Update the delete item to use the _id after all... it's the safest way.

See http://bugs.foocorp.net/issues/695
2011-12-05 08:35:42 -06:00 · 2011-12-05 08:35:42 -06:00 · bcc9ee3205
commit bcc9ee3205
parent 38f102515a
4 changed files with 5 additions and 5 deletions
--- a/mediagoblin/decorators.py
+++ b/mediagoblin/decorators.py
@ -58,7 +58,7 @@ def user_may_delete_media(controller):
    """
    def wrapper(request, *args, **kwargs):
        uploader = request.db.MediaEntry.find_one(
-            {'slug': request.matchdict['media']}).get_uploader()
+            {'_id': ObjectId(request.matchdict['media'])}).get_uploader()
        if not (request.user['is_admin'] or
                request.user._id == uploader._id):
            return exc.HTTPForbidden()
--- a/mediagoblin/templates/mediagoblin/user_pages/media.html
+++ b/mediagoblin/templates/mediagoblin/user_pages/media.html
@ -126,7 +126,7 @@
      <p>
        {% set delete_url = request.urlgen('mediagoblin.user_pages.media_confirm_delete',
                                   user= media.get_uploader().username,
-                                   media= media.slug) %}
+                                   media= media._id) %}
        <a href="{{ delete_url }}">{% trans %}Delete{% endtrans %}</a>
      </p>
    {% endif %}
--- a/mediagoblin/templates/mediagoblin/user_pages/media_confirm_delete.html
+++ b/mediagoblin/templates/mediagoblin/user_pages/media_confirm_delete.html
@ -23,7 +23,7 @@

  <form action="{{ request.urlgen('mediagoblin.user_pages.media_confirm_delete',
 		                  user=media.get_uploader().username,
-				  media=media.slug) }}"
+				  media=media._id) }}"
        method="POST" enctype="multipart/form-data">
    <div class="grid_8 prefix_1 suffix_1 edit_box form_box">
      <h1>
--- a/mediagoblin/tests/test_submission.py
+++ b/mediagoblin/tests/test_submission.py
@ -171,7 +171,7 @@ class TestSubmission:
            request.urlgen('mediagoblin.user_pages.media_confirm_delete',
                           # No work: user=media.uploader().username,
                           user=self.test_user['username'],
-                           media=media.slug),
+                           media=media._id),
            # no value means no confirm
            {})

@ -191,7 +191,7 @@ class TestSubmission:
            request.urlgen('mediagoblin.user_pages.media_confirm_delete',
                           # No work: user=media.uploader().username,
                           user=self.test_user['username'],
-                           media=media.slug),
+                           media=media._id),
            {'confirm': 'y'})

        response.follow()