
-    listing3.visibility = VisibilityFlagsFactory(public_list=False)
+    listing3.review_status = PackageListingReviewStatus.rejected
     listing3.save()
 
     data = __query_api(api_client, listing1.community.identifier)
 
+    assert listing1.visibility.public_list is True
+    assert listing2.visibility.public_list is True
+    assert listing3.visibility.public_list is False
+
     assert len(data["packages"]) == 2
     __assert_packages_by_listings(data, [listing2, listing1])
 
@@ -140,11 +144,11 @@ def test_packages_with_only_rejected_versions_are_not_returned(
     api_client: APIClient,
 ) -> None:
     listing1 = PackageListingFactory()
-    listing1.visibility = VisibilityFlagsFactory(public_list=True)
+    listing1.review_status = PackageListingReviewStatus.approved
     listing1.save()
 
     listing2 = PackageListingFactory(community_=listing1.community)
-    listing2.visibility = VisibilityFlagsFactory(public_list=True)
+    listing1.review_status = PackageListingReviewStatus.approved
     listing2.save()
     PackageVersionFactory(
         package=listing2.package,
@@ -152,7 +156,7 @@ def test_packages_with_only_rejected_versions_are_not_returned(
     )
 
     listing3 = PackageListingFactory(community_=listing1.community)
-    listing3.visibility = VisibilityFlagsFactory(public_list=True)
+    listing1.review_status = PackageListingReviewStatus.approved
     listing3.save()
 
     listing1.package.latest.review_status = PackageVersionReviewStatus.rejected

From e2ab39e761f49efde3becb57068a856550030927 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Thu, 7 Nov 2024 00:38:29 -0500
Subject: [PATCH 43/61] Update package.py

Remove deleting cached unavailable_versions from available_versions
---
 django/thunderstore/repository/models/package.py | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index 5d11e3e25..b941b72a5 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -162,8 +162,6 @@ def display_name(self):
     @cached_property
     def available_versions(self):
         # TODO: Caching
-        if hasattr(self, "unavailable_versions"):
-            del self.unavailable_versions
         versions = self.versions.public_list().values_list("pk", "version_number")
         ordered = sorted(versions, key=lambda version: StrictVersion(version[1]))
         pk_list = [version[0] for version in reversed(ordered)]
@@ -184,7 +182,6 @@ def available_versions(self):
 
     @cached_property
     def unavailable_versions(self):
-        # TODO: Caching
         versions = self.versions.filter(
             is_active=True, visibility__public_list=False, visibility__owner_list=True
         ).values_list("pk", "version_number")

From 14af6cc39db284beba8a9b482c9bbb4e6ebf0e7e Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Thu, 7 Nov 2024 10:12:56 -0500
Subject: [PATCH 44/61] Remove shorthands from visibility mixin

The system is intended to require resolving all three user-specific context
attributes for visibility, so these shorthands go against that.
---
 django/thunderstore/permissions/mixins.py            | 12 ------------
 django/thunderstore/repository/views/package/list.py |  2 +-
 2 files changed, 1 insertion(+), 13 deletions(-)

diff --git a/django/thunderstore/permissions/mixins.py b/django/thunderstore/permissions/mixins.py
index 0a45a9c3a..943161959 100644
--- a/django/thunderstore/permissions/mixins.py
+++ b/django/thunderstore/permissions/mixins.py
@@ -11,18 +11,6 @@ def public_list(self):
     def public_detail(self):
         return self.exclude(visibility__public_detail=False)
 
-    def owner_list(self):
-        return self.exclude(visibility__owner_list=False)
-
-    def owner_detail(self):
-        return self.exclude(visibility__owner_detail=False)
-
-    def moderator_list(self):
-        return self.exclude(visibility__moderator_list=False)
-
-    def moderator_detail(self):
-        return self.exclude(visibility__moderator_detail=False)
-
     def visible_list(self, is_owner: bool, is_moderator: bool, is_admin: bool):
         filter = Q(visibility__public_list=True)
         if is_owner:
diff --git a/django/thunderstore/repository/views/package/list.py b/django/thunderstore/repository/views/package/list.py
index 4e14902d7..29dd45d14 100644
--- a/django/thunderstore/repository/views/package/list.py
+++ b/django/thunderstore/repository/views/package/list.py
@@ -445,7 +445,7 @@ def filter_approval_status(
     def filter_visibility(
         self, queryset: QuerySet[PackageListing]
     ) -> QuerySet[PackageListing]:
-        return queryset.moderator_list()
+        return queryset.exclude(visibility__moderator_list=False)
 
     def get_community_cache_vary(self) -> str:
         return ".".join(self.community_ids)

From eef28dc9e5dbee1463e3b64ee1b27c33e6de5ab5 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Thu, 7 Nov 2024 10:44:54 -0500
Subject: [PATCH 45/61] Ensure inactive models are not visible

Ensure inactive models are not visible by checking is_active in the
update_visibility function
---
 ...031_create_default_visibility_for_existing_listings.py | 8 ++++++++
 django/thunderstore/community/models/package_listing.py   | 8 ++++++++
 ...056_create_default_visibility_for_existing_versions.py | 8 ++++++++
 django/thunderstore/repository/models/package_version.py  | 8 ++++++++
 4 files changed, 32 insertions(+)

diff --git a/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py b/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
index 542d3c361..c12d2068a 100644
--- a/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
+++ b/django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py
@@ -31,6 +31,14 @@ def update_visibility(listing):
     listing.visibility.moderator_detail = True
     listing.visibility.moderator_list = True
 
+    if not listing.package.is_active:
+        listing.visibility.public_detail = False
+        listing.visibility.public_list = False
+        listing.visibility.owner_detail = False
+        listing.visibility.owner_list = False
+        listing.visibility.moderator_detail = False
+        listing.visibility.moderator_list = False
+
     if listing.review_status == PackageListingReviewStatus.rejected:
         listing.visibility.public_detail = False
         listing.visibility.public_list = False
diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 368cddc1f..fc6cec998 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -391,6 +391,14 @@ def update_visibility(self):
         self.visibility.moderator_detail = True
         self.visibility.moderator_list = True
 
+        if not self.package.is_active:
+            self.visibility.public_detail = False
+            self.visibility.public_list = False
+            self.visibility.owner_detail = False
+            self.visibility.owner_list = False
+            self.visibility.moderator_detail = False
+            self.visibility.moderator_list = False
+
         if self.review_status == PackageListingReviewStatus.rejected:
             self.visibility.public_detail = False
             self.visibility.public_list = False
diff --git a/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py b/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py
index 8618c54d7..ca1a2cc08 100644
--- a/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py
+++ b/django/thunderstore/repository/migrations/0056_create_default_visibility_for_existing_versions.py
@@ -31,6 +31,14 @@ def update_visibility(version):
     version.visibility.moderator_detail = True
     version.visibility.moderator_list = True
 
+    if not version.is_active or not version.package.is_active:
+        version.visibility.public_detail = False
+        version.visibility.public_list = False
+        version.visibility.owner_detail = False
+        version.visibility.owner_list = False
+        version.visibility.moderator_detail = False
+        version.visibility.moderator_list = False
+
     if (
         version.review_status == PackageVersionReviewStatus.rejected
         or version.review_status == PackageVersionReviewStatus.pending
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index f7e2756cf..5791a5b62 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -439,6 +439,14 @@ def update_visibility(self):
         self.visibility.moderator_detail = True
         self.visibility.moderator_list = True
 
+        if not self.is_active or not self.package.is_active:
+            self.visibility.public_detail = False
+            self.visibility.public_list = False
+            self.visibility.owner_detail = False
+            self.visibility.owner_list = False
+            self.visibility.moderator_detail = False
+            self.visibility.moderator_list = False
+
         if (
             self.review_status == PackageVersionReviewStatus.rejected
             or self.review_status == PackageVersionReviewStatus.pending

From 5e2eeafface215ff57edc0401dad8019b51a669c Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Thu, 7 Nov 2024 16:53:31 -0500
Subject: [PATCH 46/61] Add package management / status to detail views

Refactors the package management buttons and status cards (deprecated,
rejected, etc) to appear on every detail view page.
---
 .../includes/package_management_panel.html    | 28 ++++++
 .../community/includes/package_status.html    | 56 ++++++++++++
 .../community/packagelisting_changelog.html   | 11 ++-
 .../community/packagelisting_detail.html      | 85 +------------------
 .../community/packagelisting_versions.html    | 11 ++-
 .../templates/repository/_wiki_base.html      |  6 +-
 6 files changed, 112 insertions(+), 85 deletions(-)
 create mode 100644 django/thunderstore/community/templates/community/includes/package_management_panel.html
 create mode 100644 django/thunderstore/community/templates/community/includes/package_status.html

diff --git a/django/thunderstore/community/templates/community/includes/package_management_panel.html b/django/thunderstore/community/templates/community/includes/package_management_panel.html
new file mode 100644
index 000000000..aea84ef64
--- /dev/null
+++ b/django/thunderstore/community/templates/community/includes/package_management_panel.html
@@ -0,0 +1,28 @@
+{% load encode_props %}
+
+{% if show_management_panel %}
+<div class="d-flex justify-content-end gap-1">
+    {% if review_panel_props %}
+    <div id="package-review-panel"></div>
+    <script type="text/javascript">
+        window.ts.PackageReviewPanel(
+            document.getElementById("package-review-panel"),
+            {{ review_panel_props|encode_props }}
+        );
+    </script>
+    {% endif %}
+    <div id="package-management-panel"></div>
+    {% if show_listing_admin_link %}
+    <a href="{% url "admin:community_packagelisting_change" object.pk %}" type="button" class="btn btn-primary"><span class="fas fa-external-link-alt"></span>&nbsp;&nbsp;Listing admin</a>
+    {% endif %}
+    {% if show_package_admin_link %}
+    <a href="{% url "admin:repository_package_change" object.package.pk %}" type="button" class="btn btn-primary"><span class="fas fa-external-link-alt"></span>&nbsp;&nbsp;Package admin</a>
+    {% endif %}
+</div>
+<script type="text/javascript">
+window.ts.PackageManagementPanel(
+    document.getElementById("package-management-panel"),
+    {{ management_panel_props|encode_props }}
+);
+</script>
+{% endif %}
diff --git a/django/thunderstore/community/templates/community/includes/package_status.html b/django/thunderstore/community/templates/community/includes/package_status.html
new file mode 100644
index 000000000..001cdc5cd
--- /dev/null
+++ b/django/thunderstore/community/templates/community/includes/package_status.html
@@ -0,0 +1,56 @@
+{% if object.package.is_deprecated %}
+    <div class="alert alert-danger" role="alert">
+        This package has been marked as deprecated, and it's suggested another
+        alternative is used.
+    </div>
+{% endif %}
+
+{% if show_review_status and object.package.unavailable_versions %}
+    <div class="alert alert-danger" role="alert">
+        One or more versions of this package are awaiting approval.
+    </div>
+{% endif %}
+
+{% if show_review_status and object.is_rejected %}
+<div class="card text-white bg-danger mt-2">
+    <div class="card-body">
+        <h4 class="card-title">
+            Package rejected
+        </h4>
+        <p class="card-text">
+            This package has been rejected by site or community moderators.
+            If you think this is a mistake, please reach out to the moderators in
+            <a href="https://discord.thunderstore.io/">our Discord server</a>
+        </p>
+        {% if object.rejection_reason %}
+        <p class="card-text">
+            Reason: {{ object.rejection_reason }}
+        </p>
+        {% endif %}
+    </div>
+</div>
+{% endif %}
+
+{% if show_review_status and object.is_waiting_for_approval %}
+<div class="card text-white bg-warning mt-2">
+    <div class="card-body">
+        <h4 class="card-title">
+            Waiting for approval
+        </h4>
+        <p class="card-text">
+            This package is waiting for approval by site or community moderators
+        </p>
+    </div>
+</div>
+{% endif %}
+
+{% if show_internal_notes and object.notes %}
+    <div class="card text-white bg-info mt-2">
+        <div class="card-body">
+            <h4 class="card-title">
+                Internal notes
+            </h4>
+            <p class="card-text">{{ object.notes }}</p>
+        </div>
+    </div>
+{% endif %}
diff --git a/django/thunderstore/community/templates/community/packagelisting_changelog.html b/django/thunderstore/community/templates/community/packagelisting_changelog.html
index 8df5b476e..c327cc69c 100644
--- a/django/thunderstore/community/templates/community/packagelisting_changelog.html
+++ b/django/thunderstore/community/templates/community/packagelisting_changelog.html
@@ -20,7 +20,10 @@
 {% endblock %}
 
 {% block content %}
-{% cache_until "any_package_updated" "mod-detail-changelog-tab" 300 object.package.pk object.package.latest.pk community_identifier %}
+
+{% include "community/includes/package_management_panel.html" %}
+
+{% cache_until "any_package_updated" "mod-detail-changelog-header" 300 object.package.pk object.package.latest.pk community_identifier %}
 
 <nav class="mt-3" aria-label="breadcrumb">
     <ol class="breadcrumb">
@@ -31,6 +34,12 @@
     </ol>
 </nav>
 
+{% endcache %}
+
+{% include "community/includes/package_status.html" %}
+
+{% cache_until "any_package_updated" "mod-detail-changelog" 300 object.package.pk object.package.latest.pk community_identifier %}
+
 <div class="card bg-light mt-2">
     {% include "community/includes/package_tabs.html" with tabs=tabs %}
     {% include "community/includes/package_header.html" with object=object %}
diff --git a/django/thunderstore/community/templates/community/packagelisting_detail.html b/django/thunderstore/community/templates/community/packagelisting_detail.html
index 0072a31c4..aff508d63 100644
--- a/django/thunderstore/community/templates/community/packagelisting_detail.html
+++ b/django/thunderstore/community/templates/community/packagelisting_detail.html
@@ -3,7 +3,6 @@
 {% load arrow %}
 {% load markdownify %}
 {% load cache_until %}
-{% load encode_props %}
 {% load dynamic_html community_url %}
 
 {% block title %}{{ object.package.display_name }}{% endblock %}
@@ -22,32 +21,8 @@
 {% endblock %}
 
 {% block content %}
-{% if show_management_panel %}
-<div class="d-flex justify-content-end gap-1">
-    {% if review_panel_props %}
-    <div id="package-review-panel"></div>
-    <script type="text/javascript">
-        window.ts.PackageReviewPanel(
-            document.getElementById("package-review-panel"),
-            {{ review_panel_props|encode_props }}
-        );
-    </script>
-    {% endif %}
-    <div id="package-management-panel"></div>
-    {% if show_listing_admin_link %}
-    <a href="{% url "admin:community_packagelisting_change" object.pk %}" type="button" class="btn btn-primary"><span class="fas fa-external-link-alt"></span>&nbsp;&nbsp;Listing admin</a>
-    {% endif %}
-    {% if show_package_admin_link %}
-    <a href="{% url "admin:repository_package_change" object.package.pk %}" type="button" class="btn btn-primary"><span class="fas fa-external-link-alt"></span>&nbsp;&nbsp;Package admin</a>
-    {% endif %}
-</div>
-<script type="text/javascript">
-window.ts.PackageManagementPanel(
-    document.getElementById("package-management-panel"),
-    {{ management_panel_props|encode_props }}
-);
-</script>
-{% endif %}
+
+{% include "community/includes/package_management_panel.html" %}
 
 {% cache_until "any_package_updated" "mod-detail-header" 300 object.package.pk community_identifier object.package.latest.pk %}
 
@@ -59,64 +34,10 @@
   </ol>
 </nav>
 
-{% if object.package.is_deprecated %}
-    <div class="alert alert-danger" role="alert">
-        This package has been marked as deprecated, and it's suggested another
-        alternative is used.
-    </div>
-{% endif %}
-
 {% endcache %}
 
-{% if show_review_status and object.package.unavailable_versions %}
-    <div class="alert alert-danger" role="alert">
-        One or more versions of this package are awaiting approval.
-    </div>
-{% endif %}
+{% include "community/includes/package_status.html" %}
 
-{% if show_review_status and object.is_rejected %}
-<div class="card text-white bg-danger mt-2">
-    <div class="card-body">
-        <h4 class="card-title">
-            Package rejected
-        </h4>
-        <p class="card-text">
-            This package has been rejected by site or community moderators.
-            If you think this is a mistake, please reach out to the moderators in
-            <a href="https://discord.thunderstore.io/">our Discord server</a>
-        </p>
-        {% if object.rejection_reason %}
-        <p class="card-text">
-            Reason: {{ object.rejection_reason }}
-        </p>
-        {% endif %}
-    </div>
-</div>
-{% endif %}
-
-{% if show_review_status and object.is_waiting_for_approval %}
-<div class="card text-white bg-warning mt-2">
-    <div class="card-body">
-        <h4 class="card-title">
-            Waiting for approval
-        </h4>
-        <p class="card-text">
-            This package is waiting for approval by site or community moderators
-        </p>
-    </div>
-</div>
-{% endif %}
-
-{% if show_internal_notes and object.notes %}
-    <div class="card text-white bg-info mt-2">
-        <div class="card-body">
-            <h4 class="card-title">
-                Internal notes
-            </h4>
-            <p class="card-text">{{ object.notes }}</p>
-        </div>
-    </div>
-{% endif %}
 
 <div class="card bg-light mt-2">
     {% include "community/includes/package_tabs.html" with tabs=tabs %}
diff --git a/django/thunderstore/community/templates/community/packagelisting_versions.html b/django/thunderstore/community/templates/community/packagelisting_versions.html
index 5c6d12f49..69648b688 100644
--- a/django/thunderstore/community/templates/community/packagelisting_versions.html
+++ b/django/thunderstore/community/templates/community/packagelisting_versions.html
@@ -19,7 +19,10 @@
 {% endblock %}
 
 {% block content %}
-{% cache_until "any_package_updated" "mod-detail-version-history" 300 object.package.pk community_identifier can_moderate show_management_panel object.package.available_versions %}
+
+{% include "community/includes/package_management_panel.html" %}
+
+{% cache_until "any_package_updated" "mod-detail-versions-header" 300 object.package.pk community_identifier %}
 
 <nav class="mt-3" aria-label="breadcrumb">
     <ol class="breadcrumb">
@@ -30,6 +33,12 @@
     </ol>
 </nav>
 
+{% endcache %}
+
+{% include "community/includes/package_status.html" %}
+
+{% cache_until "any_package_updated" "mod-detail-versions" 300 object.package.pk community_identifier can_moderate show_management_panel object.package.available_versions %}
+
 <div class="card bg-light mt-2">
     {% include "community/includes/package_tabs.html" with tabs=tabs %}
     {% include "community/includes/package_header.html" with object=object %}
diff --git a/django/thunderstore/repository/templates/repository/_wiki_base.html b/django/thunderstore/repository/templates/repository/_wiki_base.html
index 38650d0d3..ba97888fc 100644
--- a/django/thunderstore/repository/templates/repository/_wiki_base.html
+++ b/django/thunderstore/repository/templates/repository/_wiki_base.html
@@ -29,6 +29,8 @@
 
 {% block content %}
 
+{% include "community/includes/package_management_panel.html" %}
+
 <nav class="mt-3" aria-label="breadcrumb">
     <ol class="breadcrumb">
         <li class="breadcrumb-item"><a href="{% community_url "packages.list" %}">Packages</a></li>
@@ -41,7 +43,9 @@
     </ol>
 </nav>
 
-<div class="card bg-light">
+{% include "community/includes/package_status.html" %}
+
+<div class="card bg-light mt-2">
     {% include "community/includes/package_tabs.html" with tabs=tabs%}
     {% block wiki_content %}{% endblock %}
 </div>

From 1ad566b462bfd10765e56805506c7d06a54214c2 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Thu, 7 Nov 2024 17:02:53 -0500
Subject: [PATCH 47/61] Add unavailable warning to version detail page

---
 .../templates/repository/packageversion_detail.html          | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/django/thunderstore/repository/templates/repository/packageversion_detail.html b/django/thunderstore/repository/templates/repository/packageversion_detail.html
index 6819ce8da..e24f108f4 100644
--- a/django/thunderstore/repository/templates/repository/packageversion_detail.html
+++ b/django/thunderstore/repository/templates/repository/packageversion_detail.html
@@ -36,6 +36,11 @@
   </ol>
 </nav>
 
+{% if not object.visibility.public_list %}
+    <div class="alert alert-danger" role="alert">
+        This version is not currently available to the public.
+    </div>
+{% endif %}
 {% if object.is_deprecated %}
     <div class="alert alert-danger" role="alert">
         This package has been marked as deprecated, and it's suggested another

From a94d46415c6328351923b3fde8b978ace31d054a Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Mon, 11 Nov 2024 13:58:23 -0500
Subject: [PATCH 48/61] Refactor can_be_viewed_by_user

Refactor can_be_viewed_by_user from the PackageListing / PackageVersion
classes into is_visible_to_user in the visibility mixin
---
 .../community/models/package_listing.py       | 43 -------------------
 .../community/tests/test_package_listing.py   | 24 +++--------
 .../api/experimental/views/package_details.py |  2 +-
 django/thunderstore/permissions/mixins.py     | 27 ++++++++++++
 .../thunderstore/repository/models/package.py |  2 +
 .../repository/models/package_version.py      | 25 -----------
 .../repository/tests/test_views.py            |  4 +-
 .../thunderstore/repository/views/mixins.py   |  2 +-
 .../repository/views/package/version.py       |  4 +-
 9 files changed, 41 insertions(+), 92 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index fc6cec998..e520c73d4 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -336,49 +336,6 @@ def check_update_categories_permission(self, user: Optional[UserType]) -> bool:
     def can_user_manage_approval_status(self, user: Optional[UserType]) -> bool:
         return self.can_be_moderated_by_user(user)
 
-    def ensure_can_be_viewed_by_user(self, user: Optional[UserType]) -> None:
-        def get_has_perms() -> bool:
-            return (
-                user is not None
-                and user.is_authenticated
-                and (
-                    self.community.can_user_manage_packages(user)
-                    or self.package.owner.can_user_access(user)
-                )
-            )
-
-        if not self.visibility:
-            raise ValidationError("Insufficient permissions to view")
-
-        if user is not None:
-            if not self.visibility.public_detail:
-                if not (
-                    self.visibility.owner_detail
-                    and self.package.owner.can_user_access(user)
-                ):
-                    if not (
-                        self.visibility.moderator_detail
-                        and self.community.can_user_manage_packages(user)
-                    ):
-                        if not (self.visibility.admin_detail and user.is_superuser):
-                            raise ValidationError("Insufficient permissions to view")
-
-        if self.community.require_package_listing_approval:
-            if (
-                self.review_status != PackageListingReviewStatus.approved
-                and not get_has_perms()
-            ):
-                raise ValidationError("Insufficient permissions to view")
-        else:
-            if (
-                self.review_status == PackageListingReviewStatus.rejected
-                and not get_has_perms()
-            ):
-                raise ValidationError("Insufficient permissions to view")
-
-    def can_be_viewed_by_user(self, user: Optional[UserType]) -> bool:
-        return check_validity(lambda: self.ensure_can_be_viewed_by_user(user))
-
     @transaction.atomic
     def update_visibility(self):
         if not self.visibility:
diff --git a/django/thunderstore/community/tests/test_package_listing.py b/django/thunderstore/community/tests/test_package_listing.py
index 10ebcd70b..31ccae02b 100644
--- a/django/thunderstore/community/tests/test_package_listing.py
+++ b/django/thunderstore/community/tests/test_package_listing.py
@@ -181,12 +181,14 @@ def test_package_listing_ensure_can_be_viewed_by_user(
     team_role: str,
 ):
     listing = active_package_listing
-    listing.review_status = review_status
-    listing.save()
 
     community = listing.community
     community.require_package_listing_approval = require_approval
     community.save()
+
+    listing.review_status = review_status
+    listing.save()
+
     user = TestUserTypes.get_user_by_type(user_type)
     if community_role is not None and user_type not in TestUserTypes.fake_users():
         CommunityMembership.objects.create(
@@ -201,46 +203,30 @@ def test_package_listing_ensure_can_be_viewed_by_user(
             role=team_role,
         )
 
