From 8f79b362f8c43d37d8c6e82f32f882831416d11b Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Fri, 5 Aug 2022 09:51:55 -0700
Subject: [PATCH] Check permissions automatically on form save
---
 bookwyrm/forms/custom_form.py | 5 +++++
 bookwyrm/views/goal.py | 4 +---
 bookwyrm/views/group.py | 11 ++++++-----
 bookwyrm/views/list/list.py | 3 +--
 bookwyrm/views/list/list_item.py | 3 +--
 bookwyrm/views/list/lists.py | 3 +--
 bookwyrm/views/reading.py | 2 +-
 bookwyrm/views/shelf/shelf.py | 3 +--
 bookwyrm/views/shelf/shelf_actions.py | 4 +---
 bookwyrm/views/status.py | 4 +---
 10 files changed, 19 insertions(+), 23 deletions(-)
diff --git a/bookwyrm/forms/custom_form.py b/bookwyrm/forms/custom_form.py
index 74a3417a2..3c2b4685f 100644
--- a/bookwyrm/forms/custom_form.py
+++ b/bookwyrm/forms/custom_form.py
@@ -24,3 +24,8 @@ class CustomForm(ModelForm):
 input_type = "textarea"
 visible.field.widget.attrs["rows"] = 5
 visible.field.widget.attrs["class"] = css_classes[input_type]
+
+ def save(self, request, *args, **kwargs):
+ """Save and check perms"""
+ self.instance.raise_not_editable(request.user)
+ return super().save(*args, **kwargs)
diff --git a/bookwyrm/views/goal.py b/bookwyrm/views/goal.py
index 57ff4bd75..b5fd5bdc2 100644
--- a/bookwyrm/views/goal.py
+++ b/bookwyrm/views/goal.py
@@ -48,8 +48,6 @@ class Goal(View):
 year = int(year)
 user = get_user_from_username(request.user, username)
 goal = models.AnnualGoal.objects.filter(year=year, user=user).first()
- if goal:
- goal.raise_not_editable(request.user)
 form = forms.GoalForm(request.POST, instance=goal)
 if not form.is_valid():
@@ -59,7 +57,7 @@ class Goal(View):
 "year": year,
 }
 return TemplateResponse(request, "user/goal.html", data)
- goal = form.save()
+ goal = form.save(request)
 if request.POST.get("post-status"):
 # create status, if appropriate
diff --git a/bookwyrm/views/group.py b/bookwyrm/views/group.py
index b2271e78d..1ccfd6849 100644
--- a/bookwyrm/views/group.py
+++ b/bookwyrm/views/group.py
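Review bot: In `CustomForm.save`, `raise_not_editable` is evaluated on `self.instance` after `is_valid()` has run, and a Django ModelForm copies the submitted field values onto the instance during validation. The edit views that used to check the object as loaded from the database before binding the form (goal.py here, and the list.py, list_item.py, shelf.py and status.py hunks) now check the posted state instead, so if any of these forms exposes a field the permission logic reads (an owner field, for example; the form definitions are not visible in this patch) the stored value is never consulted. For existing objects the stored row should be checked as well, e.g. `if self.instance.pk: type(self.instance).objects.get(pk=self.instance.pk).raise_not_editable(request.user)` ahead of the current call, or the views should keep their pre-bind check. The docstring could also state that `request` is now a required first argument and that the check runs on every save, including `commit=False`.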
@@ -52,7 +52,7 @@ class Group(View):
 form = forms.GroupForm(request.POST, instance=user_group)
 if not form.is_valid():
 return redirect("group", user_group.id)
- user_group = form.save()
+ user_group = form.save(request)
 # let the other members know something about the group changed
 memberships = models.GroupMember.objects.filter(group=user_group)
@@ -113,10 +113,8 @@ class UserGroups(View):
 if not form.is_valid():
 return redirect(request.user.local_path + "/groups")
- group = form.save(commit=False)
- group.raise_not_editable(request.user)
 with transaction.atomic():
- group.save()
+ group = form.save(request)
 # add the creator as a group member
 models.GroupMember.objects.create(group=group, user=request.user)
 return redirect("group", group.id)
@@ -129,10 +127,13 @@ class FindUsers(View):
 # this is mostly borrowed from the Get Started friend finder
 def get(self, request, group_id):
- """basic profile info"""
+ """Search for a user to add the a group, or load suggested users cache"""
 user_query = request.GET.get("user_query")
 group = get_object_or_404(models.Group, id=group_id)
+
+ # only users who can edit can add users
 group.raise_not_editable(request.user)
+
 lists = (
 models.List.privacy_filter(request.user)
 .filter(group=group)
diff --git a/bookwyrm/views/list/list.py b/bookwyrm/views/list/list.py
index d0b5e08f4..35e18d244 100644
--- a/bookwyrm/views/list/list.py
+++ b/bookwyrm/views/list/list.py
@@ -81,13 +81,12 @@ class List(View):
 def post(self, request, list_id):
 """edit a list"""
 book_list = get_object_or_404(models.List, id=list_id)
- book_list.raise_not_editable(request.user)
 form = forms.ListForm(request.POST, instance=book_list)
 if not form.is_valid():
 # this shouldn't happen
 raise Exception(form.errors)
- book_list = form.save()
+ book_list = form.save(request)
 if not book_list.curation == "group":
 book_list.group = None
 book_list.save(broadcast=False)
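Review bot: The new docstring in `FindUsers.get` has a typo, "add the a group"; suggest `"""Search for a user to add to a group, or load suggested users cache"""`. The body of `get` continues beyond the end of the hunk.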
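Review bot: With the early `book_list.raise_not_editable(request.user)` removed from `List.post`, a request from a user who may not edit the list now goes through form validation first, so invalid input reaches `raise Exception(form.errors)` and yields a server error instead of the permission failure. The same reordering affects the first shelf.py hunk, where the default-shelf name guard and the invalid-form redirect now answer before any permission check is made. Authorization should be decided before any validation outcome is returned; keeping the pre-bind check in these two views would restore that order. `post` may continue past the end of the hunk.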
diff --git a/bookwyrm/views/list/list_item.py b/bookwyrm/views/list/list_item.py
index 6dca908fb..691df4da3 100644
--- a/bookwyrm/views/list/list_item.py
+++ b/bookwyrm/views/list/list_item.py
@@ -16,10 +16,9 @@ class ListItem(View):
 def post(self, request, list_id, list_item):
 """Edit a list item's notes"""
 list_item = get_object_or_404(models.ListItem, id=list_item, book_list=list_id)
- list_item.raise_not_editable(request.user)
 form = forms.ListItemForm(request.POST, instance=list_item)
 if form.is_valid():
- item = form.save(commit=False)
+ item = form.save(request, commit=False)
 item.notes = to_markdown(item.notes)
 item.save()
 else:
diff --git a/bookwyrm/views/list/lists.py b/bookwyrm/views/list/lists.py
index ee6ff0867..1b2250794 100644
--- a/bookwyrm/views/list/lists.py
+++ b/bookwyrm/views/list/lists.py
@@ -36,8 +36,7 @@ class Lists(View):
 form = forms.ListForm(request.POST)
 if not form.is_valid():
 return redirect("lists")
- book_list = form.save(commit=False)
- book_list.raise_not_editable(request.user)
+ book_list = form.save(request)
 # list should not have a group if it is not group curated
 if not book_list.curation == "group":
diff --git a/bookwyrm/views/reading.py b/bookwyrm/views/reading.py
index 482da3cd0..328dfd7fa 100644
--- a/bookwyrm/views/reading.py
+++ b/bookwyrm/views/reading.py
@@ -159,7 +159,7 @@ class ReadThrough(View):
 models.ReadThrough, id=request.POST.get("id")
 )
 return TemplateResponse(request, "readthrough/readthrough.html", data)
- form.save()
+ form.save(request)
 return redirect("book", book_id)
diff --git a/bookwyrm/views/shelf/shelf.py b/bookwyrm/views/shelf/shelf.py
index 378b346b3..0c3074902 100644
--- a/bookwyrm/views/shelf/shelf.py
+++ b/bookwyrm/views/shelf/shelf.py
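Review bot: `book_list = form.save(request)` in the lists.py hunk now commits, where the removed code used `form.save(commit=False)`, so the list is written to the database before the group-curation adjustment that follows in the context lines. The second status.py hunk makes the same change, `status = form.save(request)` ahead of the `raw_content` assignment, so the status is persisted before its content is post-processed. Any save-time side effects would presumably run on the unfinished object and again on a later save, which lies outside these hunks. If the deferred save was intentional, pass the flag through as the list_item.py hunk does: `book_list = form.save(request, commit=False)` and `status = form.save(request, commit=False)`.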
@@ -113,7 +113,6 @@ class Shelf(View):
 """edit a shelf"""
 user = get_user_from_username(request.user, username)
 shelf = get_object_or_404(user.shelf_set, identifier=shelf_identifier)
- shelf.raise_not_editable(request.user)
 # you can't change the name of the default shelves
 if not shelf.editable and request.POST.get("name") != shelf.name:
@@ -122,7 +121,7 @@ class Shelf(View):
 form = forms.ShelfForm(request.POST, instance=shelf)
 if not form.is_valid():
 return redirect(shelf.local_path)
- shelf = form.save()
+ shelf = form.save(request)
 return redirect(shelf.local_path)
diff --git a/bookwyrm/views/shelf/shelf_actions.py b/bookwyrm/views/shelf/shelf_actions.py
index 7dbb83dea..d2aa7d566 100644
--- a/bookwyrm/views/shelf/shelf_actions.py
+++ b/bookwyrm/views/shelf/shelf_actions.py
@@ -15,9 +15,7 @@ def create_shelf(request):
 if not form.is_valid():
 return redirect("user-shelves", request.user.localname)
- shelf = form.save(commit=False)
- shelf.raise_not_editable(request.user)
- shelf.save()
+ shelf = form.save(request)
 return redirect(shelf.local_path)
diff --git a/bookwyrm/views/status.py b/bookwyrm/views/status.py
index c0a045f8a..2f957f087 100644
--- a/bookwyrm/views/status.py
+++ b/bookwyrm/views/status.py
@@ -65,7 +65,6 @@ class CreateStatus(View):
 existing_status = get_object_or_404(
 models.Status.objects.select_subclasses(), id=existing_status_id
 )
- existing_status.raise_not_editable(request.user)
 existing_status.edited_date = timezone.now()
 status_type = status_type[0].upper() + status_type[1:]
@@ -84,8 +83,7 @@ class CreateStatus(View):
 return HttpResponseBadRequest()
 return redirect("/")
- status = form.save(commit=False)
- status.raise_not_editable(request.user)
+ status = form.save(request)
 # save the plain, unformatted version of the status for future editing
 status.raw_content = status.content
 if hasattr(status, "quote"):