Also allow admins to delete other users' media.

Christopher Allan Webber 2011-08-30 22:37:54 -05:00
parent 2886b340d3
commit 53c5e0b028


@ -51,25 +51,16 @@ def require_active_login(controller):
return _make_safe(new_controller_func, controller) return _make_safe(new_controller_func, controller)
def user_may_delete_media(controller): def user_may_delete_media(controller):
""" """
Require user ownership of the MediaEntry Require user ownership of the MediaEntry to delete.
Originally:
def may_delete_media(request, media):
\"\"\"
Check, if the request's user may edit the media details
\"\"\"
if media['uploader'] == request.user['_id']:
return True
if request.user['is_admin']:
return True
return False
""" """
def wrapper(request, *args, **kwargs): def wrapper(request, *args, **kwargs):
if not request.user['_id'] == request.db.MediaEntry.find_one( uploader = request.db.MediaEntry.find_one(
{'_id': ObjectId( {'_id': ObjectId(request.matchdict['media'])}).uploader()
request.matchdict['media'])}).uploader()['_id']: if not (request.user['is_admin'] or
request.user['_id'] == uploader['_id']):
return exc.HTTPForbidden() return exc.HTTPForbidden()
return controller(request, *args, **kwargs) return controller(request, *args, **kwargs)
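Review bot: In `wrapper`, `find_one(...)` returns None when no MediaEntry matches `request.matchdict['media']`, so `.uploader()` raises before the permission check runs and the request ends in an unhandled error rather than a clean response; `ObjectId(...)` likewise raises on a malformed id. Look the entry up into its own variable first and return early, e.g. `if media is None: return exc.HTTPNotFound()`, before calling `media.uploader()`. The new condition also reads `request.user['is_admin']` without checking that a user is logged in, so it presumably depends on being stacked under `require_active_login`; that dependency is worth stating in the docstring. The docstring itself still describes ownership only and should mention the admin path, e.g. `Require user ownership of the MediaEntry, or admin rights, to delete.` The end of `user_may_delete_media` appears to lie outside the hunk.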