Version level review

builder/src/scss/package-list.scss

@@ -16,6 +16,13 @@
     transform-origin: center;
 }
 
+.unavailable {
+    position: absolute;
+    z-index: 1;
+    pointer-events: none;
+    text-align: right;
+}
+
 .search-options {
     .checkbox {
         display: flex;

django/thunderstore/api/cyberstorm/tests/test_package_version_list.py

@@ -1,6 +1,8 @@
 import pytest
 from rest_framework.test import APIClient
 
+from thunderstore.permissions.factories import VisibilityFlagsFactory
+from thunderstore.repository.consts import PackageVersionReviewStatus
 from thunderstore.repository.factories import PackageVersionFactory
 from thunderstore.repository.models import Package
 
@@ -48,3 +50,58 @@ def test_package_version_list_api_view__returns_versions(
 
     assert len(actual) == 1
     assert actual[0]["version_number"] == expected.version_number
+
+
+@pytest.mark.django_db
+def test_only_visible_versions_are_returned(
+    api_client: APIClient,
+) -> None:
+    version1 = PackageVersionFactory(version_number="1.0.0")
+    version1.review_status = PackageVersionReviewStatus.approved
+    version1.save()
+
+    version2 = PackageVersionFactory(package=version1.package, version_number="2.0.0")
+    version2.review_status = PackageVersionReviewStatus.rejected
+    version2.save()
+
+    assert version1.visibility.public_list is True
+    assert version2.visibility.public_list is False
+
+    response = api_client.get(
+        f"/api/cyberstorm/package/{version1.package.namespace}/{version1.package.name}/versions/",
+    )
+    actual = response.json()
+
+    assert len(actual) == 1
+    assert actual[0]["version_number"] == version1.version_number
+
+
+@pytest.mark.django_db
+def test_latest_is_visible_if_possible(
+    api_client: APIClient,
+) -> None:
+    version1 = PackageVersionFactory(version_number="1.0.0")
+    version1.visibility = VisibilityFlagsFactory(public_list=True)
+    version1.save()
+
+    version2 = PackageVersionFactory(package=version1.package, version_number="2.0.0")
+    version2.visibility = VisibilityFlagsFactory(public_list=True)
+    version2.save()
+
+    version1.package.recache_latest()
+
+    assert version1.package.latest == version2
+
+    version2.review_status = PackageVersionReviewStatus.rejected
+    version2.save()
+
+    version1.package.recache_latest()
+
+    assert version1.package.latest == version1
+
+    version1.review_status = PackageVersionReviewStatus.rejected
+    version1.save()
+
+    version1.package.recache_latest()
+
+    assert version1.package.latest == version1

django/thunderstore/api/cyberstorm/views/package_listing.py

@@ -144,8 +144,7 @@ def get_custom_package_listing(
     listing_ref = PackageListing.objects.filter(pk=OuterRef("pk"))
 
     qs = (
-        PackageListing.objects.active()
-        .filter_by_community_approval_rule()
+        PackageListing.objects.public_list()
         .select_related(
             "community",
             "package__latest",

django/thunderstore/api/cyberstorm/views/package_version_list.py

@@ -27,4 +27,4 @@ def get_queryset(self):
             name__iexact=self.kwargs["package_name"],
         )
 
-        return package.versions.active()
+        return package.versions.public_list()

django/thunderstore/community/migrations/0030_packagelisting_visibility.py

@@ -0,0 +1,25 @@
+# Generated by Django 3.1.7 on 2024-10-03 19:34
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("permissions", "0001_initial"),
+        ("community", "0029_packagelisting_is_auto_imported"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="packagelisting",
+            name="visibility",
+            field=models.OneToOneField(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.PROTECT,
+                to="permissions.visibilityflags",
+            ),
+        ),
+    ]

django/thunderstore/community/migrations/0031_create_default_visibility_for_existing_listings.py

