diff --git a/bookwyrm/view_actions.py b/bookwyrm/view_actions.py
index 604fe3a7..3d4926d8 100644
--- a/bookwyrm/view_actions.py
+++ b/bookwyrm/view_actions.py
@@ -3,7 +3,7 @@ from io import BytesIO, TextIOWrapper
 from PIL import Image
 from django.contrib.auth import authenticate, login, logout
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.decorators import login_required, permission_required
 from django.core.files.base import ContentFile
 from django.http import HttpResponseBadRequest, HttpResponseNotFound
 from django.shortcuts import redirect
@@ -141,6 +141,7 @@ def resolve_book(request):
 @login_required
+@permission_required('bookwyrm.edit_book', raise_exception=True)
 def edit_book(request, book_id):
 ''' edit a book cool '''
 if not request.method == 'POST':
@@ -433,7 +434,9 @@ def import_data(request):
 return redirect('/import_status/%d' % (job.id,))
 return HttpResponseBadRequest()
+
 @login_required
+@permission_required('bookwyrm.create_invites', raise_exception=True)
 def create_invite(request):
 ''' creates a user invite database entry '''
 form = forms.CreateInviteForm(request.POST)
diff --git a/bookwyrm/views.py b/bookwyrm/views.py
index e619856d..5bcfebf7 100644
--- a/bookwyrm/views.py
+++ b/bookwyrm/views.py
@@ -1,7 +1,7 @@
 ''' views for pages you can go to in the application '''
 import re
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.decorators import login_required, permission_required
 from django.db.models import Avg, Count, Q
 from django.http import HttpResponseBadRequest, HttpResponseNotFound,\
 JsonResponse
@@ -228,6 +228,7 @@ def invite_page(request, code):
 return TemplateResponse(request, 'invite.html', data)
 @login_required
+@permission_required('bookwyrm.create_invites', raise_exception=True)
 def manage_invites(request):
 ''' invite management page '''
 data = {
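Review bot: The codename strings passed to `permission_required` on `edit_book` are not validated by Django, and nothing in this diff shows where `bookwyrm.edit_book` or `bookwyrm.create_invites` are declared (a model `Meta.permissions` entry plus its migration would be the usual place, presumably elsewhere in the commit). If a codename is missing or misspelled, `has_perm` is False for every non-superuser, so the decorated views (`edit_book` here, and `create_invite`, `manage_invites` and `edit_book_page` in the later hunks) answer 403 for everyone; that fails closed, but silently. A view test per decorated view that logs in a user without the permission and asserts a 403, and one with the permission asserting success, would pin both the codename and the gate. The body of `edit_book` continues outside the hunk.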
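Review bot: The decorator order on `create_invite` (and on the other three views this commit touches) is load-bearing and deserves a comment. With `raise_exception=True`, `permission_required` raises `PermissionDenied` instead of redirecting, so `login_required` has to stay outermost for anonymous visitors to be sent to the login page rather than receiving a 403. I would add `# keep login_required outermost: anonymous users get the login redirect, logged-in users without the permission get 403` above the pair, or fold both checks into one project-level decorator so the order cannot be swapped by accident. `create_invite` continues outside the hunk.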
@@ -453,6 +454,7 @@ def book_page(request, book_id):
 @login_required
+@permission_required('bookwyrm.edit_book', raise_exception=True)
 def edit_book_page(request, book_id):
 ''' info about a book '''
 book = books_manager.get_edition(book_id)
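Review bot: The docstring on `edit_book_page` still reads `''' info about a book '''`, which looks copied from `book_page` and says nothing about the access rule this hunk adds. Something like `''' edit form for a book; requires the edit_book permission '''` would tell a reader why a logged-in user can now get a 403 here. Since this is a page users navigate to, it is also worth confirming that the template linking to it hides the link from users without the permission; that template is not part of this diff. The function body continues outside the hunk.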