Check perms in list views

This commit is contained in:
Mouse Reeve 2021-09-27 14:03:06 -07:00
parent ab31798931
commit 556ae0726b
2 changed files with 36 additions and 34 deletions

View file

@ -92,6 +92,12 @@ class ListItem(CollectionItemMixin, BookWyrmModel):
notification_type="ADD", notification_type="ADD",
) )
def raise_not_deletable(self, viewer):
"""the associated user OR the list owner can delete"""
if self.book_list.user == viewer:
return
super().raise_not_deletable(viewer)
class Meta: class Meta:
"""A book may only be placed into a list once, """A book may only be placed into a list once,
and each order in the list may be used only once""" and each order in the list may be used only once"""

View file

@ -3,7 +3,6 @@ from typing import Optional
from urllib.parse import urlencode from urllib.parse import urlencode
from django.contrib.auth.decorators import login_required from django.contrib.auth.decorators import login_required
from django.core.exceptions import PermissionDenied
from django.core.paginator import Paginator from django.core.paginator import Paginator
from django.db import IntegrityError, transaction from django.db import IntegrityError, transaction
from django.db.models import Avg, Count, DecimalField, Q, Max from django.db.models import Avg, Count, DecimalField, Q, Max
@ -270,8 +269,7 @@ def delete_list(request, list_id):
book_list = get_object_or_404(models.List, id=list_id) book_list = get_object_or_404(models.List, id=list_id)
# only the owner or a moderator can delete a list # only the owner or a moderator can delete a list
if book_list.user != request.user and not request.user.has_perm("moderate_post"): book_list.raise_not_editable(request.user)
raise PermissionDenied
book_list.delete() book_list.delete()
return redirect("lists") return redirect("lists")
@ -334,9 +332,7 @@ def remove_book(request, list_id):
with transaction.atomic(): with transaction.atomic():
book_list = get_object_or_404(models.List, id=list_id) book_list = get_object_or_404(models.List, id=list_id)
item = get_object_or_404(models.ListItem, id=request.POST.get("item")) item = get_object_or_404(models.ListItem, id=request.POST.get("item"))
item.raise_not_deletable(request.user)
if not book_list.user == request.user and not item.user == request.user:
return HttpResponseNotFound()
deleted_order = item.order deleted_order = item.order
item.delete() item.delete()
@ -351,8 +347,8 @@ def set_book_position(request, list_item_id):
Action for when the list user manually specifies a list position, takes Action for when the list user manually specifies a list position, takes
special care with the unique ordering per list. special care with the unique ordering per list.
""" """
with transaction.atomic():
list_item = get_object_or_404(models.ListItem, id=list_item_id) list_item = get_object_or_404(models.ListItem, id=list_item_id)
list_item.list.raise_not_editable(request.user)
try: try:
int_position = int(request.POST.get("position")) int_position = int(request.POST.get("position"))
except ValueError: except ValueError:
@ -373,12 +369,12 @@ def set_book_position(request, list_item_id):
int_position = min(int_position, order_max) int_position = min(int_position, order_max)
if request.user not in (book_list.user, list_item.user):
return HttpResponseNotFound()
original_order = list_item.order original_order = list_item.order
if original_order == int_position: if original_order == int_position:
# no change
return HttpResponse(status=204) return HttpResponse(status=204)
with transaction.atomic():
if original_order > int_position: if original_order > int_position:
list_item.order = -1 list_item.order = -1
list_item.save() list_item.save()