Check perms in status views

bookwyrm/models/status.py

@@ -3,6 +3,7 @@ from dataclasses import MISSING
 import re
 
 from django.apps import apps
+from django.core.exceptions import PermissionDenied
 from django.core.validators import MaxValueValidator, MinValueValidator
 from django.db import models
 from django.dispatch import receiver
@@ -187,6 +188,14 @@ class Status(OrderedCollectionPageMixin, BookWyrmModel):
         """json serialized activitypub class"""
         return self.to_activity_dataclass(pure=pure).serialize()
 
+    def raise_not_editable(self, viewer):
+        """certain types of status aren't editable"""
+        # first, the standard raise
+        super().raise_not_editable(viewer)
+        if isinstance(self, (GeneratedNote, ReviewRating)):
+            raise PermissionDenied
+
+
 
 class GeneratedNote(Status):
     """these are app-generated messages about user activity"""

bookwyrm/views/status.py

@@ -98,8 +98,7 @@ class DeleteStatus(View):
         status = get_object_or_404(models.Status, id=status_id)
 
         # don't let people delete other people's statuses
-        if status.user != request.user and not request.user.has_perm("moderate_post"):
-            return HttpResponseBadRequest()
+        status.raise_not_deletable(request.user)
 
         # perform deletion
         status.delete()
@@ -115,12 +114,8 @@ class DeleteAndRedraft(View):
         status = get_object_or_404(
             models.Status.objects.select_subclasses(), id=status_id
         )
-        if isinstance(status, (models.GeneratedNote, models.ReviewRating)):
-            return HttpResponseBadRequest()
-
         # don't let people redraft other people's statuses
-        if status.user != request.user:
-            return HttpResponseBadRequest()
+        status.raise_not_editable(request.user)
 
         status_type = status.status_type.lower()
         if status.reply_parent: