wtv

files/views/comments.py

@@ -75,8 +75,11 @@ class CommentDetail(APIView):
         try:
             media = Media.objects.select_related("user").get(friendly_token=friendly_token)
             self.check_object_permissions(self.request, media)
-            if media.state == "private" and self.request.user != media.user:
-                return Response({"detail": "media is private"}, status=status.HTTP_400_BAD_REQUEST)
+            if media.state == "private":
+                user = self.request.user
+                has_access = user.is_authenticated and (user.has_member_access_to_media(media) or is_mediacms_editor(user))
+                if not has_access:
+                    return Response({"detail": "media is private"}, status=status.HTTP_400_BAD_REQUEST)
             return media
         except PermissionDenied:
             return Response({"detail": "bad permissions"}, status=status.HTTP_400_BAD_REQUEST)
@@ -97,7 +100,7 @@ class CommentDetail(APIView):
         media = self.get_object(friendly_token)
         if isinstance(media, Response):
             return media
-        comments = media.comments.filter().prefetch_related("user")
+        comments = media.comments.filter().prefetch_related("user").order_by("-add_date")
         pagination_class = api_settings.DEFAULT_PAGINATION_CLASS
         paginator = pagination_class()
         page = paginator.paginate_queryset(comments, request)

files/views/media.py

@@ -2,7 +2,7 @@ from datetime import datetime, timedelta
 
 from django.conf import settings
 from django.contrib.postgres.search import SearchQuery
-from django.db.models import Count, Prefetch, Q, prefetch_related_objects
+from django.db.models import Count, F, Prefetch, Q, prefetch_related_objects
 from django.shortcuts import get_object_or_404
 from drf_yasg import openapi
 from drf_yasg.utils import swagger_auto_schema
@@ -779,24 +779,22 @@ class MediaBulkUserActions(APIView):
 
             if has_media:
                 if remove_permissions:
-                    MediaPermission.objects.filter(media__in=selected_media, user__in=group_users).delete()
-                    # Delete EmbedMediaCourse records and owner MediaPermissions for embedded media
+                    MediaPermission.objects.filter(media__in=selected_media, user__in=group_users).exclude(user=F('media__user')).delete()
                     selected_embedded = embed_qs.filter(media__in=selected_media)
                     selected_embedded_media_ids = list(selected_embedded.values_list('media_id', flat=True))
                     selected_embedded.delete()
-                    MediaPermission.objects.filter(media_id__in=selected_embedded_media_ids).delete()
+                    MediaPermission.objects.filter(media_id__in=selected_embedded_media_ids).exclude(user=F('media__user')).delete()
                 if remove_comments:
                     Comment.objects.filter(media__in=selected_media).delete()
 
                 if apply_to_all:
                     other_course_media = all_course_media.exclude(friendly_token__in=media_ids)
                     if remove_permissions:
-                        MediaPermission.objects.filter(media__in=other_course_media, user__in=group_users).delete()
-                        # exclude selected_media, not other_course_media — LTI-embedded media are not in the M2M
+                        MediaPermission.objects.filter(media__in=other_course_media, user__in=group_users).exclude(user=F('media__user')).delete()
                         other_embedded = embed_qs.exclude(media__in=selected_media)
                         other_embedded_media_ids = list(other_embedded.values_list('media_id', flat=True))
                         other_embedded.delete()
-                        MediaPermission.objects.filter(media_id__in=other_embedded_media_ids).delete()
+                        MediaPermission.objects.filter(media_id__in=other_embedded_media_ids).exclude(user=F('media__user')).delete()
                     if remove_comments:
                         Comment.objects.filter(media__in=other_course_media).delete()
                     for m in other_course_media:
@@ -806,8 +804,8 @@ class MediaBulkUserActions(APIView):
                     m.category.remove(category)
             else:
                 if remove_permissions:
-                    MediaPermission.objects.filter(media__in=all_course_media, user__in=group_users).delete()
-                    MediaPermission.objects.filter(media_id__in=embedded_media_ids).delete()
+                    MediaPermission.objects.filter(media__in=all_course_media, user__in=group_users).exclude(user=F('media__user')).delete()
+                    MediaPermission.objects.filter(media_id__in=embedded_media_ids).exclude(user=F('media__user')).delete()
                     embed_qs.delete()
                 if remove_comments:
                     Comment.objects.filter(media__in=all_course_media).delete()