From 28f3b8de08e7720075f824a6c1a37a4477482f37 Mon Sep 17 00:00:00 2001
From: Ben Sturmfels
Date: Thu, 21 Mar 2024 11:51:57 +1100
Subject: [PATCH] usethesource: Allow logged in users to edit/delete their own comments only

Unless of course they're given the "change comment" and "delete comment" permissions, with which they can change or delete any comment.
---
 .../usethesource/templates/usethesource/candidate.html | 2 +-
 .../templates/usethesource/comment_partial.html | 4 +++-
 conservancy/usethesource/views.py | 8 +++++++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/conservancy/usethesource/templates/usethesource/candidate.html b/conservancy/usethesource/templates/usethesource/candidate.html
index b31a11f2..18734d14 100644
--- a/conservancy/usethesource/templates/usethesource/candidate.html
+++ b/conservancy/usethesource/templates/usethesource/candidate.html
@@ -15,7 +15,7 @@

{{ candidate.name }}

- {% if user.is_staff or user.is_superuser %}{% endif %}
+ {% if perms.usethesource.change_candidate %}{% endif %}

Vendor: {{ candidate.vendor }}

diff --git a/conservancy/usethesource/templates/usethesource/comment_partial.html b/conservancy/usethesource/templates/usethesource/comment_partial.html
index 6e8b7d59..ea135495 100644
--- a/conservancy/usethesource/templates/usethesource/comment_partial.html
+++ b/conservancy/usethesource/templates/usethesource/comment_partial.html
@@ -1,8 +1,10 @@
{% if comment.attribute_to %}{{ comment.attribute_to }}{% else %}{{ comment.user }}{% endif %} — {{ comment.time }} - {% if user.is_staff %} + {% if request.user == comment.user or perms.usethesource.change_comment %} edit + {% endif %} + {% if request.user == comment.user or perms.usethesource.delete_comment %} delete {% endif %}
diff --git a/conservancy/usethesource/views.py b/conservancy/usethesource/views.py
index 4b7a6be9..6d6446ed 100644
--- a/conservancy/usethesource/views.py
+++ b/conservancy/usethesource/views.py
@@ -1,4 +1,5 @@
 from django.contrib.admin.views.decorators import staff_member_required
+from django.core.exceptions import PermissionDenied
 from django.shortcuts import get_object_or_404, redirect, render
 
 from .models import Candidate, Comment
@@ -53,6 +54,8 @@ def create_comment(request, slug):
 @staff_member_required
 def edit_comment(request, comment_id):
     comment = get_object_or_404(Comment, id=comment_id)
+    if request.user != comment.user and not request.user.has_perm('usethesource.change_comment'):
+        raise PermissionDenied
     if request.method == 'GET':
         form = CommentForm(instance=comment)
     else:
@@ -72,8 +75,11 @@ def view_comment(request, comment_id, show_add):
 @staff_member_required
 def delete_comment(request, comment_id, show_add):
+    comment = get_object_or_404(Comment, id=comment_id)
+    if request.user != comment.user and not request.user.has_perm('usethesource.delete_comment'):
+        raise PermissionDenied
+    comment.delete()
     show_add = show_add == 'true'
-    Comment.objects.filter(id=comment_id).delete()
     return render(request, 'usethesource/comment_deleted.html', {'comment': None, 'add': show_add})
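Review bot: Both views keep `@staff_member_required` as a context line above the new ownership checks, so a logged-in non-staff user is still redirected to the admin login before `request.user != comment.user` is ever evaluated; if the subject's "logged in users" is meant literally, the decorator should become `@login_required` (from `django.contrib.auth.decorators`) in both edit_comment and delete_comment, otherwise the commit message overstates the change. The ownership-or-permission test is now written twice; a small helper, `def check_comment_permission(user, comment, perm): if user != comment.user and not user.has_perm(perm): raise PermissionDenied`, called with `'usethesource.change_comment'` and `'usethesource.delete_comment'`, keeps the two from drifting apart. Separately, delete_comment still deletes on any HTTP method — there is no method check anywhere in the hunk — so a plain GET link performs a state change that CSRF middleware does not cover; unless the caller is known to send POST or DELETE, add `@require_POST` (from `django.views.decorators.http`) or an explicit method check before `comment.delete()`. edit_comment's body continues past the end of its hunk.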