usethesource: Allow logged in users to edit/delete their own comments only

Unless of course they're given the "change comment" and "delete comment" permissions, with which they can change or delete any comment.
2024-03-21 11:51:57 +11:00 · 2024-03-21 11:51:57 +11:00 · 28f3b8de08
commit 28f3b8de08
parent c962a1d100
3 changed files with 11 additions and 3 deletions
--- a/conservancy/usethesource/templates/usethesource/candidate.html
+++ b/conservancy/usethesource/templates/usethesource/candidate.html
@ -15,7 +15,7 @@
      <div>
        <div class="flex items-center">
          <h2 class="f2 lh-title ttu mt0">{{ candidate.name }}</h2>
-          {% if user.is_staff or user.is_superuser %}<a href="{% url 'admin:usethesource_candidate_change' object_id=candidate.id %}" title="Edit candidate" class="f3 white bg-light-silver db ph2 mh2 mb3" style="transform: scaleX(-1); text-decoration: none !important">✎</a>{% endif %}
+          {% if perms.usethesource.change_candidate %}<a href="{% url 'admin:usethesource_candidate_change' object_id=candidate.id %}" title="Edit candidate" class="f3 white bg-light-silver db ph2 mh2 mb3" style="transform: scaleX(-1); text-decoration: none !important">✎</a>{% endif %}
        </div>
        <p><strong>Vendor</strong>: {{ candidate.vendor }}</p>
--- a/conservancy/usethesource/templates/usethesource/comment_partial.html
+++ b/conservancy/usethesource/templates/usethesource/comment_partial.html
@ -1,8 +1,10 @@
 <div class="mb4" hx-target="this" hx-swap="outerHTML">
  <div class="mb2">
    <strong>{% if comment.attribute_to %}{{ comment.attribute_to }}{% else %}{{ comment.user }}{% endif %} — {{ comment.time }}</strong>
-    {% if user.is_staff %}
+    {% if request.user == comment.user or perms.usethesource.change_comment %}
      <a href="#" class="f7 white bg-light-silver ph2" hx-get="{% url 'usethesource:edit_comment' comment_id=comment.id %}">edit</a>
    {% endif %}
    {% if request.user == comment.user or perms.usethesource.delete_comment %}
      <a href="#" class="f7 white bg-light-red ph2" hx-delete="{% url 'usethesource:delete_comment' comment_id=comment.id show_add='false' %}" hx-confirm="Are you sure you want to delete this comment?">delete</a>
    {% endif %}
  </div>
--- a/conservancy/usethesource/views.py
+++ b/conservancy/usethesource/views.py
@ -1,4 +1,5 @@
 from django.contrib.admin.views.decorators import staff_member_required
 from django.core.exceptions import PermissionDenied
 from django.shortcuts import get_object_or_404, redirect, render
 from .models import Candidate, Comment
@ -53,6 +54,8 @@ def create_comment(request, slug):
@staff_member_required
 def edit_comment(request, comment_id):
    comment = get_object_or_404(Comment, id=comment_id)
    if request.user != comment.user and not request.user.has_perm('usethesource.change_comment'):
        raise PermissionDenied
    if request.method == 'GET':
        form = CommentForm(instance=comment)
    else:
@ -72,8 +75,11 @@ def view_comment(request, comment_id, show_add):
@staff_member_required
 def delete_comment(request, comment_id, show_add):
    comment = get_object_or_404(Comment, id=comment_id)
    if request.user != comment.user and not request.user.has_perm('usethesource.delete_comment'):
        raise PermissionDenied
    comment.delete()
    show_add = show_add == 'true'
    Comment.objects.filter(id=comment_id).delete()
    return render(request, 'usethesource/comment_deleted.html', {'comment': None, 'add': show_add})