things included in this PR:
- locked down all post endpoints, scoped to either the author of the post (for updating, deleting, and creating posts), to friends of the author (if post visibility is set to 'FRIENDS' and the requesting user is a follower of the author), or to the general public (if post visibility is set to 'PUBLIC')
- likes on posts are also not visible unless the user is a friend of the author (or the post is public)
- comments on posts are locked down similarly to likes
- author comments on a post will not be visible to other users if the requesting user is not a friend of the comment author

This was done by adding another permissions class that sets 2 flags (request.is_owner, request.is_friend) after the IsAuthenticated permission has run (so request.user is populated) and checks object-level permissions of the Author entity (author of the post and whatnot).
let me know how testing goes!
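As an added example (not the PR's own code), a Django REST Framework-style object permission that applies the rules described above: it sets `request.is_owner` / `request.is_friend`, lets only the author modify, applies 'PUBLIC'/'FRIENDS' visibility to posts and their comments, and additionally requires a comment viewer to follow the comment author. The model and request classes, the visibility values, and the "follower == friend" reading are assumptions taken from the PR text; the `rest_framework` import falls back to a small stub so the block runs without Django or DRF installed.

```python
from dataclasses import dataclass, field

try:
    from rest_framework.permissions import BasePermission, SAFE_METHODS
except ImportError:  # stand-in so the example runs without Django/DRF installed
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    class BasePermission:
        def has_object_permission(self, request, view, obj):
            return True

@dataclass
class Author:  # assumed model shape; followers are usernames following this author
    name: str
    followers: set = field(default_factory=set)

@dataclass
class Post:
    author: Author
    visibility: str  # 'PUBLIC' or 'FRIENDS' (values taken from the PR text)

@dataclass
class Comment:  # likes would be handled the same way (post + author)
    post: Post
    author: Author

@dataclass
class Request:  # minimal stand-in for a DRF request; user is a username
    user: str
    method: str = "GET"

class PostObjectAccess(BasePermission):
    """Example permission (not the PR's): set owner/friend flags, then decide access."""
    def has_object_permission(self, request, view, obj):
        post = getattr(obj, "post", obj)  # comments/likes inherit the post's visibility
        request.is_owner = request.user == post.author.name
        request.is_friend = request.user in post.author.followers  # follower == friend here
        if request.method not in SAFE_METHODS:  # update/delete: only the object's author
            return request.user == obj.author.name
        if post.visibility == "PUBLIC":
            visible = True
        elif post.visibility == "FRIENDS":
            visible = request.is_owner or request.is_friend
        else:
            visible = False  # deny unrecognised visibility values rather than leak
        if visible and isinstance(obj, Comment) and request.user != obj.author.name:
            visible = request.user in obj.author.followers  # must follow the comment author
        return visible
```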