@@ -0,0 +1,80 @@
+from django.db import migrations
+
+from thunderstore.community.consts import PackageListingReviewStatus
+
+
+def create_default_visibility_for_existing_records(apps, schema_editor):
+    PackageListing = apps.get_model("community", "PackageListing")
+    VisibilityFlags = apps.get_model("permissions", "VisibilityFlags")
+
+    for instance in PackageListing.objects.filter(visibility__isnull=True):
+        visibility_flags = VisibilityFlags.objects.create(
+            public_list=False,
+            public_detail=False,
+            owner_list=True,
+            owner_detail=True,
+            moderator_list=True,
+            moderator_detail=True,
+            admin_list=True,
+            admin_detail=True,
+        )
+        instance.visibility = visibility_flags
+        instance.save()
+        update_visibility(instance)
+
+
+def update_visibility(listing):
+    listing.visibility.public_detail = True
+    listing.visibility.public_list = True
+    listing.visibility.owner_detail = True
+    listing.visibility.owner_list = True
+    listing.visibility.moderator_detail = True
+    listing.visibility.moderator_list = True
+
+    if not listing.package.is_active:
+        listing.visibility.public_detail = False
+        listing.visibility.public_list = False
+        listing.visibility.owner_detail = False
+        listing.visibility.owner_list = False
+        listing.visibility.moderator_detail = False
+        listing.visibility.moderator_list = False
+
+    if listing.review_status == PackageListingReviewStatus.rejected:
+        listing.visibility.public_detail = False
+        listing.visibility.public_list = False
+
+    if (
+        listing.community.require_package_listing_approval
+        and listing.review_status == PackageListingReviewStatus.unreviewed
+    ):
+        listing.visibility.public_detail = False
+        listing.visibility.public_list = False
+
+    versions = listing.package.versions.filter(is_active=True).all()
+    if versions.exclude(visibility__public_detail=False).count() == 0:
+        listing.visibility.public_detail = False
+    if versions.exclude(visibility__public_list=False).count() == 0:
+        listing.visibility.public_list = False
+    if versions.exclude(visibility__owner_detail=False).count() == 0:
+        listing.visibility.owner_detail = False
+    if versions.exclude(visibility__owner_list=False).count() == 0:
+        listing.visibility.owner_list = False
+    if versions.exclude(visibility__moderator_detail=False).count() == 0:
+        listing.visibility.moderator_detail = False
+    if versions.exclude(visibility__moderator_list=False).count() == 0:
+        listing.visibility.moderator_list = False
+
+    listing.visibility.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("community", "0030_packagelisting_visibility"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            create_default_visibility_for_existing_records, migrations.RunPython.noop
+        ),
+    ]

django/thunderstore/community/models/package_listing.py

@@ -15,6 +15,8 @@
 from thunderstore.core.types import UserType
 from thunderstore.core.utils import check_validity
 from thunderstore.frontend.url_reverse import get_community_url_reverse_args
+from thunderstore.permissions.mixins import VisibilityMixin, VisibilityQuerySet
+from thunderstore.permissions.models import VisibilityFlags
 from thunderstore.permissions.utils import validate_user
 from thunderstore.webhooks.audit import (
     AuditAction,
@@ -27,12 +29,15 @@
     from thunderstore.community.models import PackageCategory
 
 
-class PackageListingQueryset(models.QuerySet):
+class PackageListingQueryset(VisibilityQuerySet):
     def active(self):
         return self.exclude(package__is_active=False).exclude(
             ~Q(package__versions__is_active=True)
         )
 
+    def public_list(self):
+        return super(PackageListingQueryset, self.active()).public_list()
+
     def approved(self):
         return self.exclude(~Q(review_status=PackageListingReviewStatus.approved))
 
@@ -46,7 +51,7 @@ def filter_by_community_approval_rule(self):
 # TODO: Add a db constraint that ensures a package listing and it's categories
 #       belong to the same community. This might require actually specifying
 #       the intermediate model in code rather than letting Django handle it
-class PackageListing(TimestampMixin, AdminLinkMixin, models.Model):
+class PackageListing(TimestampMixin, VisibilityMixin, AdminLinkMixin, models.Model):
     """
     Represents a package's relation to how it's displayed on the site and APIs
     """
@@ -212,7 +217,7 @@ def reject(
             message = "\n\n".join(filter(bool, (rejection_reason, internal_notes)))
             fire_audit_event(
                 self.build_audit_event(
-                    action=AuditAction.PACKAGE_REJECTED,
+                    action=AuditAction.LISTING_REJECTED,
                     user_id=agent.pk if agent else None,
                     message=message,
                 )
@@ -238,7 +243,7 @@ def approve(
             )
             fire_audit_event(
                 self.build_audit_event(
-                    action=AuditAction.PACKAGE_APPROVED,
+                    action=AuditAction.LISTING_APPROVED,
                     user_id=agent.pk if agent else None,
                     message=internal_notes,
                 )
@@ -331,32 +336,52 @@ def check_update_categories_permission(self, user: Optional[UserType]) -> bool:
     def can_user_manage_approval_status(self, user: Optional[UserType]) -> bool:
         return self.can_be_moderated_by_user(user)
 
