Update the delete item to use the _id after all... it's the safest way.

See http://bugs.foocorp.net/issues/695
This commit is contained in:
Christopher Allan Webber 2011-12-05 08:35:42 -06:00
parent 38f102515a
commit bcc9ee3205
4 changed files with 5 additions and 5 deletions


@ -58,7 +58,7 @@ def user_may_delete_media(controller):
""" """
def wrapper(request, *args, **kwargs): def wrapper(request, *args, **kwargs):
uploader = request.db.MediaEntry.find_one( uploader = request.db.MediaEntry.find_one(
{'slug': request.matchdict['media']}).get_uploader() {'_id': ObjectId(request.matchdict['media'])}).get_uploader()
if not (request.user['is_admin'] or if not (request.user['is_admin'] or
request.user._id == uploader._id): request.user._id == uploader._id):
return exc.HTTPForbidden() return exc.HTTPForbidden()
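Review bot: The new lookup passes the raw `media` path segment straight into `ObjectId(...)`, which raises `bson.errors.InvalidId` on anything that is not a 24-hex-character id, so a malformed or tampered delete URL now produces an unhandled exception (a 500) instead of a clean 4xx; the slug lookup it replaces never had that failure mode. The pre-existing `find_one(...).get_uploader()` chain also still dereferences `None` when no entry matches, which the commit does not address. I would parse the id and fetch the entry as separate, checked steps before the owner/admin test, returning `exc.HTTPNotFound()` in both failure cases; `InvalidId` needs importing from `bson.errors` at the top of the file, outside this hunk. `user_may_delete_media` starts before the hunk and `wrapper` continues after it.
```python
    def wrapper(request, *args, **kwargs):
        # Reject ids that cannot be an ObjectId before touching the database
        try:
            media_id = ObjectId(request.matchdict['media'])
        except InvalidId:
            return exc.HTTPNotFound()
        media = request.db.MediaEntry.find_one({'_id': media_id})
        if media is None:
            return exc.HTTPNotFound()
        uploader = media.get_uploader()
        # … unchanged: admin / owner check returning HTTPForbidden …
```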


@ -126,7 +126,7 @@
<p> <p>
{% set delete_url = request.urlgen('mediagoblin.user_pages.media_confirm_delete', {% set delete_url = request.urlgen('mediagoblin.user_pages.media_confirm_delete',
user= media.get_uploader().username, user= media.get_uploader().username,
media= media.slug) %} media= media._id) %}
<a href="{{ delete_url }}">{% trans %}Delete{% endtrans %}</a> <a href="{{ delete_url }}">{% trans %}Delete{% endtrans %}</a>
</p> </p>
{% endif %} {% endif %}


@ -23,7 +23,7 @@
<form action="{{ request.urlgen('mediagoblin.user_pages.media_confirm_delete', <form action="{{ request.urlgen('mediagoblin.user_pages.media_confirm_delete',
user=media.get_uploader().username, user=media.get_uploader().username,
media=media.slug) }}" media=media._id) }}"
method="POST" enctype="multipart/form-data"> method="POST" enctype="multipart/form-data">
<div class="grid_8 prefix_1 suffix_1 edit_box form_box"> <div class="grid_8 prefix_1 suffix_1 edit_box form_box">
<h1> <h1>
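Review bot: The visible part of this POST form that performs a destructive delete carries no anti-CSRF token, and nothing in the hunk shows one being added; if the rest of the form (which continues past the hunk) does not include one, a third-party page can submit this form on behalf of a logged-in uploader and delete their media. Switching the action URL to `media._id` does not change that exposure, but since the delete path is being touched it is a good moment to add a hidden token field next to the confirm control and verify it in the `media_confirm_delete` view. I would also note that `enctype="multipart/form-data"` is unnecessary for a confirm-only form; the default urlencoded body is simpler to validate.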


@ -171,7 +171,7 @@ class TestSubmission:
request.urlgen('mediagoblin.user_pages.media_confirm_delete', request.urlgen('mediagoblin.user_pages.media_confirm_delete',
# No work: user=media.uploader().username, # No work: user=media.uploader().username,
user=self.test_user['username'], user=self.test_user['username'],
media=media.slug), media=media._id),
# no value means no confirm # no value means no confirm
{}) {})
@ -191,7 +191,7 @@ class TestSubmission:
request.urlgen('mediagoblin.user_pages.media_confirm_delete', request.urlgen('mediagoblin.user_pages.media_confirm_delete',
# No work: user=media.uploader().username, # No work: user=media.uploader().username,
user=self.test_user['username'], user=self.test_user['username'],
media=media.slug), media=media._id),
{'confirm': 'y'}) {'confirm': 'y'})
response.follow() response.follow()