Invite perms checks

Mouse Reeve 2022-09-19 10:26:40 -07:00
parent 1e988cae6c
commit 9d8d85ebc1
3 changed files with 17 additions and 3 deletions


@ -146,6 +146,13 @@ class SiteInvite(models.Model):
user = models.ForeignKey(User, on_delete=models.CASCADE) user = models.ForeignKey(User, on_delete=models.CASCADE)
invitees = models.ManyToManyField(User, related_name="invitees") invitees = models.ManyToManyField(User, related_name="invitees")
# pylint: disable=no-self-use
def raise_not_editable(self, viewer):
"""Admins only"""
if viewer.has_perm("bookwyrm.create_invites"):
return
raise PermissionDenied()
def valid(self): def valid(self):
"""make sure it hasn't expired or been used""" """make sure it hasn't expired or been used"""
return (self.expiry is None or self.expiry > timezone.now()) and ( return (self.expiry is None or self.expiry > timezone.now()) and (
@ -169,6 +176,12 @@ class InviteRequest(BookWyrmModel):
invite_sent = models.BooleanField(default=False) invite_sent = models.BooleanField(default=False)
ignored = models.BooleanField(default=False) ignored = models.BooleanField(default=False)
def raise_not_editable(self, viewer):
"""Only check perms on edit, not create"""
if not self.id or viewer.has_perm("bookwyrm.create_invites"):
return
raise PermissionDenied()
def save(self, *args, **kwargs): def save(self, *args, **kwargs):
"""don't create a request for a registered email""" """don't create a request for a registered email"""
if not self.id and User.objects.filter(email=self.email).exists(): if not self.id and User.objects.filter(email=self.email).exists():
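Review bot: `SiteInvite.raise_not_editable` is only a hook: SiteInvite derives from plain `models.Model`, so nothing visible in this section makes `save()` call it, and enforcement appears to depend on every caller going through a form `save(request, ...)`. The docstring `"""Admins only"""` also overstates the rule, since the gate is the `bookwyrm.create_invites` permission; `"""Only users with the create_invites permission may create or edit invites"""` would be accurate. The commit's addition counts suggest the test file gains only a pylint comment, so a test asserting that a user without the permission gets `PermissionDenied` would be worth adding. Both class bodies continue outside the hunks.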


@ -14,6 +14,7 @@ from bookwyrm.tests.validate_html import validate_html
class InviteViews(TestCase): class InviteViews(TestCase):
"""every response to a get request, html or json""" """every response to a get request, html or json"""
# pylint: disable=invalid-name
def setUp(self): def setUp(self):
"""we need basic test data and mocks""" """we need basic test data and mocks"""
self.factory = RequestFactory() self.factory = RequestFactory()


@ -52,9 +52,9 @@ class ManageInvites(View):
if not form.is_valid(): if not form.is_valid():
return HttpResponseBadRequest(f"ERRORS: {form.errors}") return HttpResponseBadRequest(f"ERRORS: {form.errors}")
invite = form.save(commit=False) invite = form.save(request, commit=False)
invite.user = request.user invite.user = request.user
invite.save() invite.save(request)
paginated = Paginator( paginated = Paginator(
models.SiteInvite.objects.filter(user=request.user).order_by( models.SiteInvite.objects.filter(user=request.user).order_by(
@ -170,7 +170,7 @@ class InviteRequest(View):
received = False received = False
if form.is_valid(): if form.is_valid():
received = True received = True
form.save() form.save(request)
data = {"request_form": form, "request_received": received} data = {"request_form": form, "request_received": received}
return TemplateResponse(request, "landing/landing.html", data) return TemplateResponse(request, "landing/landing.html", data)
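Review bot: `invite.save(request)` in ManageInvites hands the request to a model that the page shows as `class SiteInvite(models.Model)`; unless SiteInvite overrides `save` outside the visible lines, Django binds that argument to the first positional parameter, `force_insert`, so the request object is silently treated as a truthy flag. The permission check has presumably already run inside `form.save(request, commit=False)`, so the line should stay `invite.save()`. The enclosing view methods start and end outside the hunks.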