-    def ensure_can_be_viewed_by_user(self, user: Optional[UserType]) -> None:
-        def get_has_perms() -> bool:
-            return (
-                user is not None
-                and user.is_authenticated
-                and (
-                    self.community.can_user_manage_packages(user)
-                    or self.package.owner.can_user_access(user)
-                )
-            )
-
-        if self.community.require_package_listing_approval:
-            if (
-                self.review_status != PackageListingReviewStatus.approved
-                and not get_has_perms()
-            ):
-                raise ValidationError("Insufficient permissions to view")
-        else:
-            if (
-                self.review_status == PackageListingReviewStatus.rejected
-                and not get_has_perms()
-            ):
-                raise ValidationError("Insufficient permissions to view")
-
-    def can_be_viewed_by_user(self, user: Optional[UserType]) -> bool:
-        return check_validity(lambda: self.ensure_can_be_viewed_by_user(user))
+    @transaction.atomic
+    def update_visibility(self):
+        if not self.visibility:
+            self.visibility = VisibilityFlags.objects.create_unpublished()
+
+        self.visibility.public_detail = True
+        self.visibility.public_list = True
+        self.visibility.owner_detail = True
+        self.visibility.owner_list = True
+        self.visibility.moderator_detail = True
+        self.visibility.moderator_list = True
+
+        if not self.package.is_active:
+            self.visibility.public_detail = False
+            self.visibility.public_list = False
+            self.visibility.owner_detail = False
+            self.visibility.owner_list = False
+            self.visibility.moderator_detail = False
+            self.visibility.moderator_list = False
+
+        if self.review_status == PackageListingReviewStatus.rejected:
+            self.visibility.public_detail = False
+            self.visibility.public_list = False
+
+        if (
+            self.community.require_package_listing_approval
+            and self.review_status == PackageListingReviewStatus.unreviewed
+        ):
+            self.visibility.public_detail = False
+            self.visibility.public_list = False
+
+        versions = self.package.versions.filter(is_active=True).all()
+        if versions.exclude(visibility__public_detail=False).count() == 0:
+            self.visibility.public_detail = False
+        if versions.exclude(visibility__public_list=False).count() == 0:
+            self.visibility.public_list = False
+        if versions.exclude(visibility__owner_detail=False).count() == 0:
+            self.visibility.owner_detail = False
+        if versions.exclude(visibility__owner_list=False).count() == 0:
+            self.visibility.owner_list = False
+        if versions.exclude(visibility__moderator_detail=False).count() == 0:
+            self.visibility.moderator_detail = False
+        if versions.exclude(visibility__moderator_list=False).count() == 0:
+            self.visibility.moderator_list = False
+
+        self.visibility.save()
 
 
 signals.post_save.connect(PackageListing.post_save, sender=PackageListing)

django/thunderstore/community/templates/community/includes/package_management_panel.html

@@ -0,0 +1,28 @@
+{% load encode_props %}
+
+{% if show_management_panel %}
+<div class="d-flex justify-content-end gap-1">
+    {% if review_panel_props %}
+    <div id="package-review-panel"></div>
+    <script type="text/javascript">
+        window.ts.PackageReviewPanel(
+            document.getElementById("package-review-panel"),
+            {{ review_panel_props|encode_props }}
+        );
+    </script>
+    {% endif %}
+    <div id="package-management-panel"></div>
+    {% if show_listing_admin_link %}
+    <a href="{% url "admin:community_packagelisting_change" object.pk %}" type="button" class="btn btn-primary"><span class="fas fa-external-link-alt"></span>&nbsp;&nbsp;Listing admin</a>
+    {% endif %}
+    {% if show_package_admin_link %}
+    <a href="{% url "admin:repository_package_change" object.package.pk %}" type="button" class="btn btn-primary"><span class="fas fa-external-link-alt"></span>&nbsp;&nbsp;Package admin</a>
+    {% endif %}
+</div>
+<script type="text/javascript">
+window.ts.PackageManagementPanel(
+    document.getElementById("package-management-panel"),
+    {{ management_panel_props|encode_props }}
+);
+</script>
+{% endif %}