From 8f4a155c06699eb85a4d03f286051536244efa06 Mon Sep 17 00:00:00 2001
From: "Edward Tirado Jr."
Date: Mon, 30 Jun 2025 18:15:56 -0500
Subject: [PATCH] updated permissions for list
---
 movie_manager/serializers.py | 1 +
 movie_manager/views.py | 20 ++++++++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/movie_manager/serializers.py b/movie_manager/serializers.py
index cb39648..3b7a517 100644
--- a/movie_manager/serializers.py
+++ b/movie_manager/serializers.py
@@ -42,6 +42,7 @@ class MovieListListSerializer(serializers.ModelSerializer):
 class MovieListSerializer(serializers.ModelSerializer):
 movies = MovieSerializer(read_only=True, many=True)
 serializer_class = MovieSerializer
+ owner = serializers.PrimaryKeyRelatedField(read_only=True)
 def get_queryset(self):
 return MovieList.objects.prefetch_related(
diff --git a/movie_manager/views.py b/movie_manager/views.py
index 973a488..2d606ea 100644
--- a/movie_manager/views.py
+++ b/movie_manager/views.py
@@ -1,9 +1,10 @@
 import datetime
-import json
+from django.db.models import QuerySet
 from django.http import JsonResponse
 from django.contrib.auth.models import User
 from django.utils.dateparse import parse_datetime
+from django.db import models
 from rest_framework import permissions, viewsets
 from knox.auth import TokenAuthentication
 from rest_framework.decorators import action, api_view
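Review bot: The new `owner` field on `MovieListSerializer` publishes the owning user's primary key to every reader of a list, which after the `views.py` change in this patch may include anonymous readers of public lists. If clients only need to know whether the caller owns the list, a boolean computed against `request.user` would reveal less; if the id is needed, keep the field and document it with a comment such as `# read-only: ownership is assigned server-side, never taken from the request body`. Whether `owner` appears in the serializer's `Meta.fields` is not visible here, and the class body continues outside the hunk.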
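Review bot: `QuerySet` is imported on the new side of the `views.py` import hunk, but no added line visible in this patch uses it; either drop `from django.db.models import QuerySet` or use it to annotate `def get_queryset(self) -> QuerySet:`. Since `from django.db import models` is added as well, that one import would cover both uses (`models.QuerySet`, `models.Q`). The removal of `import json` cannot be checked from the hunk, so confirm nothing else in `views.py` still references `json`.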
@@ -66,14 +67,29 @@ class MovieListViewset(viewsets.ModelViewSet):
 return MovieListSerializer
 def get_queryset(self):
+ base_qs = MovieList.objects.all()
+
 if self.action == "list":
- return MovieList.objects.filter(owner=self.request.user)
+ if self.request.user.is_authenticated:
+ return base_qs.filter(
+ models.Q(public=True) |
+ models.Q(owner=self.request.user)
+ ).order_by("name")
+
+ return base_qs.filter(public=True).order_by("name")
 else:
 return MovieList.objects.prefetch_related(
 "movies", "movies__showing_set"
 ).order_by("name")
+ def perform_create(self, serializer):
+ serializer.save(owner=self.request.user)
+
+ def get_permissions(self):
+ if self.action in ['update', 'partial_update', 'destroy']:
+ self.permission_classes = [permissions.IsAuthenticated]
+ return super().get_permissions()
 def create(self, request, *args, **kwargs):
 movie_list = MovieList.objects.create(
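Review bot: The `else` branch of `get_queryset` still returns every `MovieList`, so the public/owner filter added for `list` does not apply to `retrieve`, `update`, `partial_update` or `destroy`; because `get_permissions` requires only `IsAuthenticated` for the write actions, any logged-in user can apparently change or delete another user's list by id, and private lists remain readable by id. Apply the visibility filter to every action and limit the write actions to `owner=self.request.user` (or add an object-level owner permission), as sketched below. `perform_create` is only reached through the default `create`, yet the class overrides `create` with a direct `MovieList.objects.create(` call whose body continues past the hunk, so confirm the owner is set there and that anonymous callers are rejected before it runs. The viewset's default `permission_classes` and any custom `@action` routes are outside the hunk and should be checked against the same filter.

```python
    def get_queryset(self):
        user = self.request.user
        base_qs = MovieList.objects.order_by("name")

        if self.action in ("update", "partial_update", "destroy"):
            # Writes are scoped to the caller's own lists; any other id
            # resolves to 404 instead of reaching the object.
            return base_qs.filter(owner=user)

        # Reads: public lists for everyone, plus the caller's own lists.
        visible = models.Q(public=True)
        if user.is_authenticated:
            visible |= models.Q(owner=user)
        qs = base_qs.filter(visible)

        if self.action != "list":
            qs = qs.prefetch_related("movies", "movies__showing_set")
        return qs

    # … unchanged: perform_create, get_permissions …
```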