From 3d4dbaacb0aef9085a3f7e1159aa802df48c8a8b Mon Sep 17 00:00:00 2001 From: Josh Washburne Date: Thu, 26 Apr 2018 12:18:08 -0400 Subject: [PATCH] Filter API results based on authorization. --- savepointradio/api/views/radio.py | 48 ++++++++++++++++++++++++++++--- savepointradio/radio/managers.py | 6 ++++ 2 files changed, 50 insertions(+), 4 deletions(-) diff --git a/savepointradio/api/views/radio.py b/savepointradio/api/views/radio.py index 9d07e7a..4287fb0 100644 --- a/savepointradio/api/views/radio.py +++ b/savepointradio/api/views/radio.py 
@@ -17,25 +17,65 @@ from ..serializers.radio import (AlbumSerializer, ArtistSerializer, class AlbumViewSet(viewsets.ModelViewSet): permission_classes = [IsAdminOrReadOnly] - queryset = Album.objects.all() serializer_class = AlbumSerializer + def get_queryset(self): + ''' + Only send full data to an admin. All regular users get filtered + albums. + ''' + if (self.request.user.is_authenticated and + self.request.user.is_staff and + not self.request.user.is_dj): + return Album.objects.all() + return Album.music.available() + class ArtistViewSet(viewsets.ModelViewSet): permission_classes = [IsAdminOrReadOnly] - queryset = Artist.objects.all() serializer_class = ArtistSerializer + def get_queryset(self): + ''' + Only send full data to an admin. All regular users get filtered + artists. + ''' + if (self.request.user.is_authenticated and + self.request.user.is_staff and + not self.request.user.is_dj): + return Artist.objects.all() + return Artist.music.available() + class GameViewSet(viewsets.ModelViewSet): permission_classes = [IsAdminOrReadOnly] - queryset = Game.objects.all() serializer_class = GameSerializer + def get_queryset(self): + ''' + Only send full data to an admin. All regular users get filtered + games. + ''' + if (self.request.user.is_authenticated and + self.request.user.is_staff and + not self.request.user.is_dj): + return Game.objects.all() + return Game.music.available() + class SongViewSet(viewsets.ModelViewSet): permission_classes = [IsAdminOrReadOnly] - queryset = Song.objects.all() + + def get_queryset(self): + ''' + Only send full data to an admin. All regular users get filtered + songs. + ''' + if (self.request.user.is_authenticated and + self.request.user.is_staff and + not self.request.user.is_dj): + return Song.objects.all() + return Song.music.available_songs() def get_serializer_class(self): ''' diff --git a/savepointradio/radio/managers.py b/savepointradio/radio/managers.py index 0d49562..efee50b 100644 --- a/savepointradio/radio/managers.py 
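Review bot: The admin test `is_authenticated and is_staff and not is_dj` is written out four times, once in each `get_queryset`, and it is separate from whatever `IsAdminOrReadOnly` checks, so the rule for who sees disabled or unpublished rows can drift between viewsets or away from the write permission. If `IsAdminOrReadOnly` admits any staff account (it is not visible here), a staff DJ could pass the write check but would get a 404 on objects outside the available set; confirm that is intended. Moving the test into one helper keeps the visibility rule in a single place, as sketched below for `AlbumViewSet`; the other three viewsets would call the same helper. `SongViewSet` continues past the end of the hunk.

```python
def is_full_admin(user):
    '''
    True only for authenticated staff accounts that are not DJ accounts.
    '''
    return (user.is_authenticated and
            user.is_staff and
            not user.is_dj)


class AlbumViewSet(viewsets.ModelViewSet):
    # … unchanged: permission_classes, serializer_class …

    def get_queryset(self):
        '''
        Only send full data to an admin. All regular users get filtered
        albums.
        '''
        if is_full_admin(self.request.user):
            return Album.objects.all()
        return Album.music.available()
```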
+++ b/savepointradio/radio/managers.py @@ -49,6 +49,12 @@ class RadioManager(models.Manager): """ return self.get_queryset().unpublished() + def available(self): + """ + Radio objects that are enabled and published. + """ + return self.enabled().published() + class SongManager(RadioManager): """
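Review bot: The docstring on `available()` does not say that this method is now the visibility boundary for the API, since the viewsets in `radio.py` return it to every caller who is not an admin. A later change to what counts as enabled or published would silently change what anonymous clients can read. I would extend the docstring to something like `Radio objects that are enabled and published; this is the set the API exposes to non-admin users.` The method also chains from `self.enabled()`, while the neighbouring method above goes through `self.get_queryset()`, which is worth making consistent if the queryset class offers both filters. `RadioManager` begins outside the hunk.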