From 9209039761fca3f99d6881d8f8ce14b9b1f39586 Mon Sep 17 00:00:00 2001 From: Mouse Reeve Date: Thu, 1 Oct 2020 12:59:38 -0700 Subject: [PATCH] Permission decorators for views --- bookwyrm/view_actions.py | 5 ++++- bookwyrm/views.py | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/bookwyrm/view_actions.py b/bookwyrm/view_actions.py index 604fe3a7..3d4926d8 100644 --- a/bookwyrm/view_actions.py +++ b/bookwyrm/view_actions.py @@ -3,7 +3,7 @@ from io import BytesIO, TextIOWrapper from PIL import Image from django.contrib.auth import authenticate, login, logout -from django.contrib.auth.decorators import login_required +from django.contrib.auth.decorators import login_required, permission_required from django.core.files.base import ContentFile from django.http import HttpResponseBadRequest, HttpResponseNotFound from django.shortcuts import redirect @@ -141,6 +141,7 @@ def resolve_book(request): @login_required +@permission_required('bookwyrm.edit_book', raise_exception=True) def edit_book(request, book_id): ''' edit a book cool ''' if not request.method == 'POST': @@ -433,7 +434,9 @@ def import_data(request): return redirect('/import_status/%d' % (job.id,)) return HttpResponseBadRequest() + @login_required +@permission_required('bookwyrm.create_invites', raise_exception=True) def create_invite(request): ''' creates a user invite database entry ''' form = forms.CreateInviteForm(request.POST) diff --git a/bookwyrm/views.py b/bookwyrm/views.py index e619856d..5bcfebf7 100644 --- a/bookwyrm/views.py +++ b/bookwyrm/views.py @@ -1,7 +1,7 @@ ''' views for pages you can go to in the application ''' import re -from django.contrib.auth.decorators import login_required +from django.contrib.auth.decorators import login_required, permission_required from django.db.models import Avg, Count, Q from django.http import HttpResponseBadRequest, HttpResponseNotFound,\ JsonResponse 
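Review bot: Nothing in this patch declares the `bookwyrm.edit_book` codename that the new decorator on `edit_book` checks, and it is not one of Django's default add/change/delete/view permissions, so it has to come from a model's `Meta.permissions` and a migration outside this diff. An unknown or misspelled codename does not raise; `has_perm` simply returns False, and with `raise_exception=True` every non-superuser would then get a 403. The same applies to `bookwyrm.create_invites` on `create_invite` and to both decorators in `bookwyrm/views.py`. I would add a comment above each decorator, e.g. `# custom permission; must match the codename declared in the model's Meta.permissions`, plus a view test that a user holding the permission gets through and one without it gets 403. The body of `edit_book` continues outside the hunk.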
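Review bot: `create_invite` builds `forms.CreateInviteForm(request.POST)` with no method check in the visible lines, whereas `edit_book` in the same file rejects anything but POST before it does any work. Since this commit tightens who may reach the view, it would be consistent to restrict the verb as well, with `@require_POST` (from `django.views.decorators.http`) placed under the two auth decorators. The function body continues past the hunk, so a check may exist further down; if it does, this is only a style point.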
@@ -228,6 +228,7 @@ def invite_page(request, code): return TemplateResponse(request, 'invite.html', data) @login_required +@permission_required('bookwyrm.create_invites', raise_exception=True) def manage_invites(request): ''' invite management page ''' data = { @@ -453,6 +454,7 @@ def book_page(request, book_id): @login_required +@permission_required('bookwyrm.edit_book', raise_exception=True) def edit_book_page(request, book_id): ''' info about a book ''' book = books_manager.get_edition(book_id)
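Review bot: The stacking order on `manage_invites` is load-bearing and nothing documents it. With `@login_required` outermost, anonymous visitors are redirected to the login page, and only signed-in users without the permission reach the 403 from `raise_exception=True`. If the decorators were swapped or `login_required` dropped, anonymous requests to this page would get a bare 403 instead. A one-line comment would protect that, e.g. `# keep login_required outermost: anonymous -> login redirect, signed-in without permission -> 403`. The same note fits `edit_book_page` in the next hunk and the two views in `bookwyrm/view_actions.py`.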