-    result = listing.can_be_viewed_by_user(user)
-    errors = []
-    expected_error = "Insufficient permissions to view"
-    try:
-        listing.ensure_can_be_viewed_by_user(user)
-    except ValidationError as e:
-        errors = e.messages
+    result = listing.is_visible_to_user(user)
 
     if require_approval:
         if review_status == PackageListingReviewStatus.approved:
             assert result is True
-            assert not errors
         elif user is None:
             assert result is False
-            assert expected_error in errors
         elif not user.is_authenticated:
             assert result is False
-            assert expected_error in errors
         elif community.can_user_manage_packages(user):
             assert result is True
-            assert not errors
         elif listing.package.owner.can_user_access(user):
             assert result is True
-            assert not errors
     else:
         if review_status != PackageListingReviewStatus.rejected:
             assert result is True
-            assert not errors
         elif user is None:
             assert result is False
-            assert expected_error in errors
         elif not user.is_authenticated:
             assert result is False
-            assert expected_error in errors
         elif community.can_user_manage_packages(user):
             assert result is True
-            assert not errors
         elif listing.package.owner.can_user_access(user):
             assert result is True
-            assert not errors
 
 
 @pytest.mark.django_db
diff --git a/django/thunderstore/frontend/api/experimental/views/package_details.py b/django/thunderstore/frontend/api/experimental/views/package_details.py
index dbf5bcec1..205434ea7 100644
--- a/django/thunderstore/frontend/api/experimental/views/package_details.py
+++ b/django/thunderstore/frontend/api/experimental/views/package_details.py
@@ -44,7 +44,7 @@ def get(
             package__name=package_name,
         )
 
-        if not listing.can_be_viewed_by_user(request.user):
+        if not listing.is_visible_to_user(request.user):
             raise Http404()
 
         serializer = self.serialize_results(listing)
diff --git a/django/thunderstore/permissions/mixins.py b/django/thunderstore/permissions/mixins.py
index 943161959..df002e104 100644
--- a/django/thunderstore/permissions/mixins.py
+++ b/django/thunderstore/permissions/mixins.py
@@ -1,6 +1,7 @@
 from django.db import models, transaction
 from django.db.models import Q
 
+from thunderstore.core.types import UserType
 from thunderstore.permissions.models import VisibilityFlags
 
 
@@ -56,3 +57,29 @@ def save(self, *args, **kwargs):
 
     class Meta:
         abstract = True
+
+    def is_visible_to_user(self, user: UserType) -> bool:
+        if not self.visibility:
+            return False
+
+        if self.visibility.public_detail:
+            return True
+
+        if user is None:
+            return False
+
+        if hasattr(self, "package"):
+            if self.visibility.owner_detail:
+                if self.package.owner.can_user_access(user):
+                    return True
+
+            if self.visibility.moderator_detail:
+                for listing in self.package.community_listings.all():
+                    if listing.community.can_user_manage_packages(user):
+                        return True
+
+        if self.visibility.admin_detail:
+            if user.is_superuser:
+                return True
+
+        return False
diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index b941b72a5..e9911d82b 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -109,6 +109,8 @@ def validate(self):
 
     def save(self, *args, **kwargs):
         self.validate()
+        for listing in self.community_listings.all():
+            listing.update_visibility()
         return super().save(*args, **kwargs)
 
     def get_or_create_package_listing(self, community):
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 5791a5b62..ef9a6c8a1 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -402,31 +402,6 @@ def can_user_manage_approval_status(self, user: Optional[UserType]) -> bool:
                 return True
         return False
 
-    def ensure_can_be_viewed_by_user(
-        self, user: Optional[UserType], community: Community
-    ) -> None:
-        if not self.visibility:
-            raise ValidationError("Insufficient permissions to view")
-
-        if not self.visibility.public_detail:
-            if not (
-                self.visibility.owner_detail
-                and self.package.owner.can_user_access(user)
-            ):
-                if not (
-                    self.visibility.moderator_detail
-                    and community.can_user_manage_packages(user)
-                ):
-                    if not (self.visibility.admin_detail and user.is_superuser):
-                        raise ValidationError("Insufficient permissions to view")
-
-    def can_be_viewed_by_user(
-        self, user: Optional[UserType], community: Community
-    ) -> bool:
-        return check_validity(
-            lambda: self.ensure_can_be_viewed_by_user(user, community)
-        )
-
     @transaction.atomic
     def update_visibility(self):
         if not self.visibility:
diff --git a/django/thunderstore/repository/tests/test_views.py b/django/thunderstore/repository/tests/test_views.py
index b434e722d..7ca1e5074 100644
--- a/django/thunderstore/repository/tests/test_views.py
+++ b/django/thunderstore/repository/tests/test_views.py
@@ -170,6 +170,8 @@ def test_package_detail_version_view_cannot_be_viewed_by_user(
     community_site.community.require_package_listing_approval = True
     community_site.community.save()
 
+    active_version_with_listing.update_visibility()
+
     # Try with user that is member of owner team
     client.force_login(user=team_member.user)
     response = client.get(
@@ -244,7 +246,7 @@ def test_package_detail_version_view_get_object(
     active_version_with_listing.package.save()
     with pytest.raises(Http404) as excinfo:
         view.get_object()
-    assert "Main package is deactivated" in str(excinfo.value)
+    assert "Package is waiting for approval or has been rejected" in str(excinfo.value)
 
     # Remove user from view, so that the view doesn't have permissions to view the listing
     mock_request.user = None
diff --git a/django/thunderstore/repository/views/mixins.py b/django/thunderstore/repository/views/mixins.py
index 196ef0059..08277f215 100644
--- a/django/thunderstore/repository/views/mixins.py
+++ b/django/thunderstore/repository/views/mixins.py
@@ -229,7 +229,7 @@ def get_object(self, queryset=None) -> PackageListing:
                 name=self.kwargs["name"],
                 community=self.community,
             )
-            if not listing.can_be_viewed_by_user(self.request.user):
+            if not listing.is_visible_to_user(self.request.user):
                 raise Http404("Package is waiting for approval or has been rejected")
             self.object = listing
         return self.object
diff --git a/django/thunderstore/repository/views/package/version.py b/django/thunderstore/repository/views/package/version.py
index 98e8ad285..e87d53757 100644
--- a/django/thunderstore/repository/views/package/version.py
+++ b/django/thunderstore/repository/views/package/version.py
@@ -25,7 +25,7 @@ def get_object(self, *args, **kwargs):
             package__name=name,
             community=self.community,
         )
-        if not listing.can_be_viewed_by_user(self.request.user):
+        if not listing.is_visible_to_user(self.request.user):
             raise Http404("Package is waiting for approval or has been rejected")
         if not listing.package.is_active:
             raise Http404("Main package is deactivated")
@@ -34,7 +34,7 @@ def get_object(self, *args, **kwargs):
             package=listing.package,
             version_number=version_number,
         )
-        if not version.can_be_viewed_by_user(self.request.user, listing.community):
+        if not version.is_visible_to_user(self.request.user):
             raise Http404("Package is waiting for approval or has been rejected")
         return version
 

From 2cef9d44bba67d145caa9d4a04e246b035cf6316 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Mon, 11 Nov 2024 16:28:37 -0500
Subject: [PATCH 49/61] Allow owners to see their rejected packages

Allow owners to see their rejected packages by populating the
PackageListByOwnerView with owner_list listings
---
 builder/src/scss/package-list.scss            |  7 +++++
 .../community/packagelisting_list.html        |  7 +++++
 .../repository/views/package/list.py          | 27 +++++++++++++++++--
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/builder/src/scss/package-list.scss b/builder/src/scss/package-list.scss
index 88b0a6ec4..397872b10 100644
--- a/builder/src/scss/package-list.scss
+++ b/builder/src/scss/package-list.scss
@@ -16,6 +16,13 @@
     transform-origin: center;
 }
 
+.unavailable {
+    position: absolute;
+    z-index: 1;
+    pointer-events: none;
+    text-align: right;
+}
+
 .search-options {
     .checkbox {
         display: flex;
diff --git a/django/thunderstore/community/templates/community/packagelisting_list.html b/django/thunderstore/community/templates/community/packagelisting_list.html
index d4393ec34..f4dc8e40b 100644
--- a/django/thunderstore/community/templates/community/packagelisting_list.html
+++ b/django/thunderstore/community/templates/community/packagelisting_list.html
@@ -152,6 +152,13 @@ <h3 class="col-12 mt-4">{{ page_title }}</h3>
         <div class="col-6 col-md-4 col-lg-3 mb-2 p-1 d-flex flex-column
                     {% if object.package.is_deprecated %}text-dark deleted{% endif %}">
             <div class="p-0 bg-light">
+                {% if not object.visibility.public_detail %}
+                <div class="unavailable w-100">
+                    <div class="mr-2 p-1 px-2 bg-danger">
+                        Unavailable <span class="fa fa-lock ml-1"></span>
+                    </div>
+                </div>
+                {% endif %}
                 {% if object.package.is_pinned %}
                 <div class="pin w-100">
                     <div class="mr-2 p-1 px-2 bg-primary w-auto w-fit-content">
diff --git a/django/thunderstore/repository/views/package/list.py b/django/thunderstore/repository/views/package/list.py
index 29dd45d14..5cdad022a 100644
--- a/django/thunderstore/repository/views/package/list.py
+++ b/django/thunderstore/repository/views/package/list.py
@@ -275,7 +275,7 @@ def get_queryset(self):
         if not self.get_is_deprecated_included():
             queryset = queryset.exclude(package__is_deprecated=True)
 
-        queryset = self.filter_approval_status(queryset)
+        # queryset = self.filter_approval_status(queryset)
         queryset = self.filter_visibility(queryset)
 
         search_query = self.get_search_query()
@@ -356,6 +356,17 @@ def get_cache_vary(self):
 @method_decorator(ensure_csrf_cookie, name="dispatch")
 class PackageListByOwnerView(PackageListSearchView):
     owner: Optional[Team]
+    requester_has_community_permissions: bool
+    requester_has_owner_permissions: bool
+
+    def filter_visibility(
+        self, queryset: QuerySet[PackageListing]
+    ) -> QuerySet[PackageListing]:
+        if self.requester_has_community_permissions:
+            return queryset.exclude(visibility__moderator_list=False)
+        if self.requester_has_owner_permissions:
+            return queryset.exclude(visibility__owner_list=False)
+        return queryset.exclude(visibility__public_list=False)
 
     def get_breadcrumbs(self):
         breadcrumbs = super().get_breadcrumbs()
@@ -375,8 +386,17 @@ def get_breadcrumbs(self):
     def cache_owner(self):
         self.owner = get_object_or_404(Team, name=self.kwargs["owner"])
 
+    def cache_permissions(self):
+        self.requester_has_community_permissions = (
+            self.community.can_user_manage_packages(self.request.user)
+        )
+        self.requester_has_owner_permissions = self.owner.can_user_manage_packages(
+            self.request.user
+        )
+
     def dispatch(self, *args, **kwargs):
         self.cache_owner()
+        self.cache_permissions()
         return super().dispatch(*args, **kwargs)
 
     def get_base_queryset(self):
@@ -388,7 +408,10 @@ def get_page_title(self):
         return f"Mods uploaded by {self.owner.name}"
 
     def get_cache_vary(self):
-        return f"authorer-{self.owner.name}"
+        cache_vary = f"authorer-{self.owner.name}"
+        cache_vary += f".{self.requester_has_community_permissions}"
+        cache_vary += f".{self.requester_has_owner_permissions}"
+        return cache_vary
 
 
 @method_decorator(ensure_csrf_cookie, name="dispatch")

From 6503182ca88128bc7ce9cd03eb531e2268fbd62a Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 12 Nov 2024 14:40:04 -0500
Subject: [PATCH 50/61] Turn review_status CharFields into TextFields

Turn review_status CharFields into TextFields
---
 .../migrations/0032_auto_20241112_1930.py     | 25 +++++++++++++++++
 .../community/models/package_listing.py       |  3 +--
 .../migrations/0057_auto_20241112_1930.py     | 27 +++++++++++++++++++
 .../repository/models/package_version.py      |  3 +--
 4 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100644 django/thunderstore/community/migrations/0032_auto_20241112_1930.py
 create mode 100644 django/thunderstore/repository/migrations/0057_auto_20241112_1930.py

diff --git a/django/thunderstore/community/migrations/0032_auto_20241112_1930.py b/django/thunderstore/community/migrations/0032_auto_20241112_1930.py
new file mode 100644
index 000000000..8e52c56bf
--- /dev/null
+++ b/django/thunderstore/community/migrations/0032_auto_20241112_1930.py
@@ -0,0 +1,25 @@
+# Generated by Django 3.1.7 on 2024-11-12 19:30
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("community", "0031_create_default_visibility_for_existing_listings"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="packagelisting",
+            name="review_status",
+            field=models.TextField(
+                choices=[
+                    ("unreviewed", "unreviewed"),
+                    ("approved", "approved"),
+                    ("rejected", "rejected"),
+                ],
+                default="unreviewed",
+            ),
+        ),
+    ]
diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index e520c73d4..2181877db 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -76,10 +76,9 @@ class PackageListing(TimestampMixin, VisibilityMixin, AdminLinkMixin, models.Mod
     is_review_requested = models.BooleanField(
         default=False,
     )
-    review_status = models.CharField(
+    review_status = models.TextField(
         default=PackageListingReviewStatus.unreviewed,
         choices=PackageListingReviewStatus.as_choices(),
-        max_length=512,
     )
     rejection_reason = models.TextField(
         null=True,
diff --git a/django/thunderstore/repository/migrations/0057_auto_20241112_1930.py b/django/thunderstore/repository/migrations/0057_auto_20241112_1930.py
new file mode 100644
index 000000000..93417d64b
--- /dev/null
+++ b/django/thunderstore/repository/migrations/0057_auto_20241112_1930.py
@@ -0,0 +1,27 @@
+# Generated by Django 3.1.7 on 2024-11-12 19:30
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("repository", "0056_create_default_visibility_for_existing_versions"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="packageversion",
+            name="review_status",
+            field=models.TextField(
+                choices=[
+                    ("pending", "pending"),
+                    ("approved", "approved"),
+                    ("rejected", "rejected"),
+                    ("skipped", "skipped"),
+                    ("immune", "immune"),
+                ],
+                default="skipped",
+            ),
+        ),
+    ]
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index ef9a6c8a1..718ef5f39 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -141,10 +141,9 @@ class PackageVersion(VisibilityMixin, AdminLinkMixin):
     changelog = models.TextField(blank=True, null=True)
 
     # TODO: Default should be pending once all versions require automated scanning before appearing to users
-    review_status = models.CharField(
+    review_status = models.TextField(
         default=PackageVersionReviewStatus.skipped,
         choices=PackageVersionReviewStatus.as_choices(),
-        max_length=512,
     )
 
     # <packagename>.zip

From 8369d36f786cd414ca43816667a442bb87781058 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 12 Nov 2024 15:31:04 -0500
Subject: [PATCH 51/61] Remove redundancy in update_visibility

Remove redundancy in update_visibility
---
 django/thunderstore/community/models/package_listing.py  | 3 ---
 django/thunderstore/repository/models/package_version.py | 3 ---
 2 files changed, 6 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 2181877db..641e3f286 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -337,9 +337,6 @@ def can_user_manage_approval_status(self, user: Optional[UserType]) -> bool:
 
     @transaction.atomic
     def update_visibility(self):
-        if not self.visibility:
-            self.visibility = VisibilityFlags.objects.create_unpublished()
-
         self.visibility.public_detail = True
         self.visibility.public_list = True
         self.visibility.owner_detail = True
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 718ef5f39..99c9bd540 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -403,9 +403,6 @@ def can_user_manage_approval_status(self, user: Optional[UserType]) -> bool:
 
     @transaction.atomic
     def update_visibility(self):
-        if not self.visibility:
-            self.visibility = VisibilityFlags.objects.create_unpublished()
-
         self.visibility.public_detail = True
         self.visibility.public_list = True
         self.visibility.owner_detail = True

From b6567cd204a59019a89881622b9a9b0b54f59dfd Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 12 Nov 2024 21:13:29 -0500
Subject: [PATCH 52/61] Adjust views so latest can be None

Adjust views so latest can be None by supplying a version as context data
---
 .../tests/test_package_version_list.py        | 31 -------------------
 .../community/includes/package_header.html    | 10 +++---
 .../community/packagelisting_detail.html      | 23 ++++++--------
 .../community/packagelisting_list.html        | 14 +++++++--
 .../community/packagelisting_versions.html    |  2 +-
 .../thunderstore/repository/models/package.py |  2 --
 .../repository/includes/dependencies.html     |  2 +-
 .../thunderstore/repository/views/mixins.py   | 11 ++++++-
 8 files changed, 39 insertions(+), 56 deletions(-)

diff --git a/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py b/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
index b9761379a..32583fdb1 100644
--- a/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
+++ b/django/thunderstore/api/cyberstorm/tests/test_package_version_list.py
@@ -74,34 +74,3 @@ def test_only_visible_versions_are_returned(
 
     assert len(actual) == 1
     assert actual[0]["version_number"] == version1.version_number
-
-
-@pytest.mark.django_db
-def test_latest_is_visible_if_possible(
-    api_client: APIClient,
-) -> None:
-    version1 = PackageVersionFactory(version_number="1.0.0")
-    version1.visibility = VisibilityFlagsFactory(public_list=True)
-    version1.save()
-
-    version2 = PackageVersionFactory(package=version1.package, version_number="2.0.0")
-    version2.visibility = VisibilityFlagsFactory(public_list=True)
-    version2.save()
-
-    version1.package.recache_latest()
-
-    assert version1.package.latest == version2
-
-    version2.review_status = PackageVersionReviewStatus.rejected
-    version2.save()
-
-    version1.package.recache_latest()
-
-    assert version1.package.latest == version1
-
-    version1.review_status = PackageVersionReviewStatus.rejected
-    version1.save()
-
-    version1.package.recache_latest()
-
-    assert version1.package.latest == version1
diff --git a/django/thunderstore/community/templates/community/includes/package_header.html b/django/thunderstore/community/templates/community/includes/package_header.html
index 371f35c81..ed4a50dc8 100644
--- a/django/thunderstore/community/templates/community/includes/package_header.html
+++ b/django/thunderstore/community/templates/community/includes/package_header.html
@@ -2,16 +2,16 @@
 
 <div class="card-header">
     <div class="media">
-        <img class="align-self-center mr-3" src="{% thumbnail object.package.icon 128x128 %}" alt="{{ object.package }} icon">
+        <img class="align-self-center mr-3" src="{% thumbnail version.icon 128x128 %}" alt="{{ object.package }} icon">
         <div class="media-body">
             <h1 class="mt-0">{{ object.package.display_name }}</h1>
-            <p>{{ object.package.description }}</p>
+            <p>{{ version.description }}</p>
             <div class="d-flex w-100 justify-content-between">
                 <h5 class="mb-1">By <a href="{{ object.owner_url }}">{{ object.package.owner.name }}</a></h5>
-                {% if object.package.website_url %}
-                    <a class="text-nowrap" href="{{ object.package.website_url }}">
+                {% if version.website_url %}
+                    <a class="text-nowrap" href="{{ version.website_url }}">
                         <span class="fa fa-globe-americas fa-fw"></span>
-                        {{ object.package.website_url }}</a>
+                        {{ version.website_url }}</a>
                 {% endif %}
             </div>
         </div>
diff --git a/django/thunderstore/community/templates/community/packagelisting_detail.html b/django/thunderstore/community/templates/community/packagelisting_detail.html
index aff508d63..408524bd7 100644
--- a/django/thunderstore/community/templates/community/packagelisting_detail.html
+++ b/django/thunderstore/community/templates/community/packagelisting_detail.html
@@ -6,17 +6,17 @@
 {% load dynamic_html community_url %}
 
 {% block title %}{{ object.package.display_name }}{% endblock %}
-{% block description %}{{ object.package.description }}{% endblock %}
+{% block description %}{{ version.description }}{% endblock %}
 
 {% block opengraph %}
-<meta property="og:title" content="{{ object.package.display_name }} v{{ object.package.version_number }}" />
+<meta property="og:title" content="{{ version.display_name }} v{{ version.version_number }}" />
 <meta property="og:type" content="website" />
 <meta property="og:url" content="{{ request.build_absolute_uri }}" />
-<meta property="og:image" content="{% thumbnail object.package.icon 256x256 %}" />
+<meta property="og:image" content="{% thumbnail version.icon 256x256 %}" />
 <meta property="og:image:width" content="256" />
 <meta property="og:image:height" content="256" />
 
-<meta property="og:description" content="{{ object.package.description }}" />
+<meta property="og:description" content="{{ version.description }}" />
 <meta property="og:site_name" content="{{ site_name }}" />
 {% endblock %}
 
@@ -24,7 +24,7 @@
 
 {% include "community/includes/package_management_panel.html" %}
 
-{% cache_until "any_package_updated" "mod-detail-header" 300 object.package.pk community_identifier object.package.latest.pk %}
+{% cache_until "any_package_updated" "mod-detail-header" 300 version.pk community_identifier %}
 
 <nav class="mt-3" aria-label="breadcrumb">
   <ol class="breadcrumb">
@@ -38,10 +38,9 @@
 
 {% include "community/includes/package_status.html" %}
 
-
 <div class="card bg-light mt-2">
     {% include "community/includes/package_tabs.html" with tabs=tabs %}
-    {% cache_until "any_package_updated" "mod-detail-content" 300 object.package.pk community_identifier object.package.latest.pk %}
+    {% cache_until "any_package_updated" "mod-detail-content" 300 version.pk community_identifier %}
     {% include "community/includes/package_header.html" with object=object %}
     <div class="card-body pb-1">
         <table class="table mb-0">
@@ -67,7 +66,7 @@
             </tr>
             <tr>
                 <td>Dependency string</td>
-                <td>{{ object.package.latest.full_version_name }}</td>
+                <td>{{ version.full_version_name }}</td>
             </tr>
             <tr>
                 <td>Dependants</td>
@@ -79,12 +78,12 @@
 
 <div class="row my-2">
     <div class="col-12 col-sm-6 px-3 pl-sm-3 pr-sm-1">
-        <a href="{{ object.package.latest.install_url }}" type="button" class="btn btn-primary w-100 text-large">
+        <a href="{{ version.install_url }}" type="button" class="btn btn-primary w-100 text-large">
             <i class="fa fa-rocket mr-2" aria-hidden="true"></i>Install with Mod Manager
         </a>
     </div>
     <div class="col-12 col-sm-6 px-3 pr-sm-3 pl-sm-1 mt-1 mt-sm-0">
-        <a href="{{ object.package.latest.full_download_url }}" type="button" class="btn btn-primary w-100 text-large">
+        <a href="{{ version.full_download_url }}" type="button" class="btn btn-primary w-100 text-large">
             <i class="fa fa-download mr-2" aria-hidden="true"></i>Manual Download
         </a>
     </div>
@@ -99,16 +98,14 @@
 
 {% dynamic_html "package_page_actions" %}
 
-{% with object.package.dependencies as dependencies %}
 {% if dependencies %}
     {% include "repository/includes/dependencies.html" with dependencies=dependencies %}
 {% endif %}
-{% endwith %}
 
