author | rubenwardy <rw@rubenwardy.com> | 2020-07-11 03:35:14 +0100 |
---|---|---|
committer | rubenwardy <rw@rubenwardy.com> | 2020-07-11 03:35:14 +0100 |
commit | 08f6bd8befa266d40f56b143193c8c1ca5fb2716 (patch) | |
tree | 193991a67c097e105b57e3f5a04e60eacb736c07 | |
parent | 31b8a7931bdb95b296e236c11705206507b035d8 (diff) | |
download | cheatdb-08f6bd8befa266d40f56b143193c8c1ca5fb2716.tar.xz |
Move DELETE_REPLY permission to ThreadReply
-rw-r--r-- | app/blueprints/threads/__init__.py | 2 | ||||
-rw-r--r-- | app/models.py | 19 | ||||
-rw-r--r-- | app/templates/macros/threads.html | 2 |
3 files changed, 19 insertions, 4 deletions
diff --git a/app/blueprints/threads/__init__.py b/app/blueprints/threads/__init__.py
index 28a7fde..113cdfa 100644
--- a/app/blueprints/threads/__init__.py
+++ b/app/blueprints/threads/__init__.py
@@ -126,7 +126,7 @@ def delete_reply(id):
 flash("Cannot delete thread opening post!", "danger")
 return redirect(thread.getViewURL())
- if not thread.checkPerm(current_user, Permission.DELETE_REPLY):
+ if not reply.checkPerm(current_user, Permission.DELETE_REPLY):
 abort(403)
 if request.method == "GET":
diff --git a/app/models.py b/app/models.py
index 9e1840e..62ac1ee 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1105,7 +1105,7 @@ class Thread(db.Model):
 def checkPerm(self, user, perm):
 if not user.is_authenticated:
- return not self.private
+ return perm == Permission.SEE_THREAD and not self.private
 if type(perm) == str:
 perm = Permission[perm]
@@ -1124,7 +1124,7 @@ class Thread(db.Model):
 elif perm == Permission.COMMENT_THREAD:
 return canSee and (not self.locked or user.rank.atLeast(UserRank.MODERATOR))
- elif perm == Permission.LOCK_THREAD or perm == Permission.DELETE_REPLY:
+ elif perm == Permission.LOCK_THREAD:
 return user.rank.atLeast(UserRank.MODERATOR)
 else:
@@ -1137,6 +1137,21 @@ class ThreadReply(db.Model):
 author_id = db.Column(db.Integer, db.ForeignKey("user.id"), nullable=False)
 created_at = db.Column(db.DateTime, nullable=False, default=datetime.datetime.utcnow)
+ def checkPerm(self, user, perm):
+ if not user.is_authenticated:
+ return False
+
+ if type(perm) == str:
+ perm = Permission[perm]
+ elif type(perm) != Permission:
+ raise Exception("Unknown permission given to ThreadReply.checkPerm()")
+
+ if perm == Permission.DELETE_REPLY:
+ return user.rank.atLeast(UserRank.MODERATOR) and self.thread.replies[0] != self
+
+ else:
+ raise Exception("Permission {} is not related to threads".format(perm.name))
+
 class PackageReview(db.Model):
 id = db.Column(db.Integer, primary_key=True)
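Review bot: In `delete_reply` (app/blueprints/threads/__init__.py), authorization now rests on `reply` alone, while the opening-post message and the redirect still use `thread` from the URL; the code that loads `reply` sits above this hunk and is not visible here. If that lookup does not already require the reply to belong to that thread, a guard such as `if reply.thread != thread: abort(404)` ahead of the permission check would keep the two objects bound together. The function starts and ends outside the hunk, so this may already be handled.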
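Review bot: In `Thread.checkPerm` (app/models.py, first hunk), the new anonymous branch compares `perm == Permission.SEE_THREAD` before the `type(perm) == str` conversion that follows it, so a caller passing the string form (as the template in this commit does with `"DELETE_REPLY"`) would get `False` for `"SEE_THREAD"` even on a public thread, assuming `Permission` is a plain `Enum`. The result fails closed, so this is a visibility bug rather than an access-control gap. Moving the `if type(perm) == str: perm = Permission[perm]` normalisation above the `is_authenticated` check would make both forms behave the same. The rest of the method lies outside the hunk.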
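Review bot: The new `ThreadReply.checkPerm` has no docstring, and its fallback message says the permission "is not related to threads", which reads as the wrong model in a traceback; `"Permission {} is not related to thread replies"` would be clearer. A one-line docstring such as `"""Return True if user may perform perm on this reply; anonymous users are always denied."""` would record the fail-closed default for unauthenticated callers. `type(perm) == str` and `type(perm) != Permission` could be `isinstance` checks. Note also that `Permission[perm]` raises `KeyError` for an unknown string, so the explicit "Unknown permission" exception is only reached for non-string values.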
diff --git a/app/templates/macros/threads.html b/app/templates/macros/threads.html
index 32acbc4..e94cded 100644
--- a/app/templates/macros/threads.html
+++ b/app/templates/macros/threads.html
@@ -22,7 +22,7 @@
 </div>
 <div class="card-body">
- {% if r != thread.replies[0] and thread.checkPerm(current_user, "DELETE_REPLY") %}
+ {% if r.checkPerm(current_user, "DELETE_REPLY") %}
 <a class="float-right btn btn-secondary btn-sm" href="{{ url_for('threads.delete_reply', id=thread.id, reply=r.id) }}">
 <i class="fas fa-trash"></i> |