xjlin0 · xjlin0 · Jun 2, 2021 · Jun 1, 2021 · Jun 2, 2021 · Jun 2, 2021
diff --git a/attendees/persons/admin.py b/attendees/persons/admin.py
@@ -52,7 +52,7 @@ def get_queryset(self, request):
         requester_permission = {'infos__show_secret__' + request.user.attendee_uuid_str(): True}
         return qs.filter(
             Q(organization=request.user.organization),
-            ( Q(**requester_permission) | Q(infos__show_secret={}) ),
+            ( Q(**requester_permission) | Q(infos__show_secret={}) | Q(infos__show_secret__isnull=True) ),
         )
 
 

diff --git a/attendees/persons/models/utility.py b/attendees/persons/models/utility.py
@@ -50,7 +50,7 @@ def attendee_infos():
 
     @staticmethod
     def relationship_infos():
-        return {"show_secret": {}}
+        return {"show_secret": {}, "comment": None}
 
     @staticmethod
     def forever():  # 1923 years from now

diff --git a/attendees/persons/serializers/past_serializer.py b/attendees/persons/serializers/past_serializer.py
@@ -4,7 +4,7 @@
 
 class PastSerializer(serializers.ModelSerializer):
 
-    class Meta:
+    class Meta:  # It is critical not to have organization in the fields, to let perform_create set it
         model = Past
-        fields = '__all__'
+        fields = ('id', 'display_name', 'category', 'start', 'finish', 'infos', 'content_type', 'object_id')
 
diff --git a/attendees/persons/views/api/categorized_pasts.py b/attendees/persons/views/api/categorized_pasts.py
@@ -1,5 +1,7 @@
 import time
-from django.contrib.auth.mixins import LoginRequiredMixin, UserPassesTestMixin
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.contrib.contenttypes.models import ContentType
+from django.http import Http404
 from django.shortcuts import get_object_or_404
 from rest_framework import viewsets
 from django.db.models import Q
@@ -20,7 +22,7 @@ class ApiCategorizedPastsViewSet(LoginRequiredMixin, SpyGuard, viewsets.ModelVie
 
     def get_queryset(self):
         category__type = self.request.query_params.get('category__type', '')
-        menu_name = self.__class__.__name__ + category__type.capitalize()
+        menu_name = self.__class__.__name__ + category__type.capitalize()  # self.get_view_name() => Api Categorized Pasts List
         url_name = Utility.underscore(menu_name)
 
         if not MenuAuthGroup.objects.filter(
@@ -41,6 +43,8 @@ def get_queryset(self):
                 Q(pk=past_id),
                 Q(category__type=category__type),
                 (   Q(infos__show_secret={})
+                    |
+                    Q(infos__show_secret__isnull=True)
                     |
                     Q(**requester_permission)),
             )
@@ -49,9 +53,14 @@ def get_queryset(self):
                 Q(organization=self.request.user.organization),
                 Q(category__type=category__type),
                 (   Q(infos__show_secret={})
+                    |
+                    Q(infos__show_secret__isnull=True)
                     |
                     Q(**requester_permission)),
             )
 
+    def perform_create(self, serializer):  #SpyGuard ensured requester & target_attendee belongs to the same org.
+        serializer.save(organization=self.request.user.organization)
+
 
 api_categorized_pasts_viewset = ApiCategorizedPastsViewSet
diff --git a/attendees/static/js/persons/datagrid_attendee_update_view.js b/attendees/static/js/persons/datagrid_attendee_update_view.js
@@ -2429,7 +2429,7 @@ Attendees.datagridUpdate = {
             });
           },
           insert: function (values) {
-            const contentType = {
+            const subject = {
               content_type: Attendees.datagridUpdate.attendeeAttrs.dataset.attendeeContenttypeId,
               object_id: Attendees.datagridUpdate.attendeeId,
             };
@@ -2438,7 +2438,7 @@ Attendees.datagridUpdate = {
               method: "POST",
               dataType: 'json',
               contentType: "application/json; charset=utf-8",
-              data: JSON.stringify({...values, ...contentType}),
+              data: JSON.stringify({...values, ...subject}),
               success: (result) => {
                 DevExpress.ui.notify(
                   {
@@ -2456,13 +2456,13 @@ Attendees.datagridUpdate = {
         }),
       },
       onRowInserting: (rowData) => {
-        const infos = {organization: Attendees.datagridUpdate.attendeeFormConfigs.formData.organization_slug, show_secret:{}};
+        const infos = {show_secret: {}, comment: rowData.data.infos && rowData.data.infos.comment};
         if(rowData.data.infos && rowData.data.infos.show_secret){
-          infos.show_secret = {[Attendees.utilities.userAttendeeId]: true};
+          infos.show_secret[Attendees.utilities.userAttendeeId] = true;
         }
         rowData.data.infos = infos;
       },
-      onInitNewRow: (e) => {
+      onInitNewRow: (e) => {  // don't assign e.data or show_secret somehow messed up
         DevExpress.ui.notify(
           {
             message: "Let's create a " + type + ", click away or hit Enter to save. Hit Esc to quit without save",
@@ -2495,15 +2495,23 @@ Attendees.datagridUpdate = {
         allowDeleting: false,
       },
       onRowUpdating: (rowData) => {
-        if (rowData.newData.infos && 'show_secret' in rowData.newData.infos) { // value could be intentionally false to prevent someone seeing it
-          const showSecret = rowData.oldData.infos.show_secret;
-          const isRelationshipSecretForCurrentUser = rowData.newData.infos.show_secret;
-          if (isRelationshipSecretForCurrentUser) {
-            showSecret[Attendees.utilities.userAttendeeId] = true;
-          } else {
-            delete showSecret[Attendees.utilities.userAttendeeId];
+        if(rowData.newData.infos){
+          const updatingInfos = rowData.oldData.infos; // may contains both keys of show_secret and comment
+          if('show_secret' in rowData.newData.infos){
+            const isRelationshipSecretForCurrentUser = rowData.newData.infos.show_secret;
+            if(isRelationshipSecretForCurrentUser){
+              if (typeof(updatingInfos.show_secret)==="object") {
+                updatingInfos.show_secret[Attendees.utilities.userAttendeeId] = true;
+              } else {
+                updatingInfos.show_secret = {[Attendees.utilities.userAttendeeId]: true};
+              }
+            } else {
+              delete updatingInfos.show_secret[Attendees.utilities.userAttendeeId];
+            }
+            rowData.newData.infos = updatingInfos;
+          } else {  // for updating infos.comment
+            rowData.newData.infos = {...updatingInfos, ...rowData.newData.infos};
           }
-          rowData.newData.infos.show_secret = showSecret;
         }
       },
       columns: [

diff --git a/attendees/whereabouts/views/api/datagrid_data_place.py b/attendees/whereabouts/views/api/datagrid_data_place.py
@@ -27,5 +27,8 @@ def get_queryset(self):  # Todo: check if current user are allowed to query this
         querying_place_id = self.kwargs.get('place_id')
         return Place.objects.filter(pk=querying_place_id, organization=self.request.user.organization)
 
+    # def perform_create(self, serializer):  #forget SpyGuard ??
+    #     serializer.save(organization=self.request.user.organization)
+
 
 api_datagrid_data_place_viewset = ApiDatagridDataPlaceViewSet