fix: enforce visibility column in tree access filter

Previously build_tree_access_filter used is_public boolean and ignored the visibility column entirely. Now private/link trees are only visible to their author, team trees require matching account_id, and public trees are open to all. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 03:21:20 -05:00
parent 2ff37d6dd9
commit 8c982a95ec
1 changed files with 16 additions and 8 deletions
--- a/backend/app/core/filters.py
+++ b/backend/app/core/filters.py
@@ -16,24 +16,32 @@ if TYPE_CHECKING:
 def build_tree_access_filter(current_user: User):
    """Build the access filter for trees based on user permissions.

-    Returns trees that are:
-    - All trees (for super admins)
-    - Default/system trees (visible to all)
-    - Public trees
-    - User's own trees
-    - Trees from user's account
+    Visibility rules:
+    - super_admin: sees everything
+    - is_default: visible to all authenticated users
+    - visibility='public': visible to all authenticated users
+    - author_id == me: always visible (regardless of visibility setting)
+    - visibility='team' AND account_id == mine: visible to account members
+    - visibility='private': only visible to author (covered by author_id check above)
+    - visibility='link': only visible to author (share token access is handled separately)
    """
    from app.models.tree import Tree

    if current_user.is_super_admin:
        return sa_true()
+
    conditions = [
        Tree.is_default == True,
-        Tree.is_public == True,
+        Tree.visibility == 'public',
        Tree.author_id == current_user.id,
    ]
    if current_user.account_id:
-        conditions.append(Tree.account_id == current_user.account_id)
+        conditions.append(
+            and_(
+                Tree.visibility == 'team',
+                Tree.account_id == current_user.account_id
+            )
+        )
    return or_(*conditions)