Check perms in status views
parent
556ae0726b
commit
3657f9e0df
2 changed files with 11 additions and 7 deletions
|
@ -3,6 +3,7 @@ from dataclasses import MISSING
|
|||
import re
|
||||
|
||||
from django.apps import apps
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.core.validators import MaxValueValidator, MinValueValidator
|
||||
from django.db import models
|
||||
from django.dispatch import receiver
|
||||
|
@ -187,6 +188,14 @@ class Status(OrderedCollectionPageMixin, BookWyrmModel):
|
|||
"""json serialized activitypub class"""
|
||||
return self.to_activity_dataclass(pure=pure).serialize()
|
||||
|
||||
def raise_not_editable(self, viewer):
|
||||
"""certain types of status aren't editable"""
|
||||
# first, the standard raise
|
||||
super().raise_not_editable(viewer)
|
||||
if isinstance(self, (GeneratedNote, ReviewRating)):
|
||||
raise PermissionDenied
|
||||
|
||||
|
||||
|
||||
class GeneratedNote(Status):
|
||||
"""these are app-generated messages about user activity"""
|
||||
|
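Review bot: The `isinstance(self, (GeneratedNote, ReviewRating))` test in `Status.raise_not_editable` only denies when the object was loaded as its concrete subclass, and nothing in this method enforces that. `DeleteAndRedraft` fetches with `select_subclasses()`, but a caller that looks the row up through plain `models.Status` (as `DeleteStatus` does for deletion) would presumably hold a base `Status` and pass this check for a generated note or a rating. State the precondition in the docstring, e.g. `"""certain types of status aren't editable; the status must be loaded with select_subclasses()"""`, and add a test that a `GeneratedNote` is refused whichever way it is fetched. The `Status` class starts and ends outside the hunk.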
|
|
@ -98,8 +98,7 @@ class DeleteStatus(View):
|
|||
status = get_object_or_404(models.Status, id=status_id)
|
||||
|
||||
# don't let people delete other people's statuses
|
||||
if status.user != request.user and not request.user.has_perm("moderate_post"):
|
||||
return HttpResponseBadRequest()
|
||||
status.raise_not_deletable(request.user)
|
||||
|
||||
# perform deletion
|
||||
status.delete()
|
||||
|
@ -115,12 +114,8 @@ class DeleteAndRedraft(View):
|
|||
status = get_object_or_404(
|
||||
models.Status.objects.select_subclasses(), id=status_id
|
||||
)
|
||||
if isinstance(status, (models.GeneratedNote, models.ReviewRating)):
|
||||
return HttpResponseBadRequest()
|
||||
|
||||
# don't let people redraft other people's statuses
|
||||
if status.user != request.user:
|
||||
return HttpResponseBadRequest()
|
||||
status.raise_not_editable(request.user)
|
||||
|
||||
status_type = status.status_type.lower()
|
||||
if status.reply_parent:
|
||||
|
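Review bot: Both views now delegate authorization to model methods whose bodies are not in this diff, and the two removed checks were not the same rule: `DeleteStatus` allowed the owner or a user with `moderate_post`, while `DeleteAndRedraft` allowed the owner only. If the inherited `raise_not_editable` also lets moderators through, a moderator could now redraft another user's status, and if `raise_not_deletable` lacks the moderator case, moderation deletes stop working. Keep the intent next to each call, e.g. `# owner only; moderators may delete but not redraft` above `status.raise_not_editable(request.user)`, and cover owner, moderator and unrelated user in tests for both views. Denials also change from a 400 response to a raised `PermissionDenied`, assuming the base methods raise it as the override does. Both view methods begin outside the hunks.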
|