Filter out personal material lists

carlobeltrame · carlobeltrame · commit 9fc261ede8f2 · 2025-09-06T04:19:13.000+02:00
diff --git a/api/src/Entity/MaterialItem.php b/api/src/Entity/MaterialItem.php
@@ -24,6 +24,7 @@
 use Doctrine\Common\Collections\Collection;
 use Doctrine\ORM\Mapping as ORM;
 use Symfony\Component\Serializer\Annotation\Groups;
+use Symfony\Component\Serializer\Attribute\SerializedName;
 use Symfony\Component\Validator\Constraints as Assert;
 
 /**
@@ -71,14 +72,6 @@ class MaterialItem extends BaseEntity implements BelongsToCampInterface, CopyFro
     #[ORM\JoinColumn(nullable: false, onDelete: 'cascade')]
     public ?Camp $camp = null;
 
-    /**
-     * The list to which this item belongs. Lists are used to keep track of who is
-     * responsible to prepare and bring the item to the camp.
-     */
-    #[Assert\NotNull]
-    #[AssertBelongsToSameCamp]
-    #[ApiProperty(example: '/material_lists/1a2b3c4d')]
-    #[Groups(['read', 'write'])]
     #[ORM\ManyToOne(targetEntity: MaterialList::class, inversedBy: 'materialItems')]
     #[ORM\JoinColumn(nullable: true, onDelete: 'cascade')]
     public ?MaterialList $materialList = null;
@@ -149,6 +142,36 @@ public function __construct() {
         $this->periodMaterialItems = new ArrayCollection();
     }
 
+    /**
+     * The list to which this item belongs. Lists are used to keep track of who is
+     * responsible to prepare and bring the item to the camp.
+     */
+    #[Assert\NotNull]
+    #[AssertBelongsToSameCamp]
+    #[ApiProperty(example: '/material_lists/1a2b3c4d', security: 'is_granted("CAMP_COLLABORATOR", object)')]
+    #[Groups(['read', 'write'])]
+    public function getMaterialList(): ?MaterialList {
+        return $this->materialList;
+    }
+
+    /**
+     * The list to which this item belongs. Lists are used to keep track of who is
+     * responsible to prepare and bring the item to the camp.
+     */
+    #[Assert\NotNull]
+    #[AssertBelongsToSameCamp]
+    #[ApiProperty(example: '/material_lists/1a2b3c4d', security: '!is_granted("CAMP_COLLABORATOR", object)')]
+    #[Groups(['read', 'write'])]
+    #[SerializedName('materialList')]
+    public function getPublicMaterialList(): ?MaterialList {
+        // When accessing a shared or prototype camp, hide personal material lists
+        if (null !== $this->materialList->campCollaboration) {
+            return null;
+        }
+
+        return $this->materialList;
+    }
+
     public function getCamp(): ?Camp {
         return $this->camp ?? $this->period->camp ?? $this->materialNode?->getCamp();
     }
diff --git a/api/src/Entity/MaterialList.php b/api/src/Entity/MaterialList.php
@@ -29,8 +29,8 @@
     operations: [
         new Get(
             security: 'is_granted("CAMP_COLLABORATOR", object) or
-                       is_granted("CAMP_IS_SHARED", object) or
-                       is_granted("CAMP_IS_PROTOTYPE", object)'
+                       (object.campCollaboration === null and
+                         (is_granted("CAMP_IS_SHARED", object) or is_granted("CAMP_IS_PROTOTYPE", object)))'
         ),
         new Patch(
             security: 'is_granted("CAMP_MEMBER", object) or is_granted("CAMP_MANAGER", object)'
diff --git a/api/src/Repository/MaterialListRepository.php b/api/src/Repository/MaterialListRepository.php
@@ -3,8 +3,10 @@
 namespace App\Repository;
 
 use ApiPlatform\Doctrine\Orm\Util\QueryNameGeneratorInterface;
+use App\Entity\Camp;
 use App\Entity\MaterialList;
 use App\Entity\User;
+use App\Entity\UserCamp;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\ORM\QueryBuilder;
 use Doctrine\Persistence\ManagerRegistry;
@@ -16,14 +18,32 @@
  * @method MaterialList[]    findBy(array $criteria, array $orderBy = null, $limit = null, $offset = null)
  */
 class MaterialListRepository extends ServiceEntityRepository implements CanFilterByUserInterface {
-    use FiltersByCampCollaboration;
-
     public function __construct(ManagerRegistry $registry) {
         parent::__construct($registry, MaterialList::class);
     }
 
     public function filterByUser(QueryBuilder $queryBuilder, QueryNameGeneratorInterface $queryNameGenerator, User $user): void {
         $rootAlias = $queryBuilder->getRootAliases()[0];
-        $this->filterByCampCollaborationOrPublic($queryBuilder, $user, "{$rootAlias}.camp");
+
+        $campsQry = $queryBuilder->getEntityManager()->createQueryBuilder();
+        $campsQry->select('identity(uc.camp)');
+        $campsQry->from(UserCamp::class, 'uc');
+        $campsQry->where('uc.user = :current_user');
+
+        $publicCampsQry = $queryBuilder->getEntityManager()->createQueryBuilder();
+        $publicCampsQry->select('c');
+        $publicCampsQry->from(Camp::class, 'c');
+        $publicCampsQry->where($queryBuilder->expr()->orX('c.isPrototype = true', 'c.isShared = true'));
+
+        $queryBuilder->andWhere(
+            $queryBuilder->expr()->orX(
+                $queryBuilder->expr()->andX(
+                    "{$rootAlias}.campCollaboration IS NULL",
+                    $queryBuilder->expr()->in("{$rootAlias}.camp", $publicCampsQry->getDQL())
+                ),
+                $queryBuilder->expr()->in("{$rootAlias}.camp", $campsQry->getDQL())
+            )
+        );
+        $queryBuilder->setParameter('current_user', $user);
     }
 }
