Check perms in status views

This commit is contained in:
Mouse Reeve 2021-09-27 14:03:17 -07:00
parent 556ae0726b
commit 3657f9e0df
2 changed files with 11 additions and 7 deletions


@ -3,6 +3,7 @@ from dataclasses import MISSING
import re import re
from django.apps import apps from django.apps import apps
from django.core.exceptions import PermissionDenied
from django.core.validators import MaxValueValidator, MinValueValidator from django.core.validators import MaxValueValidator, MinValueValidator
from django.db import models from django.db import models
from django.dispatch import receiver from django.dispatch import receiver
@ -187,6 +188,14 @@ class Status(OrderedCollectionPageMixin, BookWyrmModel):
"""json serialized activitypub class""" """json serialized activitypub class"""
return self.to_activity_dataclass(pure=pure).serialize() return self.to_activity_dataclass(pure=pure).serialize()
def raise_not_editable(self, viewer):
"""certain types of status aren't editable"""
# first, the standard raise
super().raise_not_editable(viewer)
if isinstance(self, (GeneratedNote, ReviewRating)):
raise PermissionDenied
class GeneratedNote(Status): class GeneratedNote(Status):
"""these are app-generated messages about user activity""" """these are app-generated messages about user activity"""
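Review bot: The `isinstance(self, (GeneratedNote, ReviewRating))` test only fires when the instance was loaded as its concrete subclass; a status fetched as plain `models.Status` (as the delete view does with `get_object_or_404(models.Status, ...)`) would pass this override silently, so callers of `raise_not_editable` must load the status via `select_subclasses()`. That precondition belongs in the docstring, e.g. `"""generated notes and review ratings are never editable; callers must load the status with select_subclasses() for this check to apply"""`. The base `raise_not_editable` (defined outside this hunk) runs first, so a non-owner gets whatever it raises before the type check is reached. `ReviewRating` is not visible here; presumably it is a Status subclass defined later in the module.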


@ -98,8 +98,7 @@ class DeleteStatus(View):
status = get_object_or_404(models.Status, id=status_id) status = get_object_or_404(models.Status, id=status_id)
# don't let people delete other people's statuses # don't let people delete other people's statuses
if status.user != request.user and not request.user.has_perm("moderate_post"): status.raise_not_deletable(request.user)
return HttpResponseBadRequest()
# perform deletion # perform deletion
status.delete() status.delete()
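Review bot: The removed condition allowed a user holding the `moderate_post` permission to delete another user's status, but the replacement `status.raise_not_deletable(request.user)` is not defined anywhere in this commit, so it is not visible whether that moderator path survives; if the base implementation only compares `status.user` to the viewer, moderators lose the ability to delete, and if it grants more broadly, the old check is weakened. The comment above the call should state the intended rule so the two stay in sync, e.g. `# only the author or a user with moderate_post may delete (enforced by raise_not_deletable)`. The failure response also changes from HttpResponseBadRequest to a PermissionDenied exception, which Django typically renders as 403 rather than 400 — likely intended, but it is a visible API change. The enclosing `DeleteStatus` method starts before and ends after this hunk.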
@ -115,12 +114,8 @@ class DeleteAndRedraft(View):
status = get_object_or_404( status = get_object_or_404(
models.Status.objects.select_subclasses(), id=status_id models.Status.objects.select_subclasses(), id=status_id
) )
if isinstance(status, (models.GeneratedNote, models.ReviewRating)):
return HttpResponseBadRequest()
# don't let people redraft other people's statuses # don't let people redraft other people's statuses
if status.user != request.user: status.raise_not_editable(request.user)
return HttpResponseBadRequest()
status_type = status.status_type.lower() status_type = status.status_type.lower()
if status.reply_parent: if status.reply_parent: