From 1c7ac134c9a96b72664073a1fff0d45872e4293d Mon Sep 17 00:00:00 2001
From: Justin Edmund
Date: Sun, 4 Jan 2026 21:47:16 -0800
Subject: [PATCH] include shared parties in listings and show
---
 app/controllers/api/v1/parties_controller.rb | 6 +++++-
 app/services/party_query_builder.rb | 19 +++++++++++++++++--
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/app/controllers/api/v1/parties_controller.rb b/app/controllers/api/v1/parties_controller.rb
index 229e772..795377e 100644
--- a/app/controllers/api/v1/parties_controller.rb
+++ b/app/controllers/api/v1/parties_controller.rb
@@ -56,8 +56,12 @@ module Api
 end
 # Shows a specific party.
+ # Uses viewable_by? to check visibility including crew sharing.
+ # Also allows access via edit_key for anonymous parties.
 def show
- return render_unauthorized_response if @party.private? && (!current_user || not_owner?)
+ unless @party.viewable_by?(current_user) || !not_owner?
+ return render_unauthorized_response
+ end
 if @party
 render json: PartyBlueprint.render(@party, view: :full, root: :party)
diff --git a/app/services/party_query_builder.rb b/app/services/party_query_builder.rb
index 600ed9c..2b77f2c 100644
--- a/app/services/party_query_builder.rb
+++ b/app/services/party_query_builder.rb
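Review bot: In `show` (app/controllers/api/v1/parties_controller.rb) the new `unless @party.viewable_by?(current_user) || !not_owner?` guard dereferences `@party` before the `if @party` check that follows it, so if the lookup outside this hunk can leave `@party` nil, as that branch implies, the request raises instead of reaching the not-found handling; the nil check should come first. This line is also the whole access decision for the endpoint, it reads as a double negative, and both `viewable_by?` and `not_owner?` are defined outside the patch, so the intended rule deserves a comment such as `# Allow when the party is visible to this user (public or shared with their crew), or the requester owns it or holds its edit_key.`. Request specs for an anonymous caller and for a signed-in user outside the crew, both against a private party, would pin the deny cases. The body of `show` continues past the end of the hunk.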
@@ -61,15 +61,30 @@ class PartyQueryBuilder
 end
 # Applies privacy settings based on whether the current user is an admin.
+ # Also includes parties shared with the current user's crew.
 def apply_privacy_settings(query)
 # If the options say to skip privacy filtering (e.g. when viewing your own profile),
 # then return the query unchanged.
 return query if @options[:skip_privacy]
- # Otherwise, if not admin, only show public parties.
+ # Admins can see everything
 return query if @current_user&.admin?
- query.where('visibility = ?', 1)
+ # Build conditions for what the user can see:
+ # 1. Public parties (visibility = 1)
+ # 2. Parties shared with their crew (if they're in a crew)
+ if @current_user&.crew
+ # User is in a crew - include public parties OR parties shared with their crew
+ query.where(<<-SQL.squish, 1, 'Crew', @current_user.crew.id)
+ visibility = ? OR parties.id IN (
+ SELECT party_id FROM party_shares
+ WHERE shareable_type = ? AND shareable_id = ?
+ )
+ SQL
+ else
+ # User is not in a crew - only show public parties
+ query.where('visibility = ?', 1)
+ end
 end
 # Builds a hash of filtering conditions from the params.
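Review bot: The crew-sharing condition added to `apply_privacy_settings` is a second, hand-written copy of the visibility rule that the controller's `show` now delegates to `viewable_by?`, and nothing in the patch keeps the two in step. If they drift, a listing could expose a party that `show` refuses, or the reverse, so the rule is better defined once (for instance as a model scope that both paths call), or at least marked with `# Must grant exactly the same access as viewable_by? - change both together.`. The bind parameters are fine, but the literals `1` and `'Crew'` repeat values presumably owned by the model's visibility setting and the `Crew` class; a named constant and `Crew.name` would survive a rename. A spec that lists parties as a crew member, as a member of a different crew and as an anonymous user would pin the intended behaviour.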