Also allow admins to delete other users' media.

2011-08-30 22:37:54 -05:00 · 2011-08-30 22:37:54 -05:00 · 53c5e0b028
commit 53c5e0b028
parent 2886b340d3
1 changed files with 6 additions and 15 deletions
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@ -51,25 +51,16 @@ def require_active_login(controller):

    return _make_safe(new_controller_func, controller)

+
 def user_may_delete_media(controller):
    """
-    Require user ownership of the MediaEntry
-
-    Originally:
-def may_delete_media(request, media):
-    \"\"\"
-    Check, if the request's user may edit the media details
-    \"\"\"
-    if media['uploader'] == request.user['_id']:
-        return True
-    if request.user['is_admin']:
-        return True
-    return False
+    Require user ownership of the MediaEntry to delete.
    """
    def wrapper(request, *args, **kwargs):
-        if not request.user['_id'] == request.db.MediaEntry.find_one(
-            {'_id': ObjectId(
-                    request.matchdict['media'])}).uploader()['_id']:
+        uploader = request.db.MediaEntry.find_one(
+            {'_id': ObjectId(request.matchdict['media'])}).uploader()
+        if not (request.user['is_admin'] or
+                request.user['_id'] == uploader['_id']):
            return exc.HTTPForbidden()

        return controller(request, *args, **kwargs)