usethesource: Allow logged in users to edit/delete their own comments only

Unless of course they're given the "change comment" and "delete comment"
permissions, with which they can change or delete any comment.
Ben Sturmfels 2024-03-21 11:51:57 +11:00
parent c962a1d100
commit 28f3b8de08
Signed by: bsturmfels
GPG key ID: 023C05E2C9C068F0
3 changed files with 11 additions and 3 deletions


@ -15,7 +15,7 @@
<div>
<div class="flex items-center">
<h2 class="f2 lh-title ttu mt0">{{ candidate.name }}</h2>
{% if user.is_staff or user.is_superuser %}<a href="{% url 'admin:usethesource_candidate_change' object_id=candidate.id %}" title="Edit candidate" class="f3 white bg-light-silver db ph2 mh2 mb3" style="transform: scaleX(-1); text-decoration: none !important"></a>{% endif %}
{% if perms.usethesource.change_candidate %}<a href="{% url 'admin:usethesource_candidate_change' object_id=candidate.id %}" title="Edit candidate" class="f3 white bg-light-silver db ph2 mh2 mb3" style="transform: scaleX(-1); text-decoration: none !important"></a>{% endif %}
</div>
<p><strong>Vendor</strong>: {{ candidate.vendor }}</p>
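Review bot: The edit link on the new `{% if perms.usethesource.change_candidate %}` line is shown to anyone holding that permission, yet it still points at `admin:usethesource_candidate_change`, and the Django admin site only serves its views to users with `is_staff`, so a non-staff holder of the permission gets a link that lands on the admin login page. If non-staff users can be granted this permission, either keep the staff test in the condition, `{% if user.is_staff and perms.usethesource.change_candidate %}`, or point the link at a non-admin edit view. The hunk header announces seven lines per side but only six are visible here, so one context line may be missing from this rendering.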


@ -1,8 +1,10 @@
<div class="mb4" hx-target="this" hx-swap="outerHTML">
<div class="mb2">
<strong>{% if comment.attribute_to %}{{ comment.attribute_to }}{% else %}{{ comment.user }}{% endif %} — {{ comment.time }}</strong>
{% if user.is_staff %}
{% if request.user == comment.user or perms.usethesource.change_comment %}
<a href="#" class="f7 white bg-light-silver ph2" hx-get="{% url 'usethesource:edit_comment' comment_id=comment.id %}">edit</a>
{% endif %}
{% if request.user == comment.user or perms.usethesource.delete_comment %}
<a href="#" class="f7 white bg-light-red ph2" hx-delete="{% url 'usethesource:delete_comment' comment_id=comment.id show_add='false' %}" hx-confirm="Are you sure you want to delete this comment?">delete</a>
{% endif %}
</div>
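Review bot: The edit and delete links are now rendered for any logged-in author via `request.user == comment.user`, but the views they target, `edit_comment` and `delete_comment` in the views hunks of this commit, still carry `@staff_member_required`, so a non-staff author sees links that redirect to the admin login instead of acting. Either those decorators should become `@login_required` with the new ownership/permission check as the real gate, or this template should keep the `user.is_staff` guard until the views follow; this applies to both views hunks as well. The ownership condition is now spelled out in four places (twice here, once per view); a model method such as `comment.can_change(user)` / `comment.can_delete(user)` would keep them from drifting apart. `request.user` is used here while the rest of the template uses `user`; both name the same object only when the `request` context processor is enabled, so using one form consistently avoids a surprise.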


@ -1,4 +1,5 @@
from django.contrib.admin.views.decorators import staff_member_required
from django.core.exceptions import PermissionDenied
from django.shortcuts import get_object_or_404, redirect, render
from .models import Candidate, Comment
@ -53,6 +54,8 @@ def create_comment(request, slug):
@staff_member_required
def edit_comment(request, comment_id):
comment = get_object_or_404(Comment, id=comment_id)
if request.user != comment.user and not request.user.has_perm('usethesource.change_comment'):
raise PermissionDenied
if request.method == 'GET':
form = CommentForm(instance=comment)
else:
@ -72,8 +75,11 @@ def view_comment(request, comment_id, show_add):
@staff_member_required
def delete_comment(request, comment_id, show_add):
comment = get_object_or_404(Comment, id=comment_id)
if request.user != comment.user and not request.user.has_perm('usethesource.delete_comment'):
raise PermissionDenied
comment.delete()
show_add = show_add == 'true'
Comment.objects.filter(id=comment_id).delete()
return render(request, 'usethesource/comment_deleted.html', {'comment': None, 'add': show_add})
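Review bot: `comment.delete()` runs regardless of HTTP method, so a plain GET to the delete URL removes the comment even though the template issues it with `hx-delete`; a state change on a safe method is worth guarding with `@require_http_methods(["DELETE"])` from `django.views.decorators.http`, or an explicit `request.method` check that returns 405 before the permission test. Mirroring the ownership check in the view rather than trusting the template is the right call, and raising `PermissionDenied` rather than redirecting keeps the failure visible. The `edit_comment` body continues past the end of its hunk, so whether it restricts methods the same way cannot be checked from here.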