mirror of
https://github.com/bookwyrm-social/bookwyrm.git
synced 2024-12-24 17:10:31 +00:00
Check perms in list views
This commit is contained in:
parent
ab31798931
commit
556ae0726b
2 changed files with 36 additions and 34 deletions
|
@ -92,6 +92,12 @@ class ListItem(CollectionItemMixin, BookWyrmModel):
|
|||
notification_type="ADD",
|
||||
)
|
||||
|
||||
def raise_not_deletable(self, viewer):
|
||||
"""the associated user OR the list owner can delete"""
|
||||
if self.book_list.user == viewer:
|
||||
return
|
||||
super().raise_not_deletable(viewer)
|
||||
|
||||
class Meta:
|
||||
"""A book may only be placed into a list once,
|
||||
and each order in the list may be used only once"""
|
||||
|
|
|
@ -3,7 +3,6 @@ from typing import Optional
|
|||
from urllib.parse import urlencode
|
||||
|
||||
from django.contrib.auth.decorators import login_required
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.core.paginator import Paginator
|
||||
from django.db import IntegrityError, transaction
|
||||
from django.db.models import Avg, Count, DecimalField, Q, Max
|
||||
|
@ -270,8 +269,7 @@ def delete_list(request, list_id):
|
|||
book_list = get_object_or_404(models.List, id=list_id)
|
||||
|
||||
# only the owner or a moderator can delete a list
|
||||
if book_list.user != request.user and not request.user.has_perm("moderate_post"):
|
||||
raise PermissionDenied
|
||||
book_list.raise_not_editable(request.user)
|
||||
|
||||
book_list.delete()
|
||||
return redirect("lists")
|
||||
|
@ -334,9 +332,7 @@ def remove_book(request, list_id):
|
|||
with transaction.atomic():
|
||||
book_list = get_object_or_404(models.List, id=list_id)
|
||||
item = get_object_or_404(models.ListItem, id=request.POST.get("item"))
|
||||
|
||||
if not book_list.user == request.user and not item.user == request.user:
|
||||
return HttpResponseNotFound()
|
||||
item.raise_not_deletable(request.user)
|
||||
|
||||
deleted_order = item.order
|
||||
item.delete()
|
||||
|
@ -351,8 +347,8 @@ def set_book_position(request, list_item_id):
|
|||
Action for when the list user manually specifies a list position, takes
|
||||
special care with the unique ordering per list.
|
||||
"""
|
||||
with transaction.atomic():
|
||||
list_item = get_object_or_404(models.ListItem, id=list_item_id)
|
||||
list_item.list.raise_not_editable(request.user)
|
||||
try:
|
||||
int_position = int(request.POST.get("position"))
|
||||
except ValueError:
|
||||
|
@ -373,12 +369,12 @@ def set_book_position(request, list_item_id):
|
|||
|
||||
int_position = min(int_position, order_max)
|
||||
|
||||
if request.user not in (book_list.user, list_item.user):
|
||||
return HttpResponseNotFound()
|
||||
|
||||
original_order = list_item.order
|
||||
if original_order == int_position:
|
||||
# no change
|
||||
return HttpResponse(status=204)
|
||||
|
||||
with transaction.atomic():
|
||||
if original_order > int_position:
|
||||
list_item.order = -1
|
||||
list_item.save()
|
||||
|
|
Loading…
Reference in a new issue