 <div class="card bg-light mb-2 mt-2">
     <div class="card-header"><h4 class="mb-0">README</h4></div>
     <div class="card-body markdown-body">
-        {{ object.package.readme|markdownify }}
+        {{ version.readme|markdownify }}
     </div>
 </div>
 
diff --git a/django/thunderstore/community/templates/community/packagelisting_list.html b/django/thunderstore/community/templates/community/packagelisting_list.html
index f4dc8e40b..1b4cb74a3 100644
--- a/django/thunderstore/community/templates/community/packagelisting_list.html
+++ b/django/thunderstore/community/templates/community/packagelisting_list.html
@@ -167,7 +167,13 @@ <h3 class="col-12 mt-4">{{ page_title }}</h3>
                 </div>
                 {% endif %}
                 <a href="{{ object.get_full_url }}">
-                    <img class="w-100" src="{% thumbnail object.package.icon 256x256 crop %}" alt="{{ object.package }} icon">
+                    <img class="w-100" src="
+                    {% if object.package.latest %}
+                        {% thumbnail object.package.icon 256x256 crop %}
+                    {% else %}
+                        {% thumbnail object.package.versions.first.icon 256x256 crop %}
+                    {% endif %}
+                    " alt="{{ object.package }} icon">
                 </a>
             </div>
             <div class="bg-light p-2">
@@ -183,7 +189,11 @@ <h5 class="mb-0 overflow-hidden text-nowrap w-100" title="{{ object.package.disp
                 <div class="overflow-hidden text-nowrap w-100">By <a href="{{ object.owner_url }}">{{ object.package.owner.name }}</a></div>
             </div>
             <div class="bg-light px-2 flex-grow-1">
-                {{ object.package.description }}
+                {% if object.package.latest %}
+                    {{ object.package.description }}
+                {% else %}
+                    {{ object.package.versions.first.description }}
+                {% endif %}
             </div>
             <div class="category-badge-container bg-light px-2 pt-2 flex-grow-1 d-flex flex-row flex-wrap align-items-end align-content-end ">
                 {% for category in object.categories.all %}
diff --git a/django/thunderstore/community/templates/community/packagelisting_versions.html b/django/thunderstore/community/templates/community/packagelisting_versions.html
index 69648b688..755abe237 100644
--- a/django/thunderstore/community/templates/community/packagelisting_versions.html
+++ b/django/thunderstore/community/templates/community/packagelisting_versions.html
@@ -10,7 +10,7 @@
     <meta property="og:title" content="{{ object.package.display_name }} version history" />
     <meta property="og:type" content="website" />
     <meta property="og:url" content="{{ request.build_absolute_uri }}" />
-    <meta property="og:image" content="{% thumbnail object.package.icon 256x256 %}" />
+    <meta property="og:image" content="{% thumbnail version.icon 256x256 %}" />
     <meta property="og:image:width" content="256" />
     <meta property="og:image:height" content="256" />
 
diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index e9911d82b..8ae0fb64e 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -294,8 +294,6 @@ def recache_latest(self):
         if hasattr(self, "available_versions"):
             del self.available_versions  # Bust the version cache
         self.latest = self.available_versions.first()
-        if self.latest is None:
-            self.latest = self.versions.filter(is_active=True).first()
         if old_latest != self.latest:
             self.save()
 
diff --git a/django/thunderstore/repository/templates/repository/includes/dependencies.html b/django/thunderstore/repository/templates/repository/includes/dependencies.html
index 258004caa..76fcf82c8 100644
--- a/django/thunderstore/repository/templates/repository/includes/dependencies.html
+++ b/django/thunderstore/repository/templates/repository/includes/dependencies.html
@@ -7,7 +7,7 @@ <h4>This mod requires the following mods to function</h4>
     </div>
     <div class="card-body p-0">
         <div class="list-group dependency-list">
-            {% for dependency in object.package.dependencies.all %}
+            {% for dependency in dependencies %}
                 <div class="list-group-item flex-column align-items-start media">
                     <div class="media">
                         <img class="align-self-center mr-3" src="{% thumbnail dependency.icon 64x64 %}" alt="{{ dependency }} icon">
diff --git a/django/thunderstore/repository/views/mixins.py b/django/thunderstore/repository/views/mixins.py
index 08277f215..de1979018 100644
--- a/django/thunderstore/repository/views/mixins.py
+++ b/django/thunderstore/repository/views/mixins.py
@@ -58,7 +58,8 @@ def get_tab_context(
                 "changelog": PartialTab(
                     url=listing.get_changelog_url(),
                     title="Changelog",
-                    is_disabled=not listing.package.changelog(),
+                    is_disabled=not listing.package.latest
+                    or not listing.package.changelog(),
                 ),
                 "wiki": PartialTab(
                     url=listing.get_wiki_url(),
@@ -242,4 +243,12 @@ def get_context_data(self, *args, **kwargs):
                 self.request.user, package_listing, self.get_tab_name()
             )
         )
+
+        version = package_listing.package.latest
+        if not version:
+            version = package_listing.package.unavailable_versions.first()
+
+        context["version"] = version
+        context["dependencies"] = version.dependencies.all()
+
         return context

From 25e8e83f1ea1f77a8bddc10d536a364ae613c4cd Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Wed, 13 Nov 2024 12:55:30 -0500
Subject: [PATCH 53/61] Move is_visible_to_user() to version/listing

Move is_visible_to_user() to version/listing
Also set default visibility to public
---
 .../community/models/package_listing.py       | 25 +++++++++++++++++++
 django/thunderstore/permissions/mixins.py     | 25 +------------------
 .../repository/models/package_version.py      | 25 +++++++++++++++++++
 3 files changed, 51 insertions(+), 24 deletions(-)

diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 641e3f286..5b4724bda 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -335,6 +335,31 @@ def check_update_categories_permission(self, user: Optional[UserType]) -> bool:
     def can_user_manage_approval_status(self, user: Optional[UserType]) -> bool:
         return self.can_be_moderated_by_user(user)
 
+    def is_visible_to_user(self, user: UserType) -> bool:
+        if not self.visibility:
+            return False
+
+        if self.visibility.public_detail:
+            return True
+
+        if user is None:
+            return False
+
+        if self.visibility.owner_detail:
+            if self.package.owner.can_user_access(user):
+                return True
+
+        if self.visibility.moderator_detail:
+            for listing in self.package.community_listings.all():
+                if listing.community.can_user_manage_packages(user):
+                    return True
+
+        if self.visibility.admin_detail:
+            if user.is_superuser:
+                return True
+
+        return False
+
     @transaction.atomic
     def update_visibility(self):
         self.visibility.public_detail = True
diff --git a/django/thunderstore/permissions/mixins.py b/django/thunderstore/permissions/mixins.py
index df002e104..42abc2843 100644
--- a/django/thunderstore/permissions/mixins.py
+++ b/django/thunderstore/permissions/mixins.py
@@ -49,7 +49,7 @@ def update_visibility(self):
     @transaction.atomic
     def save(self, *args, **kwargs):
         if not self.pk and not self.visibility:
-            self.visibility = VisibilityFlags.objects.create_unpublished()
+            self.visibility = VisibilityFlags.objects.create_public()
 
         self.update_visibility()
 
@@ -59,27 +59,4 @@ class Meta:
         abstract = True
 
     def is_visible_to_user(self, user: UserType) -> bool:
-        if not self.visibility:
-            return False
-
-        if self.visibility.public_detail:
-            return True
-
-        if user is None:
-            return False
-
-        if hasattr(self, "package"):
-            if self.visibility.owner_detail:
-                if self.package.owner.can_user_access(user):
-                    return True
-
-            if self.visibility.moderator_detail:
-                for listing in self.package.community_listings.all():
-                    if listing.community.can_user_manage_packages(user):
-                        return True
-
-        if self.visibility.admin_detail:
-            if user.is_superuser:
-                return True
-
         return False
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 99c9bd540..0c32aa5f2 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -401,6 +401,31 @@ def can_user_manage_approval_status(self, user: Optional[UserType]) -> bool:
                 return True
         return False
 
+    def is_visible_to_user(self, user: UserType) -> bool:
+        if not self.visibility:
+            return False
+
+        if self.visibility.public_detail:
+            return True
+
+        if user is None:
+            return False
+
+        if self.visibility.owner_detail:
+            if self.package.owner.can_user_access(user):
+                return True
+
+        if self.visibility.moderator_detail:
+            for listing in self.package.community_listings.all():
+                if listing.community.can_user_manage_packages(user):
+                    return True
+
+        if self.visibility.admin_detail:
+            if user.is_superuser:
+                return True
+
+        return False
+
     @transaction.atomic
     def update_visibility(self):
         self.visibility.public_detail = True

From b6716dbb16bdae5a66991de4b16c58c5eded89fa Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Wed, 27 Nov 2024 09:59:38 -0500
Subject: [PATCH 54/61] Add a rate limit to celery_post

Add a rate limit to celery_post, specifically so Discord doesn't drop webhook
messages that come in faster than its limit of 5/2s
---
 django/thunderstore/core/tasks.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/django/thunderstore/core/tasks.py b/django/thunderstore/core/tasks.py
index 11376aed8..1a30dd920 100644
--- a/django/thunderstore/core/tasks.py
+++ b/django/thunderstore/core/tasks.py
@@ -6,7 +6,7 @@
 from thunderstore.core.settings import CeleryQueues
 
 
-@shared_task(queue=CeleryQueues.Default)
+@shared_task(queue=CeleryQueues.Default, rate_limit="2/s")
 def celery_post(
     webhook_url: str,
     data: Optional[str] = None,

From b28c8a05eecde3ba5e1ba47370cf683a68d83485 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Wed, 27 Nov 2024 15:13:09 -0500
Subject: [PATCH 55/61] Update community aggregates

Update community aggregates to take into account visibility, and to ignore
cross-community listings
---
 .../community/models/community.py             | 11 +--
 .../tests/test_community_aggregated_fields.py | 82 +++++++++++--------
 2 files changed, 55 insertions(+), 38 deletions(-)

diff --git a/django/thunderstore/community/models/community.py b/django/thunderstore/community/models/community.py
index bdb66f679..7b79b3aa9 100644
--- a/django/thunderstore/community/models/community.py
+++ b/django/thunderstore/community/models/community.py
@@ -4,7 +4,7 @@
 
 from django.core.exceptions import ValidationError
 from django.db import models, transaction
-from django.db.models import Manager, QuerySet
+from django.db.models import Count, Manager, QuerySet
 from django.urls import reverse
 from django.utils.functional import cached_property
 
@@ -282,10 +282,11 @@ def update_for_community(cls, community: Community) -> None:
         Assumes the CommunityAggregatedFields objects has been created
         previously, e.g. by calling .create_missing()
         """
-        listings = community.package_listings.active()
-
-        if community.require_package_listing_approval:
-            listings = listings.approved()
+        listings = (
+            community.package_listings.public_list()
+            .annotate(listing_count=Count("package__community_listings"))
+            .exclude(listing_count__gt=1)
+        )
 
         community.aggregated_fields.package_count = listings.count()
         community.aggregated_fields.download_count = sum(
diff --git a/django/thunderstore/community/tests/test_community_aggregated_fields.py b/django/thunderstore/community/tests/test_community_aggregated_fields.py
index 347a2181c..155ef0f6e 100644
--- a/django/thunderstore/community/tests/test_community_aggregated_fields.py
+++ b/django/thunderstore/community/tests/test_community_aggregated_fields.py
@@ -75,16 +75,6 @@ def test_community_aggregated_fields__update_for_community__calculates_packages(
     assert community1.aggregated.package_count == 5
     assert community2.aggregated.package_count == 0
 
-    for _ in range(10):
-        pl = PackageListingFactory(community_=community1)
-        PackageListingFactory(community_=community2, package=pl.package)
-
-    CommunityAggregatedFields.update_for_community(community1)
-    CommunityAggregatedFields.update_for_community(community2)
-
-    assert community1.aggregated.package_count == 15
-    assert community2.aggregated.package_count == 10
-
 
 @pytest.mark.django_db
 def test_community_aggregated_fields__update_for_community__calculates_downloads():
@@ -115,19 +105,42 @@ def test_community_aggregated_fields__update_for_community__calculates_downloads
     assert community2.aggregated.download_count == 0
     assert community3.aggregated.download_count == 1
 
