usethesource: Allow logged in users to edit/delete their own comments only
Unless of course they're given the "change comment" and "delete comment" permissions, with which they can change or delete any comment.
parent
c962a1d100
commit
28f3b8de08
3 changed files with 11 additions and 3 deletions
|
@ -15,7 +15,7 @@
|
|||
<div>
|
||||
<div class="flex items-center">
|
||||
<h2 class="f2 lh-title ttu mt0">{{ candidate.name }}</h2>
|
||||
{% if user.is_staff or user.is_superuser %}<a href="{% url 'admin:usethesource_candidate_change' object_id=candidate.id %}" title="Edit candidate" class="f3 white bg-light-silver db ph2 mh2 mb3" style="transform: scaleX(-1); text-decoration: none !important">✎</a>{% endif %}
|
||||
{% if perms.usethesource.change_candidate %}<a href="{% url 'admin:usethesource_candidate_change' object_id=candidate.id %}" title="Edit candidate" class="f3 white bg-light-silver db ph2 mh2 mb3" style="transform: scaleX(-1); text-decoration: none !important">✎</a>{% endif %}
|
||||
</div>
|
||||
|
||||
<p><strong>Vendor</strong>: {{ candidate.vendor }}</p>
|
||||
|
|
|
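Review bot: The new `perms.usethesource.change_candidate` test is also true for a user who holds that permission without being staff, yet the link targets the admin change view, which the Django admin only opens to staff accounts. Such a user would see the pencil and land on the admin login page. If non-staff accounts can be granted this permission, the condition could read `{% if user.is_staff and perms.usethesource.change_candidate %}`.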
@ -1,8 +1,10 @@
|
|||
<div class="mb4" hx-target="this" hx-swap="outerHTML">
|
||||
<div class="mb2">
|
||||
<strong>{% if comment.attribute_to %}{{ comment.attribute_to }}{% else %}{{ comment.user }}{% endif %} — {{ comment.time }}</strong>
|
||||
{% if user.is_staff %}
|
||||
{% if request.user == comment.user or perms.usethesource.change_comment %}
|
||||
<a href="#" class="f7 white bg-light-silver ph2" hx-get="{% url 'usethesource:edit_comment' comment_id=comment.id %}">edit</a>
|
||||
{% endif %}
|
||||
{% if request.user == comment.user or perms.usethesource.delete_comment %}
|
||||
<a href="#" class="f7 white bg-light-red ph2" hx-delete="{% url 'usethesource:delete_comment' comment_id=comment.id show_add='false' %}" hx-confirm="Are you sure you want to delete this comment?">delete</a>
|
||||
{% endif %}
|
||||
</div>
|
||||
|
|
|
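Review bot: Dropping the `{% if user.is_staff %}` wrapper shows the edit and delete links to every comment author, while `edit_comment` and `delete_comment` in the views file of this same commit keep `@staff_member_required`. A non-staff author who clicks either link would be redirected to the admin login instead of reaching the view, so the template and the view now disagree about who may act. If non-staff users can own comments, the view decorator would need to become `@login_required`; if every commenter is staff, keeping the outer `{% if user.is_staff %}` around both links avoids offering an action the server will refuse.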
@ -1,4 +1,5 @@
|
|||
from django.contrib.admin.views.decorators import staff_member_required
|
||||
from django.core.exceptions import PermissionDenied
|
||||
from django.shortcuts import get_object_or_404, redirect, render
|
||||
|
||||
from .models import Candidate, Comment
|
||||
|
@ -53,6 +54,8 @@ def create_comment(request, slug):
|
|||
@staff_member_required
|
||||
def edit_comment(request, comment_id):
|
||||
comment = get_object_or_404(Comment, id=comment_id)
|
||||
if request.user != comment.user and not request.user.has_perm('usethesource.change_comment'):
|
||||
raise PermissionDenied
|
||||
if request.method == 'GET':
|
||||
form = CommentForm(instance=comment)
|
||||
else:
|
||||
|
@ -72,8 +75,11 @@ def view_comment(request, comment_id, show_add):
|
|||
|
||||
@staff_member_required
|
||||
def delete_comment(request, comment_id, show_add):
|
||||
comment = get_object_or_404(Comment, id=comment_id)
|
||||
if request.user != comment.user and not request.user.has_perm('usethesource.delete_comment'):
|
||||
raise PermissionDenied
|
||||
comment.delete()
|
||||
show_add = show_add == 'true'
|
||||
Comment.objects.filter(id=comment_id).delete()
|
||||
return render(request, 'usethesource/comment_deleted.html', {'comment': None, 'add': show_add})
|
||||
|
||||
|
||||
|
|
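Review bot: `delete_comment` reaches `comment.delete()` without looking at `request.method`, so a plain GET to the delete URL removes the comment, and Django's CSRF middleware does not check GET requests. The template only issues `hx-delete`, so the view can be limited to that verb by adding `@require_http_methods(["DELETE"])` under `@staff_member_required`, with `from django.views.decorators.http import require_http_methods` in the imports. The owner-or-permission check itself is in the right place, after the object is loaded and before any change. `edit_comment` continues past the end of its hunk, so its POST branch could not be reviewed here.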