feat(privacy): user blocklist with private chat enforcement

- add blocked_users table and migration - add users API: block, unblock, list blocked users - prevent private chat creation and private messaging when block relation exists - add block/unblock action in private chat info panel
2026-03-08 02:19:37 +03:00
parent ea8a50ee05
commit 159a8ba516
9 changed files with 228 additions and 6 deletions
--- a/app/users/models.py
+++ b/app/users/models.py
@@ -1,7 +1,7 @@
 from datetime import datetime
 from typing import TYPE_CHECKING

-from sqlalchemy import Boolean, DateTime, String, func
+from sqlalchemy import Boolean, DateTime, ForeignKey, String, UniqueConstraint, func
 from sqlalchemy.orm import Mapped, mapped_column, relationship

 from app.database.base import Base
@@ -42,3 +42,13 @@ class User(Base):
        back_populates="user",
        cascade="all, delete-orphan",
    )
+
+
+class BlockedUser(Base):
+    __tablename__ = "blocked_users"
+    __table_args__ = (UniqueConstraint("user_id", "blocked_user_id", name="uq_blocked_users_user_target"),)
+
+    id: Mapped[int] = mapped_column(primary_key=True, index=True)
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
+    blocked_user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
+    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), server_default=func.now(), nullable=False)
--- a/app/users/repository.py
+++ b/app/users/repository.py
@@ -1,9 +1,9 @@
 from datetime import datetime, timezone

-from sqlalchemy import func, select
+from sqlalchemy import and_, func, or_, select
 from sqlalchemy.ext.asyncio import AsyncSession

-from app.users.models import User
+from app.users.models import BlockedUser, User


 async def create_user(db: AsyncSession, *, email: str, name: str, username: str, password_hash: str) -> User:
@@ -58,3 +58,52 @@ async def update_user_last_seen_now(db: AsyncSession, *, user_id: int) -> User |
    user.last_seen_at = datetime.now(timezone.utc)
    await db.flush()
    return user
+
+
+async def block_user(db: AsyncSession, *, user_id: int, blocked_user_id: int) -> BlockedUser:
+    existing = await get_block_relation(db, user_id=user_id, blocked_user_id=blocked_user_id)
+    if existing:
+        return existing
+    relation = BlockedUser(user_id=user_id, blocked_user_id=blocked_user_id)
+    db.add(relation)
+    await db.flush()
+    return relation
+
+
+async def unblock_user(db: AsyncSession, *, user_id: int, blocked_user_id: int) -> None:
+    relation = await get_block_relation(db, user_id=user_id, blocked_user_id=blocked_user_id)
+    if relation:
+        await db.delete(relation)
+
+
+async def get_block_relation(db: AsyncSession, *, user_id: int, blocked_user_id: int) -> BlockedUser | None:
+    result = await db.execute(
+        select(BlockedUser).where(
+            BlockedUser.user_id == user_id,
+            BlockedUser.blocked_user_id == blocked_user_id,
+        )
+    )
+    return result.scalar_one_or_none()
+
+
+async def has_block_relation_between_users(db: AsyncSession, *, user_a_id: int, user_b_id: int) -> bool:
+    result = await db.execute(
+        select(BlockedUser.id).where(
+            or_(
+                and_(BlockedUser.user_id == user_a_id, BlockedUser.blocked_user_id == user_b_id),
+                and_(BlockedUser.user_id == user_b_id, BlockedUser.blocked_user_id == user_a_id),
+            )
+        ).limit(1)
+    )
+    return result.scalar_one_or_none() is not None
+
+
+async def list_blocked_users(db: AsyncSession, *, user_id: int) -> list[User]:
+    stmt = (
+        select(User)
+        .join(BlockedUser, BlockedUser.blocked_user_id == User.id)
+        .where(BlockedUser.user_id == user_id)
+        .order_by(User.username.asc())
+    )
+    result = await db.execute(stmt)
+    return list(result.scalars().all())
--- a/app/users/router.py
+++ b/app/users/router.py
@@ -5,7 +5,15 @@ from app.auth.service import get_current_user
 from app.database.session import get_db
 from app.users.models import User
 from app.users.schemas import UserProfileUpdate, UserRead, UserSearchRead
-from app.users.service import get_user_by_id, get_user_by_username, search_users_by_username, update_user_profile
+from app.users.service import (
+    block_user,
+    get_user_by_id,
+    get_user_by_username,
+    list_blocked_users,
+    search_users_by_username,
+    unblock_user,
+    update_user_profile,
+)

 router = APIRouter(prefix="/users", tags=["users"])

@@ -61,3 +69,36 @@ async def update_profile(
        avatar_url=payload.avatar_url,
    )
    return updated
+
+
+@router.get("/blocked", response_model=list[UserSearchRead])
+async def read_blocked_users(
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> list[UserSearchRead]:
+    return await list_blocked_users(db, user_id=current_user.id)
+
+
+@router.post("/{user_id}/block", status_code=status.HTTP_204_NO_CONTENT)
+async def block_user_endpoint(
+    user_id: int,
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> None:
+    if user_id == current_user.id:
+        raise HTTPException(status_code=status.HTTP_422_UNPROCESSABLE_ENTITY, detail="Cannot block yourself")
+    target = await get_user_by_id(db, user_id)
+    if not target:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    await block_user(db, user_id=current_user.id, blocked_user_id=user_id)
+
+
+@router.delete("/{user_id}/block", status_code=status.HTTP_204_NO_CONTENT)
+async def unblock_user_endpoint(
+    user_id: int,
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> None:
+    if user_id == current_user.id:
+        return
+    await unblock_user(db, user_id=current_user.id, blocked_user_id=user_id)
--- a/app/users/service.py
+++ b/app/users/service.py
@@ -52,3 +52,21 @@ async def update_user_profile(
    await db.commit()
    await db.refresh(user)
    return user
+
+
+async def block_user(db: AsyncSession, *, user_id: int, blocked_user_id: int) -> None:
+    await repository.block_user(db, user_id=user_id, blocked_user_id=blocked_user_id)
+    await db.commit()
+
+
+async def unblock_user(db: AsyncSession, *, user_id: int, blocked_user_id: int) -> None:
+    await repository.unblock_user(db, user_id=user_id, blocked_user_id=blocked_user_id)
+    await db.commit()
+
+
+async def has_block_relation_between_users(db: AsyncSession, *, user_a_id: int, user_b_id: int) -> bool:
+    return await repository.has_block_relation_between_users(db, user_a_id=user_a_id, user_b_id=user_b_id)
+
+
+async def list_blocked_users(db: AsyncSession, *, user_id: int) -> list[User]:
+    return await repository.list_blocked_users(db, user_id=user_id)