-    listing = PackageListingFactory(
-        community_=community2,
-        package_version_kwargs={"downloads": 2},
+
+@pytest.mark.django_db
+def test_community_aggregated_fields__update_for_community__excludes_cross_community():
+    community1 = CommunityFactory(
+        aggregated_fields=CommunityAggregatedFields.objects.create(),
+    )
+    community2 = CommunityFactory(
+        aggregated_fields=CommunityAggregatedFields.objects.create(),
     )
-    PackageListingFactory(community_=community3, package=listing.package)
+
+    PackageListingFactory(community_=community1)
+    PackageListingFactory(community_=community2)
 
     CommunityAggregatedFields.update_for_community(community1)
     CommunityAggregatedFields.update_for_community(community2)
-    CommunityAggregatedFields.update_for_community(community3)
 
-    assert community1.aggregated.download_count == 0
-    assert community2.aggregated.download_count == 2
-    assert community3.aggregated.download_count == 3
+    assert community1.aggregated.package_count == 1
+    assert community2.aggregated.package_count == 1
+    assert community1.package_listings.count() == 1
+    assert community2.package_listings.count() == 1
+
+    for _ in range(10):
+        pl = PackageListingFactory(community_=community1)
+        PackageListingFactory(
+            community_=community2,
+            package=pl.package,
+        )
+    PackageListingFactory(community_=community1)
+
+    CommunityAggregatedFields.update_for_community(community1)
+    CommunityAggregatedFields.update_for_community(community2)
+
+    assert community1.package_listings.count() == 12
+    assert community2.package_listings.count() == 11
+    assert community1.aggregated.package_count == 2
+    assert community2.aggregated.package_count == 1
 
 
 @pytest.mark.django_db
@@ -148,30 +161,33 @@ def test_community_aggregated_fields__update_for_community__skips_inactive_packa
 
 
 @pytest.mark.django_db
-def test_community_aggregated_fields__update_for_community__skips_unapproved_packages():
+def test_community_aggregated_fields__update_for_community__only_includes_public_list_listings():
     community = CommunityFactory(
         aggregated_fields=CommunityAggregatedFields.objects.create(),
-        require_package_listing_approval=True,
-    )
-    listing1 = PackageListingFactory(
-        community_=community,
-        review_status=PackageListingReviewStatus.unreviewed,
-    )
-    listing2 = PackageListingFactory(
-        community_=community,
-        review_status=PackageListingReviewStatus.rejected,
     )
+    listing1 = PackageListingFactory(community_=community)
+    listing2 = PackageListingFactory(community_=community)
+
+    listing1.visibility.public_list = True
+    listing1.visibility.save()
+    listing2.visibility.public_list = False
+    listing2.visibility.save()
 
     CommunityAggregatedFields.update_for_community(community)
 
-    assert community.aggregated.package_count == 0
+    assert listing1.visibility.public_list is True
+    assert listing2.visibility.public_list is False
+    assert community.aggregated.package_count == 1
+
+    listing1.visibility.public_list = True
+    listing1.visibility.save()
+    listing2.visibility.public_list = True
+    listing2.visibility.save()
 
-    listing1.review_status = PackageListingReviewStatus.approved
-    listing1.save()
-    listing2.review_status = PackageListingReviewStatus.approved
-    listing2.save()
     CommunityAggregatedFields.update_for_community(community)
 
+    assert listing1.visibility.public_list is True
+    assert listing2.visibility.public_list is True
     assert community.aggregated.package_count == 2
 
 

From 10fb94f3104a4b337088e920f6975ac1738868b0 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 17 Dec 2024 15:04:12 -0500
Subject: [PATCH 56/61] Add system() to VisibilityMixin

Add system() to VisibilityMixin, which returns all objects regardless of visibility
so that we can always specify the visibility of objects when querying.
---
 .../api/cyberstorm/views/package_listing.py       |  2 +-
 .../api/cyberstorm/views/package_listing_list.py  |  2 +-
 .../community/api/experimental/views/listing.py   | 14 +++++++++-----
 .../community/models/package_listing.py           |  4 ----
 .../api/experimental/views/package_details.py     |  3 ++-
 django/thunderstore/permissions/mixins.py         | 14 ++++++++++----
 .../api/experimental/views/package_index.py       |  3 ++-
 .../api/experimental/views/package_version.py     |  3 ++-
 .../repository/api/v1/views/metrics.py            |  2 +-
 django/thunderstore/repository/api/v1/viewsets.py |  2 +-
 django/thunderstore/repository/models/cache.py    |  5 +++--
 django/thunderstore/repository/models/package.py  | 15 ++++++++++-----
 .../repository/models/package_version.py          |  7 ++-----
 .../thunderstore/repository/package_reference.py  |  2 +-
 django/thunderstore/repository/tasks/downloads.py |  2 +-
 .../repository/views/package/_utils.py            |  3 ++-
 .../repository/views/package/create.py            | 12 ++++++++----
 .../repository/views/package/download.py          |  3 ++-
 .../thunderstore/repository/views/package/list.py | 10 +++++++---
 19 files changed, 65 insertions(+), 43 deletions(-)

diff --git a/django/thunderstore/api/cyberstorm/views/package_listing.py b/django/thunderstore/api/cyberstorm/views/package_listing.py
index bd8948c31..dfaad4a47 100644
--- a/django/thunderstore/api/cyberstorm/views/package_listing.py
+++ b/django/thunderstore/api/cyberstorm/views/package_listing.py
@@ -141,7 +141,7 @@ def get_custom_package_listing(
     namespace_id: str,
     package_name: str,
 ) -> CustomListing:
-    listing_ref = PackageListing.objects.filter(pk=OuterRef("pk"))
+    listing_ref = PackageListing.objects.public_list().filter(pk=OuterRef("pk"))
 
     qs = (
         PackageListing.objects.public_list()
diff --git a/django/thunderstore/api/cyberstorm/views/package_listing_list.py b/django/thunderstore/api/cyberstorm/views/package_listing_list.py
index eec1f8e4e..8debb049c 100644
--- a/django/thunderstore/api/cyberstorm/views/package_listing_list.py
+++ b/django/thunderstore/api/cyberstorm/views/package_listing_list.py
@@ -334,7 +334,7 @@ def get_queryset(self) -> QuerySet[Package]:
         community_id = self.kwargs["community_id"]
         namespace_id = self.kwargs["namespace_id"]
         package_name = self.kwargs["package_name"]
-        listings = PackageListing.objects.active()  # type: ignore
+        listings = PackageListing.objects.public_list()
         listing = get_object_or_404(
             listings,
             community__identifier=community_id,
diff --git a/django/thunderstore/community/api/experimental/views/listing.py b/django/thunderstore/community/api/experimental/views/listing.py
index 2dcd03291..3eb517dba 100644
--- a/django/thunderstore/community/api/experimental/views/listing.py
+++ b/django/thunderstore/community/api/experimental/views/listing.py
@@ -13,9 +13,13 @@
 
 
 class PackageListingUpdateApiView(GenericAPIView):
-    queryset = PackageListing.objects.active().select_related(
-        "community",
-        "package",
+    queryset = (
+        PackageListing.objects.system()
+        .active()
+        .select_related(
+            "community",
+            "package",
+        )
     )
     serializer_class = PackageListingUpdateResponseSerializer
 
@@ -57,7 +61,7 @@ class PackageListingRejectRequestSerializer(serializers.Serializer):
 
 
 class PackageListingRejectApiView(GenericAPIView):
-    queryset = PackageListing.objects.select_related("community", "package")
+    queryset = PackageListing.objects.system().select_related("community", "package")
 
     @swagger_auto_schema(
         operation_id="experimental.package_listing.reject",
@@ -97,7 +101,7 @@ class PackageListingApproveRequestSerializer(serializers.Serializer):
 
 
 class PackageListingApproveApiView(GenericAPIView):
-    queryset = PackageListing.objects.select_related("community", "package")
+    queryset = PackageListing.objects.system().select_related("community", "package")
 
     @swagger_auto_schema(
         operation_id="experimental.package_listing.approve",
diff --git a/django/thunderstore/community/models/package_listing.py b/django/thunderstore/community/models/package_listing.py
index 5b4724bda..fc26dd5ed 100644
--- a/django/thunderstore/community/models/package_listing.py
+++ b/django/thunderstore/community/models/package_listing.py
@@ -16,7 +16,6 @@
 from thunderstore.core.utils import check_validity
 from thunderstore.frontend.url_reverse import get_community_url_reverse_args
 from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
-from thunderstore.permissions.models import VisibilityFlags
 from thunderstore.permissions.utils import validate_user
 from thunderstore.webhooks.audit import (
     AuditAction,
@@ -35,9 +34,6 @@ def active(self):
             ~Q(package__versions__is_active=True)
         )
 
-    def public_list(self):
-        return super(PackageListingQueryset, self.active()).public_list()
-
     def approved(self):
         return self.exclude(~Q(review_status=PackageListingReviewStatus.approved))
 
diff --git a/django/thunderstore/frontend/api/experimental/views/package_details.py b/django/thunderstore/frontend/api/experimental/views/package_details.py
index 205434ea7..1bb6e6819 100644
--- a/django/thunderstore/frontend/api/experimental/views/package_details.py
+++ b/django/thunderstore/frontend/api/experimental/views/package_details.py
@@ -58,7 +58,8 @@ def get_listing_queryset(self) -> QuerySet[PackageListing]:
         results by version number.
         """
         return (
-            PackageListing.objects.active()
+            PackageListing.objects.system()
+            .active()
             .select_related(
                 "package",
                 "package__latest",
diff --git a/django/thunderstore/permissions/mixins.py b/django/thunderstore/permissions/mixins.py
index 42abc2843..cf12bc98c 100644
--- a/django/thunderstore/permissions/mixins.py
+++ b/django/thunderstore/permissions/mixins.py
@@ -6,11 +6,14 @@
 
 
 class VisibilityQuerySet(models.QuerySet):
+    def active(self):
+        return self
+
     def public_list(self):
-        return self.exclude(visibility__public_list=False)
+        return self.active().exclude(visibility__public_list=False)
 
     def public_detail(self):
-        return self.exclude(visibility__public_detail=False)
+        return self.active().exclude(visibility__public_detail=False)
 
     def visible_list(self, is_owner: bool, is_moderator: bool, is_admin: bool):
         filter = Q(visibility__public_list=True)
@@ -20,7 +23,7 @@ def visible_list(self, is_owner: bool, is_moderator: bool, is_admin: bool):
             filter |= Q(visibility__moderator_list=True)
         if is_admin:
             filter |= Q(visibility__admin_list=True)
-        return self.exclude(~filter)
+        return self.active().exclude(~filter)
 
     def visible_detail(self, is_owner: bool, is_moderator: bool, is_admin: bool):
         filter = Q(visibility__public_detail=True)
@@ -30,7 +33,10 @@ def visible_detail(self, is_owner: bool, is_moderator: bool, is_admin: bool):
             filter |= Q(visibility__moderator_detail=True)
         if is_admin:
             filter |= Q(visibility__admin_detail=True)
-        return self.exclude(~filter)
+        return self.active().exclude(~filter)
+
+    def system(self):
+        return self
 
 
 class VisibilityMixin(models.Model):
diff --git a/django/thunderstore/repository/api/experimental/views/package_index.py b/django/thunderstore/repository/api/experimental/views/package_index.py
index 803a6b4d9..eb0322aba 100644
--- a/django/thunderstore/repository/api/experimental/views/package_index.py
+++ b/django/thunderstore/repository/api/experimental/views/package_index.py
@@ -43,7 +43,8 @@ def get_dependencies(self, instance: PackageVersion) -> List[str]:
 
 def serialize_package_index() -> bytes:
     versions: PackageVersionQuerySet = (
-        PackageVersion.objects.active()
+        PackageVersion.objects.system()
+        .active()
         .annotate(namespace=F("package__namespace"))
         .prefetch_related("dependencies", "dependencies__package")
     )
diff --git a/django/thunderstore/repository/api/experimental/views/package_version.py b/django/thunderstore/repository/api/experimental/views/package_version.py
index 878b52263..1a926b269 100644
--- a/django/thunderstore/repository/api/experimental/views/package_version.py
+++ b/django/thunderstore/repository/api/experimental/views/package_version.py
@@ -38,7 +38,8 @@ def get_object(self):
 
     def get_queryset(self):
         return (
-            PackageVersion.objects.active()
+            PackageVersion.objects.system()
+            .active()
             .select_related(
                 "package",
                 "package__owner",
diff --git a/django/thunderstore/repository/api/v1/views/metrics.py b/django/thunderstore/repository/api/v1/views/metrics.py
index 31351571a..78c81b960 100644
--- a/django/thunderstore/repository/api/v1/views/metrics.py
+++ b/django/thunderstore/repository/api/v1/views/metrics.py
@@ -45,7 +45,7 @@ class PackageVersionMetricsApiView(APIView):
     )
     def get(self, request: Request, namespace: str, name: str, version: str):
         obj = get_object_or_404(
-            PackageVersion.objects.active(),
+            PackageVersion.objects.system().active(),
             package__is_active=True,
             package__namespace__name=namespace,
             name=name,
diff --git a/django/thunderstore/repository/api/v1/viewsets.py b/django/thunderstore/repository/api/v1/viewsets.py
index 6e85786d7..75d1c1dcf 100644
--- a/django/thunderstore/repository/api/v1/viewsets.py
+++ b/django/thunderstore/repository/api/v1/viewsets.py
@@ -42,7 +42,7 @@ def serialize_package_list_for_community(community: Community) -> bytes:
     result.write(b"[")
     for index, ids in enumerate(batch(batch_size, listing_ids)):
         queryset = order_package_listing_queryset(
-            PackageListing.objects.filter(id__in=ids)
+            PackageListing.objects.system().filter(id__in=ids)
         )
         serializer = PACKAGE_SERIALIZER(
             queryset,
diff --git a/django/thunderstore/repository/models/cache.py b/django/thunderstore/repository/models/cache.py
index 6a0f2947a..92277f27b 100644
--- a/django/thunderstore/repository/models/cache.py
+++ b/django/thunderstore/repository/models/cache.py
@@ -254,10 +254,11 @@ def get_package_listing_chunk(
     ordering = models.Case(
         *[models.When(id=id, then=pos) for pos, id in enumerate(listing_ids)]
     )
-    listing_ref = PackageListing.objects.filter(pk=models.OuterRef("pk"))
+    listing_ref = PackageListing.objects.system().filter(pk=models.OuterRef("pk"))
 
     return (
-        PackageListing.objects.filter(id__in=listing_ids)
+        PackageListing.objects.system()
+        .filter(id__in=listing_ids)
         .select_related("community", "package", "package__owner")
         .prefetch_related("categories", "community__sites", "package__versions")
         .annotate(
diff --git a/django/thunderstore/repository/models/package.py b/django/thunderstore/repository/models/package.py
index 8ae0fb64e..433734353 100644
--- a/django/thunderstore/repository/models/package.py
+++ b/django/thunderstore/repository/models/package.py
@@ -125,10 +125,15 @@ def get_or_create_package_listing(self, community):
     def get_package_listing(self, community):
         from thunderstore.community.models import PackageListing
 
-        return PackageListing.objects.filter(
-            package=self,
-            community=community,
-        ).first()
+        return (
+            PackageListing.objects.system()
+            .active()
+            .filter(
+                package=self,
+                community=community,
+            )
+            .first()
+        )
 
     def update_listing(self, has_nsfw_content, categories, community):
         listing = self.get_or_create_package_listing(community)
@@ -268,7 +273,7 @@ def get_view_on_site_url(self) -> Optional[str]:
         # TODO: Point this to the main page of a package once that exists as a concept
         from thunderstore.community.models import PackageListing
 
-        listing = PackageListing.objects.active().filter(package=self).first()
+        listing = PackageListing.objects.system().active().filter(package=self).first()
         return listing.get_full_url() if listing else None
 
     def get_page_url(self, community_identifier: str) -> str:
diff --git a/django/thunderstore/repository/models/package_version.py b/django/thunderstore/repository/models/package_version.py
index 0c32aa5f2..034f7525d 100644
--- a/django/thunderstore/repository/models/package_version.py
+++ b/django/thunderstore/repository/models/package_version.py
@@ -50,12 +50,9 @@ def get_version_png_filepath(instance, filename):
 
 
 class PackageVersionQuerySet(VisibilityQuerySet):
-    def active(self) -> "QuerySet[PackageVersion]":  # TODO: Generic type
+    def active(self):
         return self.exclude(is_active=False)
 
-    def public_list(self):
-        return super(PackageVersionQuerySet, self.active()).public_list()
-
     def filter_by_review_status(self):
         return self.exclude(review_status__in=["pending", "rejected"])
 
@@ -279,7 +276,7 @@ def post_delete(sender, instance, **kwargs):
 
     @classmethod
     def get_total_used_disk_space(cls):
-        return cls.objects.aggregate(total=Sum("file_size"))["total"] or 0
+        return cls.objects.system().aggregate(total=Sum("file_size"))["total"] or 0
 
     @run_after_commit
     def announce_release(self):
diff --git a/django/thunderstore/repository/package_reference.py b/django/thunderstore/repository/package_reference.py
index 98e75c0b6..e93a6f1a9 100644
--- a/django/thunderstore/repository/package_reference.py
+++ b/django/thunderstore/repository/package_reference.py
@@ -188,7 +188,7 @@ def queryset(self) -> QuerySet:
         :rtype: QuerySet of PackageVersion or Package
         """
         if self.version:
-            return PackageVersion.objects.filter(**self.get_filter_kwargs())
+            return PackageVersion.objects.system().filter(**self.get_filter_kwargs())
         else:
             return Package.objects.filter(**self.get_filter_kwargs())
 
diff --git a/django/thunderstore/repository/tasks/downloads.py b/django/thunderstore/repository/tasks/downloads.py
index bbb35e7df..d70713017 100644
--- a/django/thunderstore/repository/tasks/downloads.py
+++ b/django/thunderstore/repository/tasks/downloads.py
@@ -18,6 +18,6 @@ def log_version_download(version_id: int, timestamp: str):
             version_id=version_id,
             timestamp=datetime.fromisoformat(timestamp),
         )
-        PackageVersion.objects.filter(id=version_id).update(
+        PackageVersion.objects.system().active().filter(id=version_id).update(
             downloads=F("downloads") + 1
         )
diff --git a/django/thunderstore/repository/views/package/_utils.py b/django/thunderstore/repository/views/package/_utils.py
index 06a932a3f..70cc0b3ac 100644
--- a/django/thunderstore/repository/views/package/_utils.py
+++ b/django/thunderstore/repository/views/package/_utils.py
@@ -23,7 +23,8 @@ def get_package_listing_or_404(
 ) -> PackageListing:
     owner = get_object_or_404(Team, name=namespace)
     package_listing = (
-        PackageListing.objects.active()
+        PackageListing.objects.system()
+        .active()
         .filter(
             package__owner=owner,
             package__name=name,
diff --git a/django/thunderstore/repository/views/package/create.py b/django/thunderstore/repository/views/package/create.py
index 2e3f38b80..e973a9b8f 100644
--- a/django/thunderstore/repository/views/package/create.py
+++ b/django/thunderstore/repository/views/package/create.py
@@ -72,10 +72,14 @@ def get_form_kwargs(self, *args, **kwargs):
     @transaction.atomic
     def form_valid(self, form):
         instance: PackageVersion = form.save()
-        listing = PackageListing.objects.filter(
-            package=instance.package,
-            community__in=form.cleaned_data.get("communities"),
-        ).first()
+        listing = (
+            PackageListing.objects.system()
+            .filter(
+                package=instance.package,
+                community__in=form.cleaned_data.get("communities"),
+            )
+            .first()
+        )
         # TODO: Remove reliance on instance.get_absolute_url()
         redirect_url = (
             listing.get_full_url() if listing else instance.get_absolute_url()
diff --git a/django/thunderstore/repository/views/package/download.py b/django/thunderstore/repository/views/package/download.py
index 6c8df1a46..2970fecab 100644
--- a/django/thunderstore/repository/views/package/download.py
+++ b/django/thunderstore/repository/views/package/download.py
@@ -28,7 +28,8 @@ def get_download_meta(
             pass
 
     data = (
-        PackageVersion.objects.filter(
+        PackageVersion.objects.system()
+        .filter(
             package__namespace__name=namespace,
             package__name=name,
             version_number=version_number,
diff --git a/django/thunderstore/repository/views/package/list.py b/django/thunderstore/repository/views/package/list.py
index 5cdad022a..049ec8777 100644
--- a/django/thunderstore/repository/views/package/list.py
+++ b/django/thunderstore/repository/views/package/list.py
@@ -226,7 +226,7 @@ def filter_visibility(
         return queryset.public_list()
 
     def get_queryset(self):
-        listing_ref = PackageListing.objects.filter(pk=OuterRef("pk"))
+        listing_ref = PackageListing.objects.system().filter(pk=OuterRef("pk"))
 
         queryset = (
             self.get_base_queryset()
@@ -440,8 +440,12 @@ def dispatch(self, *args, **kwargs):
         return super().dispatch(*args, **kwargs)
 
     def get_base_queryset(self):
-        return PackageListing.objects.exclude(
-            ~Q(package__in=get_package_dependants(self.package_listing.package.pk)),
+        return (
+            PackageListing.objects.system()
+            .active()
+            .exclude(
+                ~Q(package__in=get_package_dependants(self.package_listing.package.pk)),
+            )
         )
 
     def get_page_title(self):

From 21de7da743e3a0ea14983a3a7faca91c6af832f4 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 17 Dec 2024 15:06:00 -0500
Subject: [PATCH 57/61] Add visibility code convention test

Add a test to ensure that models with visibility (currently PackageListing and
PackageVersion) are not called without specifying visibility.
---
 .../core/tests/test_coding_conventions.py     | 53 +++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 django/thunderstore/core/tests/test_coding_conventions.py

diff --git a/django/thunderstore/core/tests/test_coding_conventions.py b/django/thunderstore/core/tests/test_coding_conventions.py
new file mode 100644
index 000000000..ccc63d186
--- /dev/null
+++ b/django/thunderstore/core/tests/test_coding_conventions.py
@@ -0,0 +1,53 @@
+import ast
+import os
+
+import pytest
+
+visibility_classes = ["PackageListing", "PackageVersion"]
+
+safe_functions = ["public_list", "system", "get", "create", "get_or_create"]
+
+excluded_filepaths = ["/migrations/", "/tests/", "/commands/", "/conftest.py"]
+
+
+def find_violations(tree, file_path):
+    violations = []
+
+    for node in ast.walk(tree):
+        if (
+            isinstance(node, ast.Attribute)
+            and isinstance(node.value, ast.Attribute)
+            and node.value.attr == "objects"
+            and isinstance(node.value.value, ast.Name)
+            and node.value.value.id in visibility_classes
+            and node.attr not in safe_functions
+        ):
+            violations.append(
+                f"'{node.value.value.id}.objects.{node.attr}' at line {node.lineno} of '{file_path}'"
+            )
+    return violations
+
+
+@pytest.mark.django_db
+def test_visibility_mixin_usage():
+    violations = []
+
+    for root, _, files in os.walk("../app/"):
+        for file in files:
+            if file.endswith(".py"):
+                file_path = os.path.join(root, file)
+                if not any(excluded in file_path for excluded in excluded_filepaths):
+                    with open(file_path, "r", encoding="utf-8") as f:
+                        try:
+                            tree = ast.parse(f.read(), filename=file_path)
+
+                            violations.extend(find_violations(tree, file_path))
+                        except SyntaxError as e:
+                            pytest.fail(f"Syntax error in {file_path}: {e}")
+
+    if violations:
+        pytest.fail(
+            "Found unsafe usage of visibility objects:\n"
+            + "\n".join(violations)
+            + "\nObjects with visibility should always be called with .public_list() or .system()"
+        )

From 16256f0bd7db932095ae9236e051d24f702f273f Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 17 Dec 2024 15:48:10 -0500
Subject: [PATCH 58/61] Master into version-level-review merge migration

---
 .../migrations/0033_merge_20241217_2045.py          | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 django/thunderstore/community/migrations/0033_merge_20241217_2045.py

diff --git a/django/thunderstore/community/migrations/0033_merge_20241217_2045.py b/django/thunderstore/community/migrations/0033_merge_20241217_2045.py
new file mode 100644
index 000000000..21e4df3eb
--- /dev/null
+++ b/django/thunderstore/community/migrations/0033_merge_20241217_2045.py
@@ -0,0 +1,13 @@
+# Generated by Django 3.1.7 on 2024-12-17 20:45
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("community", "0031_community_short_description"),
+        ("community", "0032_auto_20241112_1930"),
+    ]
+
+    operations = []

From b6227c995765d09d0e71a69516d0204a99bb7e9c Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 17 Dec 2024 16:49:43 -0500
Subject: [PATCH 59/61] Fix views 404ing shortly after approval

Fix package views 404ing shortly after approval due to the slow
propagation of package.latest
---
 django/thunderstore/repository/views/mixins.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/django/thunderstore/repository/views/mixins.py b/django/thunderstore/repository/views/mixins.py
index de1979018..d9a22e417 100644
--- a/django/thunderstore/repository/views/mixins.py
+++ b/django/thunderstore/repository/views/mixins.py
@@ -245,6 +245,8 @@ def get_context_data(self, *args, **kwargs):
         )
 
         version = package_listing.package.latest
+        if not version:
+            version = package_listing.package.available_versions.first()
         if not version:
             version = package_listing.package.unavailable_versions.first()
 

From a25b760b7d3cfc202a842797ef05d7e7e2f6087e Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Fri, 20 Dec 2024 10:19:32 -0500
Subject: [PATCH 60/61] Fix changelog view breaking when latest is None

Fix changelog view breaking when latest is None
---
 .../templates/community/packagelisting_changelog.html  | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/django/thunderstore/community/templates/community/packagelisting_changelog.html b/django/thunderstore/community/templates/community/packagelisting_changelog.html
index c327cc69c..2a2df0d16 100644
--- a/django/thunderstore/community/templates/community/packagelisting_changelog.html
+++ b/django/thunderstore/community/templates/community/packagelisting_changelog.html
@@ -11,7 +11,7 @@
     <meta property="og:title" content="{{ object.package.display_name }} changelog" />
     <meta property="og:type" content="website" />
     <meta property="og:url" content="{{ request.build_absolute_uri }}" />
-    <meta property="og:image" content="{% thumbnail object.package.icon 256x256 %}" />
+    <meta property="og:image" content="{% thumbnail version.icon 256x256 %}" />
     <meta property="og:image:width" content="256" />
     <meta property="og:image:height" content="256" />
 
@@ -23,7 +23,7 @@
 
 {% include "community/includes/package_management_panel.html" %}
 
-{% cache_until "any_package_updated" "mod-detail-changelog-header" 300 object.package.pk object.package.latest.pk community_identifier %}
+{% cache_until "any_package_updated" "mod-detail-changelog-header" 300 object.package.pk version.pk community_identifier %}
 
 <nav class="mt-3" aria-label="breadcrumb">
     <ol class="breadcrumb">
@@ -38,7 +38,7 @@
 
 {% include "community/includes/package_status.html" %}
 
-{% cache_until "any_package_updated" "mod-detail-changelog" 300 object.package.pk object.package.latest.pk community_identifier %}
+{% cache_until "any_package_updated" "mod-detail-changelog" 300 object.package.pk version.pk community_identifier %}
 
 <div class="card bg-light mt-2">
     {% include "community/includes/package_tabs.html" with tabs=tabs %}
@@ -47,9 +47,9 @@
 
 <div class="card bg-light mb-2 mt-2">
     <div class="card-header"><h4 class="mb-0">CHANGELOG</h4></div>
-    {% if object.package.changelog %}
+    {% if version.changelog %}
     <div class="card-body markdown-body">
-        {{ object.package.changelog|markdownify }}
+        {{ version.changelog|markdownify }}
     </div>
     {% else %}
     <div class="card-body">

From 39acac4652e69b775c85709eda6accfb3470eae1 Mon Sep 17 00:00:00 2001
From: "753.network" <PrimaryInfinity@gmail.com>
Date: Tue, 14 Jan 2025 11:47:52 -0500
Subject: [PATCH 61/61] Add custom Flake8 plugin

Create a new python project for flake8 plugins, currently only containing
a plugin to test for unsafe usage of models with visibility
---
 Dockerfile                                    |  1 +
 django/poetry.lock                            | 16 +++++-
 django/pyproject.toml                         |  1 +
 .../core/tests/test_coding_conventions.py     | 53 -------------------
 .../flake8_thunderstore/__init__.py           |  1 +
 .../visibility_coding_conventions.py          | 36 +++++++++++++
 flake8-thunderstore/pyproject.toml            | 18 +++++++
 7 files changed, 72 insertions(+), 54 deletions(-)
 delete mode 100644 django/thunderstore/core/tests/test_coding_conventions.py
 create mode 100644 flake8-thunderstore/flake8_thunderstore/__init__.py
 create mode 100644 flake8-thunderstore/flake8_thunderstore/visibility_coding_conventions.py
 create mode 100644 flake8-thunderstore/pyproject.toml

diff --git a/Dockerfile b/Dockerfile
index 5a2faa54a..d30a35f76 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,6 +22,7 @@ RUN apt-get update && apt-get install -y \
     curl build-essential git \
  && rm -rf /var/lib/apt/lists/*
 
+COPY ./flake8-thunderstore/ /flake8-thunderstore
 COPY ./python-packages/ /python-packages
 COPY ./django/pyproject.toml ./django/poetry.lock /app/
 
diff --git a/django/poetry.lock b/django/poetry.lock
index c7f972332..3c77ad308 100644
--- a/django/poetry.lock
+++ b/django/poetry.lock
@@ -1199,6 +1199,20 @@ files = [
 [package.dependencies]
 flake8-plugin-utils = ">=1.3.1,<2.0.0"
 
+[[package]]
+name = "flake8-thunderstore"
+version = "1.0.2"
+description = "Custom Flake8 plugins for Thunderstore"
+category = "dev"
+optional = false
+python-versions = "*"
+files = []
+develop = true
+
+[package.source]
+type = "directory"
+url = "../flake8-thunderstore"
+
 [[package]]
 name = "freezegun"
 version = "1.2.1"
@@ -3136,4 +3150,4 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"]
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.8"
-content-hash = "623250fdf603ca415bb23c6a46c57bfa86499fb51c77b1ef0a6c6f1d74ef6e29"
+content-hash = "74f60c439cb2cb3633591a4e7f5a573b80664da66a52d89db894d07e0eab1a69"
diff --git a/django/pyproject.toml b/django/pyproject.toml
index 0d43fcfbe..714274ff6 100644
--- a/django/pyproject.toml
+++ b/django/pyproject.toml
@@ -70,6 +70,7 @@ flake8-comprehensions = "^3.3.1"
 flake8-pie = "^0.6.1"
 flake8-printf-formatting = "^1.1.0"
 flake8-pytest-style = "^1.3.0"
+flake8-thunderstore = { path = "../flake8-thunderstore", develop = true }
 pep8-naming = "^0.11.1"
 watchdog = {extras = ["watchmedo"], version = "^1.0.2"}
 mypy-boto3-s3 = "^1.17.47"
diff --git a/django/thunderstore/core/tests/test_coding_conventions.py b/django/thunderstore/core/tests/test_coding_conventions.py
deleted file mode 100644
index ccc63d186..000000000
--- a/django/thunderstore/core/tests/test_coding_conventions.py
+++ /dev/null
@@ -1,53 +0,0 @@
-import ast
-import os
-
-import pytest
-
-visibility_classes = ["PackageListing", "PackageVersion"]
-
-safe_functions = ["public_list", "system", "get", "create", "get_or_create"]
-
-excluded_filepaths = ["/migrations/", "/tests/", "/commands/", "/conftest.py"]
-
-
-def find_violations(tree, file_path):
-    violations = []
-
-    for node in ast.walk(tree):
-        if (
-            isinstance(node, ast.Attribute)
-            and isinstance(node.value, ast.Attribute)
-            and node.value.attr == "objects"
-            and isinstance(node.value.value, ast.Name)
-            and node.value.value.id in visibility_classes
-            and node.attr not in safe_functions
-        ):
-            violations.append(
-                f"'{node.value.value.id}.objects.{node.attr}' at line {node.lineno} of '{file_path}'"
-            )
-    return violations
-
-
-@pytest.mark.django_db
-def test_visibility_mixin_usage():
-    violations = []
-
-    for root, _, files in os.walk("../app/"):
-        for file in files:
-            if file.endswith(".py"):
-                file_path = os.path.join(root, file)
-                if not any(excluded in file_path for excluded in excluded_filepaths):
-                    with open(file_path, "r", encoding="utf-8") as f:
-                        try:
-                            tree = ast.parse(f.read(), filename=file_path)
-
-                            violations.extend(find_violations(tree, file_path))
-                        except SyntaxError as e:
-                            pytest.fail(f"Syntax error in {file_path}: {e}")
-
-    if violations:
-        pytest.fail(
-            "Found unsafe usage of visibility objects:\n"
-            + "\n".join(violations)
-            + "\nObjects with visibility should always be called with .public_list() or .system()"
-        )
diff --git a/flake8-thunderstore/flake8_thunderstore/__init__.py b/flake8-thunderstore/flake8_thunderstore/__init__.py
new file mode 100644
index 000000000..4ecb0f839
--- /dev/null
+++ b/flake8-thunderstore/flake8_thunderstore/__init__.py
@@ -0,0 +1 @@
+from .visibility_coding_conventions import VisibilityCodingConventions
diff --git a/flake8-thunderstore/flake8_thunderstore/visibility_coding_conventions.py b/flake8-thunderstore/flake8_thunderstore/visibility_coding_conventions.py
new file mode 100644
index 000000000..5c6a459ae
--- /dev/null
+++ b/flake8-thunderstore/flake8_thunderstore/visibility_coding_conventions.py
@@ -0,0 +1,36 @@
+import ast
+
+from flake8_plugin_utils import Plugin
+
+
+class VisibilityCodingConventions(Plugin):
+    name = "visibility-coding-conventions"
+    version = "1.0.1"
+
+    visibility_classes = ["PackageListing", "PackageVersion"]
+    safe_functions = ["public_list", "system", "get", "create", "get_or_create"]
+    excluded_filepaths = ["/migrations/", "/tests/", "/commands/", "/conftest.py"]
+
+    def __init__(self, tree: ast.AST, filename: str) -> None:
+        self.tree = tree
+        self.filename = filename
+
+    def run(self):
+        if any(excluded in self.filename for excluded in self.excluded_filepaths):
+            return
+
+        for node in ast.walk(self.tree):
+            if (
+                isinstance(node, ast.Attribute)
+                and isinstance(node.value, ast.Attribute)
+                and node.value.attr == "objects"
+                and isinstance(node.value.value, ast.Name)
+                and node.value.value.id in self.visibility_classes
+                and node.attr not in self.safe_functions
+            ):
+                yield (
+                    node.lineno,
+                    node.col_offset,
+                    f"VIS753 {node.value.value.id}.objects.{node.attr} is unsafe; Objects with visibility should always be called with .public_list() or .system())",
+                    type(self),
+                )
diff --git a/flake8-thunderstore/pyproject.toml b/flake8-thunderstore/pyproject.toml
new file mode 100644
index 000000000..99aab4364
--- /dev/null
+++ b/flake8-thunderstore/pyproject.toml
@@ -0,0 +1,18 @@
+[tool.poetry]
+name = "flake8-thunderstore"
+version = "1.0.2"
+description = "Custom Flake8 plugins for Thunderstore"
+authors = ["753 <753@753.network>"]
+packages = [
+    { include = "flake8_thunderstore" },
+]
+
+[tool.poetry.dependencies]
+python = "*"
+
+[build-system]
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"
+
+[tool.poetry.plugins."flake8.extension"]
+VIS = 'flake8_thunderstore.visibility_coding_conventions:VisibilityCodingConventions'